Registration with allowfrom set does not work? #45

Closed
MrBMT opened this issue Mar 1, 2018 · 5 comments
@MrBMT

MrBMT commented Mar 1, 2018

Unless I'm doing something really stupid here, I don't seem to be able to update domains when allowfrom has been set during registration.

I use ip addr to retrieve all the CIDR ranges assigned to my server, then register as follows:

root@london ~ curl -s -X POST http://auth.mydnsdomain.co.uk:8080/register \
--data '{"allowfrom": ["127.0.0.1/8", "::1/128", "139.XXX.XXX.153/24", "192.XXX.XXX.197/17", "2a01:XXXX::XXXX:XXXX:XXXX:923d/64", "fe80::XXXX:XXXX:XXXX:923d/64"]}' | python -m json.tool
{
    "allowfrom": [
        "127.0.0.1/8",
        "::1/128",
        "139.XXX.XXX.153/24",
        "192.XXX.XXX.197/17",
        "2a01:XXXX::XXXX:XXXX:XXXX:923d/64",
        "fe80::XXXX:XXXX:XXXX:923d/64"
    ],
    "fulldomain": "1937e870-d239-4cb2-99b2-d1979c2608e3.auth.mydnsdomain.co.uk",
    "password": "54mt4yLIRJZIXiK161jZghvuIxFz09Tj1sZY_vpZ",
    "subdomain": "1937d870-d239-4cb2-99b2-d1979q2608a3",
    "username": "p0624f07-b4a7-4d61-8d28-4f7e63621952"
}

Note: IP addresses have been partially replaced with XXX/XXXX; the real values, however, are used for the commands.

I then attempt to update that sub-domain:

root@london ~ curl -s -X POST http://auth.mydnsdomain.co.uk:8080/update \
-H "X-Api-User: p0624f07-b4a7-4d61-8d28-4f7e63621952" \
-H "X-Api-Key: 54mt4yLIRJZIXiK161jZghvuIxFz09Tj1sZY_vpZ" \
--data '{"subdomain": "1937d870-d239-4cb2-99b2-d1979q2608a3", "txt": "___validation_token_recieved_from_the_ca___"}' | python -m json.tool
{
    "error": "forbidden"
}

However the update fails. acme-dns displays the following:

DEBU[1269] Created new user                              user=p0624f07-b4a7-4d61-8d28-4f7e63621952
ERRO[1542] Update not allowed from IP                    error=ip_unauthorized

If I register without setting allowfrom, everything works fine:

curl -s -X POST http://auth.mydnsdomain.co.uk:8080/register | python -m json.tool
{
    "allowfrom": [],
    "fulldomain": "ad53ddb7-38ad-42fd-9d65-854769764df0.auth.mydnsdomain.co.uk",
    "password": "rqSI-YHVf12jfw-FgkQzJrhyUJ_rU9E4_37WP_6h",
    "subdomain": "ab53ddb7-38ad-42fd-9d65-854769764da0",
    "username": "945b3pf0-cc24-4008-9c99-270b13534d4q"
}

curl -s -X POST http://auth.mydnsdomain.co.uk:8080/update \
-H "X-Api-User: 945b3pf0-cc24-4008-9c99-270b13534d4q" \
-H "X-Api-Key: rqSI-YHVf12jfw-FgkQzJrhyUJ_rU9E4_37WP_6h" \
--data '{"subdomain": "ab53ddb7-38ad-42fd-9d65-854769764da0", "txt": "___validation_token_recieved_from_the_ca___"}' | python -m json.tool
{
    "txt": "___validation_token_recieved_from_the_ca___"
}

Am I missing something here, or is it broken?

@joohoi
Owner

joohoi commented Mar 1, 2018

All I can think of is using reverse proxy in front of acme-dns and / or corresponding configuration values of:

# use HTTP header to get the client ip
use_header = false
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"

For debugging reasons I think adding the IP address that we're matching against would be beneficial to have in the error message.

@MrBMT
Author

MrBMT commented Mar 1, 2018

Thanks for the quick reply!

# use HTTP header to get the client ip
use_header = false
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"

is how my configuration is currently set. I also tried switching use_header to true, but then quickly realised you could do something like this to bypass it, which completely defeats the point of enabling it in the first place:

curl -s -X POST http://auth.mydnsdomain.co.uk:8080/update \
-H "X-Forwarded-For: 127.0.0.1" \
-H "X-Api-User: p0624f07-b4a7-4d61-8d28-4f7e63621952" \
-H "X-Api-Key: 54mt4yLIRJZIXiK161jZghvuIxFz09Tj1sZY_vpZ" \
--data '{"subdomain": "1937d870-d239-4cb2-99b2-d1979q2608a3", "txt": "___validation_token_recieved_from_the_ca___"}' | python -m json.tool
{
    "txt": "___validation_token_recieved_from_the_ca___"
}

As you mentioned, putting a reverse proxy in front of it then setting the config that way is a potential workaround however.

I agree, having the IP address you're matching against in the debug message would definitely be very beneficial here.

Thanks for the work you've put in to this project by the way!

@joohoi
Owner

joohoi commented Mar 1, 2018

I just added logging for the IP address being matched in #46. It's now available in master branch. This should help us to debug your issue.

@MrBMT
Author

MrBMT commented Mar 1, 2018

Awesome, thank you!

I just tried running the same request again, both on the server locally and from an external permitted location, and it seems the IP isn't being retrieved:

DEBU[0042] Checking if update is permitted from IP       ip="<nil>"
ERRO[0042] Update not allowed from IP                    error=ip_unauthorized
DEBU[0071] Checking if update is permitted from IP       ip="<nil>"
ERRO[0071] Update not allowed from IP                    error=ip_unauthorized

I'd assumed that when use_header was set to false it would use the IP address that the POST request was sent from, but is this perhaps not the case?

Cheers

@joohoi
Owner

joohoi commented Mar 1, 2018

This seems to be a bug indeed. acme-dns is supposed to use the request.RemoteAddr if use_header = false. I'll fix it in the coming days.
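The thread raises two separate points about the allowfrom check: the X-Forwarded-For bypass that appears when use_header is simply switched on, and the nil address that shows up when use_header = false and the TCP peer should have been used. The Go block below is an added example written for this page to show both behaviours side by side; it is not acme-dns's own code and does not reflect how the project implements the check. Everything named in it is an assumption: Config, TrustedProxies, peerIP, clientIP, updateAllowed and newReq do not appear in the thread, the 139.0.2.x, 203.0.113.9 and 10.0.0.0/8 addresses are constructed sample values, and the suggestion that a "host:port" RemoteAddr passed straight to net.ParseIP is one way to get ip="<nil>" is a guess about a plausible cause, not something the thread confirms.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Config mirrors the two acme-dns options quoted in the thread. TrustedProxies
// is an assumption of this example, not an acme-dns setting: the forwarded
// header is only honoured when the TCP peer is inside one of these networks.
type Config struct {
	UseHeader      bool
	HeaderName     string
	TrustedProxies []*net.IPNet
}

// peerIP extracts the address from http.Request.RemoteAddr. Go's server sets
// it to "host:port" ("[::1]:port" for IPv6); passing that string unchanged to
// net.ParseIP returns nil (assumed here to be one way ip="<nil>" can arise).
func peerIP(remoteAddr string) (net.IP, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // tolerate a bare IP with no port
	}
	ip := net.ParseIP(strings.TrimSpace(host))
	if ip == nil {
		return nil, fmt.Errorf("cannot parse client address %q", remoteAddr)
	}
	return ip, nil
}

func inNets(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP picks the address the allowfrom check runs against. With
// use_header = false it is always the TCP peer. With use_header = true the
// header is trusted only when the peer is a known proxy; otherwise any client
// can send "X-Forwarded-For: 127.0.0.1" and pass, as shown in the thread.
func clientIP(cfg Config, r *http.Request) (net.IP, error) {
	peer, err := peerIP(r.RemoteAddr)
	if err != nil || !cfg.UseHeader || !inNets(peer, cfg.TrustedProxies) {
		return peer, err
	}
	hdr := r.Header.Get(cfg.HeaderName)
	if hdr == "" {
		return peer, nil
	}
	// "client, proxy1, proxy2": the first element is the original client.
	first := strings.TrimSpace(strings.Split(hdr, ",")[0])
	if ip := net.ParseIP(first); ip != nil {
		return ip, nil
	}
	return nil, fmt.Errorf("unparseable %s header %q", cfg.HeaderName, hdr)
}

// updateAllowed is the check behind "Update not allowed from IP": an empty
// allowfrom list permits every source, otherwise the client must fall inside
// one of the listed CIDRs. It also returns the matched address for logging.
func updateAllowed(cfg Config, allowFrom []string, r *http.Request) (bool, net.IP, error) {
	var nets []*net.IPNet
	for _, c := range allowFrom {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return false, nil, err
		}
		nets = append(nets, n)
	}
	ip, err := clientIP(cfg, r)
	if err != nil {
		return false, nil, err
	}
	return len(nets) == 0 || inNets(ip, nets), ip, nil
}

// newReq builds a minimal request carrying only the fields the check reads.
func newReq(remoteAddr, xff string) *http.Request {
	r := &http.Request{RemoteAddr: remoteAddr, Header: http.Header{}}
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	allow := []string{"127.0.0.1/8", "::1/128", "139.0.2.153/24"} // constructed sample list
	noHeader := Config{UseHeader: false, HeaderName: "X-Forwarded-For"}
	for _, r := range []*http.Request{
		newReq("139.0.2.7:40000", ""),            // real client inside allowfrom
		newReq("203.0.113.9:40000", "127.0.0.1"), // spoofed header, ignored
	} {
		ok, ip, err := updateAllowed(noHeader, allow, r)
		fmt.Printf("peer=%s matched=%v allowed=%v err=%v\n", r.RemoteAddr, ip, ok, err)
	}
}
```

The TrustedProxies check is what separates the two configurations the thread compares: with use_header = true and no such check, the curl with X-Forwarded-For: 127.0.0.1 succeeds exactly as MrBMT showed, because the header is taken at face value from any peer. With the check, an untrusted peer's header is discarded and its own TCP address is matched instead, while a request that genuinely arrives through the reverse proxy is matched on the first X-Forwarded-For entry. Running net.SplitHostPort before net.ParseIP is what keeps the use_header = false path from producing a nil address when RemoteAddr carries a port.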
