Registration with allowfrom set does not work? about acme-dns HOT 5 CLOSED

All I can think of is using reverse proxy in front of acme-dns and / or corresponding configuration values of:

# use HTTP header to get the client ip
use_header = false
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"

For debugging reasons I think adding the IP address that we're matching against would be beneficial to have in the error message.

from acme-dns.

This seems to be a bug indeed. acme-dns is supposed to use the request.RemoteAddr if use_header = false. I'll fix it in the coming days.

from acme-dns.

Thanks for the quick reply!

# use HTTP header to get the client ip
use_header = false
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"

Is how my configuration is currently set, I also tried switching use_header to true, but then quickly realised you could do something like this to bypass it, which completely defeats the point of enabling it in the first place:

curl -s -X POST http://auth.mydnsdomain.co.uk:8080/update -H "X-Forwarded-For: 127.0.0.1" -H "X-Api-User: p0624f07-b4a7-4d61-8d28-4f7e63621952" -H "X-Api-Key: 54mt4yLIRJZIXiK161jZghvuIxFz09Tj1sZY_vpZ" --data '{"subdomain": "1937d870-d239-4cb2-99b2-d1979q2608a3", "txt": "___validation_token_recieved_from_the_ca___"}' | python -m json.tool
{
    "txt": "___validation_token_recieved_from_the_ca___"
}

As you mentioned, putting a reverse proxy in front of it then setting the config that way is a potential workaround however.

I agree, having the IP address you're matching against in the debug message would definitely be very beneficial here.

Thanks for the work you've put in to this project by the way!

from acme-dns.

I just added logging for the IP address being matched in #46 . It's now available in master branch. This should help us to debug your issue.

from acme-dns.

Awesome, thank you!

I just tried running the same request again, both on the server locally and from an external permitted location, and it seems the IP isn't being retrieved:

DEBU[0042] Checking if update is permitted from IP       ip="<nil>"
ERRO[0042] Update not allowed from IP                    error=ip_unauthorized
DEBU[0071] Checking if update is permitted from IP       ip="<nil>"
ERRO[0071] Update not allowed from IP                    error=ip_unauthorized

I'd assumed that when use_header was set to false it would use the IP address that the POST request was sent from, but is this perhaps not the case?

Cheers

from acme-dns.