lolcat
/
4get
6
13
Fork 4
Code Issues 13 Pull Requests Packages Projects Releases Wiki Activity

Docker: multiple issues #3

New Issue
Closed
opened 2024-03-30 04:40:44 +00:00 by Eclair5748 · 7 comments
Eclair5748 commented 2024-03-30 04:40:44 +00:00
Contributor
Copy Link

This issue consolidates several issues related to 4get's current Docker setup.

Publicly accessible private resources

The Apache configurations used by docker-entrypoint.sh (http.conf and https.conf) do not properly restrict access to private resources. The configurations lack a block like the following to deny access:

# deny access to private resources
<Directory "/var/www/html/4get/data">
    Require all denied
    <Files "*">
        Require all denied
    </Files>
</Directory>

Additionally, the line Options Indexes FollowSymLinks (http.conf and https.conf) exposes the directory structure and file names to anyone accessing the directory URL. It should be changed to Options FollowSymLinks.

These issues make sensitive directories like data/proxies publicly accessible and easily traversable for instances using the official Docker image.

Breakage caused by anti-bot measures

Commits 2976c0a6a4 and fea09d9580 introduced filtering of certain HTTP headers (like X-Forwarded-For) to block proxy traffic:

// check header key
if(in_array($headerkey, config::FILTERED_HEADER_KEYS)){
  
  $bad_header = true;
  break;
}

src: https://git.lolcat.ca/lolcat/4get/src/commit/dd3469aeb67631fd49b4f7a78a036187628eda44/lib/frontend.php#L101-L106

However, headers like X-Forwarded-For are also typically forwarded by reverse proxies. This results in all requests being blocked as if they came from a proxy or bot, potentially preventing legitimate traffic from reaching the 4get instance.

Setting an environment variable like FOURGET_FILTERED_HEADER_KEYS="not-a-real-header" also failed as a workaround during testing.

Use of restart: always in docker-compose.yaml

The restart: always policy in the docker-compose.yaml file causes the container to always restart, regardless of the exit status.

Generally, the unless-stopped policy is preferred as it allows for more control over container restarts. It prevents unintended restarts of manually stopped containers, while still automatically restarting containers that exit unexpectedly or crash.

This issue consolidates several issues related to 4get's current Docker setup. ## Publicly accessible private resources The Apache configurations used by [docker-entrypoint.sh](https://git.lolcat.ca/lolcat/4get/src/commit/573a11a7087f5d2948f7de46a6fb34343dab062a/docker/docker-entrypoint.sh) ([`http.conf`](https://git.lolcat.ca/lolcat/4get/src/commit/573a11a7087f5d2948f7de46a6fb34343dab062a/docker/apache/http.conf) and [`https.conf`](https://git.lolcat.ca/lolcat/4get/src/commit/573a11a7087f5d2948f7de46a6fb34343dab062a/docker/apache/https.conf)) do not properly restrict access to private resources. The configurations lack a block like the following to deny access: ```apacheconf # deny access to private resources <Directory "/var/www/html/4get/data"> Require all denied <Files "*"> Require all denied </Files> </Directory> ``` Additionally, the line `Options Indexes FollowSymLinks` ([`http.conf`](https://git.lolcat.ca/lolcat/4get/src/commit/573a11a7087f5d2948f7de46a6fb34343dab062a/docker/apache/http.conf#L19) and [`https.conf`](https://git.lolcat.ca/lolcat/4get/src/commit/573a11a7087f5d2948f7de46a6fb34343dab062a/docker/apache/https.conf#L24)) exposes the directory structure and file names to anyone accessing the directory URL. It should be changed to `Options FollowSymLinks`. These issues make sensitive directories like `data/proxies` publicly accessible and easily traversable for instances using the [official Docker image](https://hub.docker.com/r/luuul/4get). ## Breakage caused by anti-bot measures Commits [2976c0a6a4](https://git.lolcat.ca/lolcat/4get/commit/2976c0a6a4c3ef72784a92867edd7df32ef67d3a) and [fea09d9580](https://git.lolcat.ca/lolcat/4get/commit/fea09d95801489cc273843e319b3e98e7ce63b00) introduced filtering of certain HTTP headers (like `X-Forwarded-For`) to block proxy traffic: ```php // check header key if(in_array($headerkey, config::FILTERED_HEADER_KEYS)){ $bad_header = true; break; } ``` src: [https://git.lolcat.ca/lolcat/4get/src/commit/dd3469aeb67631fd49b4f7a78a036187628eda44/lib/frontend.php#L101-L106](https://git.lolcat.ca/lolcat/4get/src/commit/dd3469aeb67631fd49b4f7a78a036187628eda44/lib/frontend.php#L101-L106) However, headers like `X-Forwarded-For` are also typically forwarded by reverse proxies. This results in all requests being blocked as if they came from a proxy or bot, potentially preventing legitimate traffic from reaching the 4get instance. Setting an environment variable like `FOURGET_FILTERED_HEADER_KEYS="not-a-real-header"` also failed as a workaround during testing. ## Use of `restart: always` in `docker-compose.yaml` The [`restart: always` policy in the `docker-compose.yaml` file](https://git.lolcat.ca/lolcat/4get/src/commit/12b67af69c7a3fe4d82b5a30fe0e1eeb6db2fc34/docker-compose.yaml#L7) causes the container to always restart, regardless of the exit status. Generally, the `unless-stopped` policy is preferred as it allows for more control over container restarts. It prevents unintended restarts of manually stopped containers, while still automatically restarting containers that exit unexpectedly or crash.
lolcat commented 2024-04-16 01:33:16 +00:00
Owner
Copy Link

Hello...

