ANNOUNCEMENT: tunnel consent page now requires the tunnel creator's public IP in order to access tunnel content. #598
Comments
Ummm... I use this through Paperspace, not a local computer. Any ideas on how I would get the information needed so that I can continue generating my pictures? |
hey @Yggdrasil777, that's an interesting use-case...
or if you like wget better:
lmk if that helps you out! |
Yes, that helped. I am in. Thank you for the command. I couldn't find it anywhere, have been searching since I made the comment. Kinda stopped my UE5 thing looking for the solution. The terminal helped. |
Hey @hamnv, |
Is the code of the server open source and updated? |
Hello, I tried to use localtunnel, I put the public IP and it doesn't work, there is another alternative to validate? |
Hey all, I'm hitting the same problem as well -- entering the public IP doesn't work. |
Code in python: |
@FabianSilva and @Atlinx Are you running the client locally or on a remote server? There's no other way to validate unless you run a firefox/chrome extension to add a specific header to all requests to bypass the consent page for you locally. |
Yup the code for the server part of localtunnel is open-sourced (https://github.com/localtunnel/server). The version running on the public localtunnel server is slightly more modified with the consent page middleware and not publicly available (because abusers would just read the code and circumvent what I've implemented) |
Hey @TheBoroer, I'm using the ip listed in the ipconfig. I also tried using the IP from a "whats my IP" search on google, and that didn't work either. I'm hosting locally on a Windows machine and I need to test the site from mobile devices. I initially tried directly connecting to my computer's private IP address, but that didn't work so I ended up using localtunnel to access the site from my phone. The alternative of using extensions to pass a header probably won't work for me since I'm using mobile devices. |
entering the public IP doesn't work. and my webhooks are now broken anyway thanks to this :( |
Can you try to just go to ipv4.icanhazip.com in a browser on that Windows machine and enter that IP into your tunnel? The IP listed in ipconfig won't work because it's highly likely it's a LAN IP that's shown there. If you happen to have a dual WAN setup (two internet connections) then that might cause issues. Let me think of an alternative to using the endpoint IP as a password (but not breaking backwards compatibility with older localtunnel clients) 🤔 |
Sorry for breaking stuff for you 😔 |
Btw if anyone of you guys wanna do some one on one troubleshooting, dm me on Twitter! @TheBoroer |
Using the ip from |
Can you please send me your tunnel subdomain and the first and last digits of your IP? I can check to see what IP it saved in the db for you. I would love to troubleshoot this issue and see if it's something i can workaround or fix |
my case: https://fabian-development.loca.lt -> 190.210.192.113 |
doesn't work |
hey @felix068, can you please let me know:
|
hey @FabianSilva I don't even see that tunnel in the tunnels db 🤔 that's probably why it's not working. Could you please let me know what lt client version you're using ( |
@TheBoroer |
hmm i'll have to troubleshoot this further... I would have loved to do a randomized password for all tunnels but I don't have permissions to push a new client version to npm plus it needs to also be backwards compatible with older clients. so that's the constraints im working within when coming up with a solution. I'm still evaluating other password-like ways of stopping unsuspecting users from entering phishing portals but for now the endpoint IP is the easiest...i'll just have to figure out why some users (like you) aren't able to access their tunnels 🤔 I dislike having to enforce password protection in general but the endpoint IP was the only thing I could use that's unique per tunnel endpoint AND could be backwards compatible with older versions of localtunnel (i don't have npm publish permissions atm so I can't even publish updated clients). About leaking your ip, your IP was always being exposed even before this recent change via special localtunnel http headers. Ngrok also exposes the tunnel endpoint's real IPs via localtunnel isn't meant as an anonymizing service. It's meant to be a simple tool to help you temporarily share your localhost webdev progress with others or make webhook development easier so devs dont have to open ports in order to test out webhooks. |
@TheBoroer edit : I just tested in IPv6 and it doesn't work either |
as felix068, I'm also on 2.0.2 |
@TheBoroer The site I defined before you changed things works fine. I'm even using GRPC with your bypass headers and it works. However, I changed the subdomain to see if it would work - it failed with my public IP (provider AT&T). I suspect that my original subdomain will fail with my users - right? |
Thank you very much, I had a code that I had not touched in a few weeks and now it was asking me for the ip, Your comment with the python code solved my problem. |
Thank you @hamnv, your solution worked. I was previously trying to follow what localtunnel was telling me on the page, but their suggestions didn't work. |
The "password" doesn't work with a VPN |
The reason why it doesn't work with VPN is because your internet is running on a secret/unknown IP address. The code can't know the IP of this secret server and that's why it's not working. |
If you're on macOS and using Private Relay, make sure to pause/disable it as it masks your IP. |
@TheBoroer I am facing same issue. ipv4 public address shows incorrect. I have given internet from my mobile hotspot to local linux machine. How can I resolve this? |
The Meta Cloud API webhook is making a GET with a query parameter that my webservice should send back in the http body response with http status = 200 to validate the webhook. |
ig this is unusable now rip. |
just grabbed this to try and see if the activity pub api I'm working on can be reached by Mastodon... I think this verification page is preventing it |
Hello @TheBoroer, localtunnel has been a great tool in my magicbox until this verification feature was implemented. Unfortunately, like other users' experience, I had difficulty validating with the IP generated by ipv4.icanhazip.com and I'd now have to source for an alternative. I hope this will be fixed asap. Why not include a simple command like |
this simply doesn't work now |
Unusable for me too. I don't understand why we need to provide an IP which could be different depending on ipv6 or v4. Just a generated or custom passphrase is enough and simpler. |
@TheBoroer, I think there may be a need to review this feature. Even Microsoft has introduced "Dev Tunnel" into Visual Studio, enabling Developer to seamlessly generate both static, dynamic, publicly accessible, and privately accessible as well as organization-level accessible URLs which are automatically mapped to the project during the development stage, thereby enabling ease of Debugging and integration testing. |
Are you not getting the link with the IP? That's what's been happening to me lately |
The reason for doing it the IP way for now is that a generated or custom password would need changes to the localtunnel-client npm package and I don't have access to push new versions to that package. I only maintain the public localtunnel server so I'm doing what I can with what I have. shrugs shoulders
Same reason as my first quote reply above :(
It should work now. Those who had issues with the tunnel password before, could you please try again? If you access https://loca.lt/mytunnelpassword (instead of the icanhazip.com url) from the same computer/wifi-network where your localtunnel client is running from it should give you the value that's stored in the db for your tunnel. |
To get your password enter this in your local browser |
@TheBoroer Hey, thank you for all your work :) |
@Black-Platypus unfortunately the tunnel reminder is not in this repository directly. The developers purposely put the friendly reminder on all of the https://*.loca.lt domains, so before visiting any localtunnel server, you will see the page. Even if the server doesn't exist. The friendly reminder page is hosted on localtunnel's main server and nobody can access it but the developers. I'm also wondering why the server repo doesn't include this page either, because supposedly this is the main server that hosts localtunnel. TL;DR As far as I'm aware, there is no way to remove, customize, or modify anything about the friendly reminder page. The only way that you can bypass it is by having a non-browser user-agent (it can be anything), or setting the HTTP request header |
Hey @Black-Platypus, And basically do something like:
Does that help you? |
@Parking-Master Thanks, that's what I figured Do I have the right idea with these assumptions?
Are there other things to worry about? For example, will two devices with the same public IP still match a DB entry, even if their user agent string differs slightly? Or is the exact user agent entered and matched against as well? |
@Black-Platypus you pretty much got it figured out! Only thing to correct is; if The bullet points on the db lookup and saving consents to the db are correct. There's some logic for rate limiting and blacklisting bots that spam the server with hundreds of tunnels per second but that's only on the new tunnel endpoint, not the tunnel subdomains so shouldn't be affecting your users. So yeah, there shouldn't be anything else going on that you have to worry about.
same public ip w/ a valid consent in the db = automatic bypassing of the page regardless of what the user-agent is
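The gate behaviour described in the comments above, modelled as an added example (not code from the thread or from the closed-source guard proxy). The function names, the `Mozilla/` browser test and keying consents by subdomain plus visitor IP are assumptions; the addresses are constructed from documentation ranges.

```javascript
// Added illustration: toy model of the consent gate as described in this thread.
// Every name here is hypothetical; the real guard proxy is closed source.

// Assumption: a "browser" is any client whose user-agent starts with "Mozilla/".
const looksLikeBrowser = (ua) => /^Mozilla\//.test(ua || "");

function createGate() {
  const tunnels = new Map();  // subdomain -> endpoint IP recorded at tunnel creation
  const consents = new Set(); // "subdomain|visitorIp" (keying by subdomain is assumed)

  return {
    registerTunnel(subdomain, endpointIp) {
      tunnels.set(subdomain, endpointIp);
    },
    // Returns "proxy" (forward to the tunnel) or "consent-page".
    handle({ subdomain, visitorIp, userAgent, password }) {
      if (!looksLikeBrowser(userAgent)) return "proxy"; // non-browser clients skip the page
      const key = `${subdomain}|${visitorIp}`;
      if (consents.has(key)) return "proxy"; // matched on IP only, user-agent ignored
      const expected = tunnels.get(subdomain);
      // Plain string comparison: only the exact stored address is accepted.
      if (expected !== undefined && password === expected) {
        consents.add(key);
        return "proxy";
      }
      return "consent-page";
    },
  };
}

// Constructed sample traffic (documentation address ranges, not real hosts).
function demo() {
  const gate = createGate();
  gate.registerTunnel("demo", "203.0.113.7");
  const chrome = "Mozilla/5.0 (X11; Linux x86_64) Chrome/120.0";
  const safari = "Mozilla/5.0 (iPhone) Safari/604.1";
  const visit = (extra) => gate.handle({ subdomain: "demo", visitorIp: "198.51.100.20", userAgent: chrome, ...extra });
  return {
    noPassword: visit({}),
    ipv6OfSameHost: visit({ password: "2001:db8::7" }),
    storedIp: visit({ password: "203.0.113.7" }),
    sameNatOtherDevice: visit({ userAgent: safari }),
    otherNetwork: visit({ visitorIp: "192.0.2.99" }),
    unknownTunnel: visit({ subdomain: "missing", password: "203.0.113.7" }),
    nonBrowserClient: visit({ visitorIp: "192.0.2.50", userAgent: "webhook-sender/1.0" }),
  };
}

console.log(demo());
```

The `ipv6OfSameHost` and `unknownTunnel` cases correspond to the failures reported in the thread: an address other than the one stored for the tunnel, or a tunnel missing from the db, leaves the visitor on the consent page.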
Thank you, @TheBoroer ! |
Hi @TheBoroer, I've been rummaging around in the localtunnel/server source code. And I can't find any reference to this page. |
Hey, the localtunnel-guard (the proxy that handles the tunnel reminder page + logic) is a separate closed source expressjs+proxy app atm so you'll have to come up with your own solution until i clean up some code and release it |
Loud and clear, thanks. |
Hey everyone,
It saddens me to be forced to add yet another annoying thing to the public localtunnel server but...
As of 2 minutes ago, all tunnels now require a real user to enter the endpoint IP address (which acts like your tunnel link's password) on the consent page.
Showing and having the users click a continue button in order to access the tunnel content didn't really do too much to fight off people hosting phishing portals via localtunnel. I've also been getting an enormous amount of phishing/abuse notices from various organizations worldwide, forwarded notices from my hosting provider, and even have been put on notice that I will be responsible for costs related to removing IPs from various IP blacklists...
I'm currently building an abuse reporting tool for these orgs to use that'll automate banning users hosting phishing portals but until that's built & tested this new password-protection way of abuse fighting will have to do.
Sorry for any inconvenience...
PS. If localtunnel doesn't work for your use case for whatever reason, feel free to checkout other alternatives like https://ngrok.io
If anyone has any other suggestions on easy ways to fight phishing/malware portals from using this service, i'm all ears!