processone / ejabberd-contrib

Growing and curated ejabberd contributions repository - PR or ask to join !
http://ejabberd.im

ip_match/2 always returns false #255

Closed ltAldoRaine closed 5 years ago

ltAldoRaine commented 5 years ago

CentOS 6 Ejabberd 18.03

I have installed mod_rest and in ejabberd.yml configured it like this:

  mod_rest:
    allowed_ips:
      - "127.0.0.1"

But any time I'm posting stanzas it says that "Error: REST request is rejected by service"

I put some logs in mod_rest.erl and after some tests found out that:

ip_matches(ClientIp, AllowedValues) always returns false

check_member_option(Host, ClientIp, allowed_ips) ->
    true = case try_get_option(Host, allowed_ips, all) of
               all -> true;
               AllowedValues -> ip_matches(ClientIp, AllowedValues)
           end;

prefiks commented 5 years ago

Hello,

Are you sure your connections are incoming from 127.0.0.1? Sometimes IPv6 addresses are used, like FFFF::127.0.0.1, and those will not match.

If you set the ejabberd loglevel to 5 you should get an ejabberd_http log entry with the IP address of the incoming connection. Could you see what IP is really used?

ltAldoRaine commented 5 years ago

Hello

This is my log:

[image: capture]

prefiks commented 5 years ago

So that IP address is "::FFFF:172.17.0.70"; as you may guess, that doesn't match 127.0.0.1.

ltAldoRaine commented 5 years ago

So, I have to change the configuration like this?
mod_rest: allowed_ips:

prefiks commented 5 years ago

Yes, it should work if your IP doesn't change.

ltAldoRaine commented 5 years ago

Now it's working for all IPs. Am I doing something wrong?

[image: capture]

prefiks commented 5 years ago

Your mask is wrong. IPv6 addresses are 128 bits long, so using 32 will match only a small part of the addresses, which is the same in both cases. Use 128 to match just a single IP, or 120 to match all but the last byte, etc.

ltAldoRaine commented 5 years ago

Thanks!
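The prefix-length behaviour discussed in this thread, as an added Python example (not part of the thread and not mod_rest's Erlang code). It models generic prefix matching with the standard `ipaddress` module; the client addresses other than `::FFFF:172.17.0.70` are constructed, and `allowed_normalized` is a hypothetical helper showing one way to compare an IPv4 allowlist entry against an IPv4-mapped client address.

```python
import ipaddress


def prefix_match(client: str, entry: str) -> bool:
    """True if the first <prefix> bits of client equal those of entry."""
    # strict=False: bits of the entry beyond the prefix are simply ignored.
    net = ipaddress.ip_network(entry, strict=False)
    addr = ipaddress.ip_address(client)
    # An IPv4 entry never matches an IPv6 client address, and vice versa.
    return addr.version == net.version and addr in net


def unmap(ip):
    """Return the embedded IPv4 address of ::ffff:a.b.c.d, else ip unchanged."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def allowed_normalized(client: str, entries) -> bool:
    """Hypothetical check: unmap the client before comparing to each entry."""
    ip = unmap(ipaddress.ip_address(client))
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


if __name__ == "__main__":
    seen = "::FFFF:172.17.0.70"  # address from the log in this thread
    others = ["::ffff:10.9.8.7", "::ffff:172.17.0.71", "::ffff:172.17.1.70"]  # constructed
    for bits in (32, 120, 128):
        entry = f"{seen}/{bits}"
        net = ipaddress.ip_network(entry, strict=False)
        print(f"/{bits}: effective network {net}")
        for client in [seen] + others:
            print(f"    {client:22} -> {prefix_match(client, entry)}")
    # A plain IPv4 entry versus a mapped client, raw and after unmapping:
    print(prefix_match("::ffff:127.0.0.1", "127.0.0.1"))
    print(allowed_normalized("::ffff:127.0.0.1", ["127.0.0.1"]))
```

With `/32` the effective network is `::/32`, because the first 32 bits of every IPv4-mapped address are zero, which is why the allowlist stopped restricting anything.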