REST interface returning 403 with "Host not permitted" #3340
Comments
FWIW, my Dockerfile follows
Hi, I have the same problem with my Debian install. Interesting thing: I can connect to the interface directly from the server with this command: "lynx 127.0.0.1:8888". You can change the listen port of puma by modifying this file: /var/lib/gems/3.1.0/gems/oxidized-0.31.0/lib/oxidized/config.rb
Hi, same behaviour. I can access the IP:Port of the server directly, but when I use a reverse proxy in front of the service I get a 403 from the puma web server. It seems to be related to the use of a reverse proxy; maybe some headers are missing? Any help would be great.
Hi,
Thanks a lot
Please post the rest_api part of your config file.
Confirmed
As others have mentioned, I am also using a reverse proxy (nginx) in front of my install to add TLS support and authentication. Based on the other comments, it appears to be some issue when forwarding from any reverse proxy, as I see people mentioning lighttpd, puma, and nginx.
I've just tested nginx (debian bookworm) + official oxidized container (running with podman) + basic authentication (Oxidized-web v0.14.0, Oxidized v0.31.0), and it works fine. I suppose that you have a configuration problem on your proxy. My nginx code:
I did an upgrade of Ubuntu from a working 22.04 to 24.04 with the exact same issue. You are not alone in this.
Same here, upgraded to Ubuntu 24.04 and now "Host not permitted".
For anyone else trying to get oxidized running on Ubuntu 24.04 through a reverse proxy, here's my workaround. Edit the file /var/lib/gems/3.2.0/gems/oxidized-web-0.14.0/lib/oxidized/web/webapp.rb and add the line. Save the file and restart oxidized and you should be good to go.
Adding: set :host_authorization, { permitted_hosts: [] } worked for me as well. Thanks @scarygary! Any idea what triggered this?
Not exactly sure, since I'm not a coder. The web application/API in Oxidized is built using Sinatra, and that in turn is using Rack::Protection to protect against typical web attacks. Somewhere along the way I guess an update started requiring a list of allowed hosts. The line I added allows all hosts to connect, and since I'm using a reverse proxy to add TLS and authentication I really don't see this as a security issue. Besides, the interface is only available locally anyway. You can find info on Sinatra as well as Rack::Protection at https://github.com/sinatra/
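To make the mechanism behind "Host not permitted" concrete, here is an added example that is not code from the oxidized, oxidized-web, Sinatra or rack-protection projects. It is a small illustrative host-allowlist middleware in plain Ruby (no gems beyond the standard library) modelled on the behaviour the thread describes for Rack::Protection: a request is let through only when its Host header names a permitted host, and an empty permitted list (the `permitted_hosts: []` workaround above) disables the check entirely. The localhost-only default list, the hostname `oxidized.example.com`, the demo app and the request environments are all constructed for this example and are assumptions, not values taken from the projects.

```ruby
require 'ipaddr'

# Illustrative reimplementation of a Rack-style host allowlist (assumption:
# modelled on how the thread describes Rack::Protection's host check; this
# is not the gem's code). A Rack middleware is any object whose #call(env)
# returns [status, headers, body].
class HostAllowlist
  FORBIDDEN = [403, { 'content-type' => 'text/plain' }, ['Host not permitted']].freeze

  # permitted_hosts may contain exact hostnames ("oxidized.example.com"),
  # leading-dot patterns (".example.com" also matches subdomains) and
  # IPAddr ranges. An empty list means "no restriction".
  def initialize(app, permitted_hosts: [])
    @app = app
    @permitted = permitted_hosts.map { |h| h.is_a?(IPAddr) ? h : h.to_s.downcase }
  end

  def call(env)
    permitted?(host_from(env)) ? @app.call(env) : FORBIDDEN
  end

  # Rack exposes the Host header as HTTP_HOST. Strip an optional ":port"
  # suffix, keeping a bracketed IPv6 literal such as "[::1]:8888" intact.
  def host_from(env)
    raw = env['HTTP_HOST'].to_s.downcase.strip
    return Regexp.last_match(1) if raw =~ /\A\[([^\]]+)\]/
    raw.split(':', 2).first.to_s
  end

  def permitted?(host)
    return true if @permitted.empty?   # empty list: check disabled
    return false if host.empty?        # no Host header at all: refuse
    @permitted.any? { |pattern| matches?(pattern, host) }
  end

  def matches?(pattern, host)
    case pattern
    when IPAddr then pattern.include?(IPAddr.new(host))
    when /\A\./ then host == pattern[1..] || host.end_with?(pattern)
    else host == pattern
    end
  rescue IPAddr::InvalidAddressError
    false   # a hostname compared against an IP range never matches
  end
end

# Constructed stand-in for the web app behind the middleware.
DEMO_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Assumed localhost-only default: direct access via 127.0.0.1 or localhost
# passes, any other hostname is refused.
LOCALHOST_ONLY = ['localhost', '.localhost', IPAddr.new('127.0.0.0/8'), IPAddr.new('::1')].freeze

# Run one constructed request with the given Host header and return the status.
def status_for(host_header, permitted_hosts)
  app = HostAllowlist.new(DEMO_APP, permitted_hosts: permitted_hosts)
  status, = app.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/', 'HTTP_HOST' => host_header)
  status
end

if __FILE__ == $PROGRAM_NAME
  [
    ['direct, Host 127.0.0.1:8888, localhost-only list', '127.0.0.1:8888', LOCALHOST_ONLY],
    ['via proxy, Host oxidized.example.com, localhost-only list', 'oxidized.example.com', LOCALHOST_ONLY],
    ['via proxy, Host oxidized.example.com, empty list (workaround)', 'oxidized.example.com', []],
    ['via proxy, Host oxidized.example.com, explicit allowlist', 'oxidized.example.com', ['oxidized.example.com']],
    ['via proxy, Host evil.example.net, explicit allowlist', 'evil.example.net', ['oxidized.example.com']]
  ].each { |label, host, list| puts format('%-65s -> %d', label, status_for(host, list)) }
end
```

The table the script prints shows why a reverse proxy changes the outcome: a proxy that forwards the client's original Host header presents a public hostname to the backend, which a localhost-only list refuses, while direct access with `127.0.0.1:8888` passes. Emptying the list removes the check for every hostname; listing the proxy's public hostname instead keeps the check while still letting proxied requests through.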
I added an issue in ytti/oxidized-web to hopefully get this added there. |
I have still not been able to reproduce :-( Can someone test starting oxidized with
After a few hours spent on this issue, I still cannot reproduce it. I will not work on it until I am provided with information which permits me to reproduce:
Building from scratch using Alpine Linux 3.21 as a base. When attempting to access the web UI, I get a 403 error and the text "Host not permitted". The web UI does not appear to log anything. Any help in debugging this?