I've been trying to get in touch with @throwaway, the guy who helps me with docker shit, but his account has been nuked because I couldn't be bothered to migrate gitea data to the new server. Anyway, I'll try and look at this myself but don't expect much since I really really hate docker.

Take care xx

Hello... I've been trying to get in touch with @throwaway, the guy who helps me with docker shit, but his account has been nuked because I couldn't be bothered to migrate gitea data to the new server. Anyway, I'll try and look at this myself but don't expect much since I really really hate docker. Take care xx
Eclair5748 commented 2024-04-17 08:32:53 +00:00
Author
Contributor
Copy Link

So that's what happened to the account I had on here before lol

I'd be happy to open a PR with all of the necessary changes, but I can't fork the repository.

So that's what happened to the account I had on here before lol I'd be happy to open a PR with all of the necessary changes, but I can't fork the repository.
screenshot.png
253 KiB
screenshot.png
❤️ 1
lolcat commented 2024-04-17 14:20:57 +00:00
Owner
Copy Link

I have updated your account permissions

The apache2 setup guide securely sets up everything: https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/apache2.md

Maybe you can use this as reference.

I have updated your account permissions The apache2 setup guide securely sets up everything: https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/apache2.md Maybe you can use this as reference.
👍 1
lolcat commented 2024-04-20 15:29:09 +00:00
Owner
Copy Link

@throwaway (love u bb) should have fixed all of this, feel free to re-open if issues arises

@throwaway (love u bb) should have fixed all of this, feel free to re-open if issues arises
Eclair5748 commented 2024-04-21 01:34:28 +00:00
Author
Contributor
Copy Link

Unfortunately the search is still broken on my end since the fag protection commits

Search works correctly when using an image built from commit 81502d4721, but is non-functional with any later versions

I've tried specifing the env vars FOURGET_HEADER_REGEX=not-a-real-header-0,not-a-real-header-1 and FOURGET_FILTERED_HEADER_KEYS=not-a-real-header-0,not-a-real-header-1, but no luck so far~

If it's useful, the following variables are being templated into data/config.php:

const FILTERED_HEADER_KEYS = "not-a-real-header-0,not-a-real-header-1";
const HEADER_REGEX = "not-a-real-header-0,not-a-real-header-1";
const SERVICE_HOST = "10.43.193.177";
const PORT = "tcp://10.43.193.177:80";
const SERVICE_PORT = 80;
const PROTO = "http";
const PORT_80_TCP_ADDR = "10.43.193.177";
const PORT_80_TCP_PORT = 80;
const PORT_80_TCP_PROTO = "tcp";
const PORT_80_TCP = "tcp://10.43.193.177:80";
const SERVICE_PORT_HTTP = 80;

Turns out disabling the proxies for the scrapers solved the issue, so maybe the issue was caused by some other commit after 81502d4721 ?

~~Unfortunately the search is still broken on my end since the `fag protection` commits~~ ~~Search works correctly when using an image built from commit 81502d4721, but is non-functional with any later versions~~ ~~I've tried specifing the env vars `FOURGET_HEADER_REGEX=not-a-real-header-0,not-a-real-header-1` and `FOURGET_FILTERED_HEADER_KEYS=not-a-real-header-0,not-a-real-header-1`, but no luck so far~~~ ~~If it's useful, the following variables are being templated into `data/config.php`:~~ ```php const FILTERED_HEADER_KEYS = "not-a-real-header-0,not-a-real-header-1"; const HEADER_REGEX = "not-a-real-header-0,not-a-real-header-1"; const SERVICE_HOST = "10.43.193.177"; const PORT = "tcp://10.43.193.177:80"; const SERVICE_PORT = 80; const PROTO = "http"; const PORT_80_TCP_ADDR = "10.43.193.177"; const PORT_80_TCP_PORT = 80; const PORT_80_TCP_PROTO = "tcp"; const PORT_80_TCP = "tcp://10.43.193.177:80"; const SERVICE_PORT_HTTP = 80; ``` Turns out disabling the proxies for the scrapers solved the issue, so maybe the issue was caused by some other commit after 81502d4721 ?
lolcat commented 2024-04-24 23:32:31 +00:00
Owner
Copy Link

@throwaway does your latest commit fix the issues talked about here?

@throwaway does your latest commit fix the issues talked about here?
lolcat commented 2024-06-20 04:01:49 +00:00
Owner
Copy Link

Latest commit should fix this, feel free to re-open if other issues arises :)

Latest commit should fix this, feel free to re-open if other issues arises :)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: lolcat/4get#3
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?