Docker: multiple issues #3

Open
opened 2024-03-30 04:40:44 +00:00 by Eclair5748 · 6 comments
Contributor

This issue consolidates several issues related to 4get's current Docker setup.

## Publicly accessible private resources

The Apache configurations used by [docker-entrypoint.sh](https://git.lolcat.ca/lolcat/4get/src/commit/573a11a7087f5d2948f7de46a6fb34343dab062a/docker/docker-entrypoint.sh) ([`http.conf`](https://git.lolcat.ca/lolcat/4get/src/commit/573a11a7087f5d2948f7de46a6fb34343dab062a/docker/apache/http.conf) and [`https.conf`](https://git.lolcat.ca/lolcat/4get/src/commit/573a11a7087f5d2948f7de46a6fb34343dab062a/docker/apache/https.conf)) do not properly restrict access to private resources. The configurations lack a block like the following to deny access:

```apacheconf
# deny access to private resources
<Directory "/var/www/html/4get/data">
    Require all denied
    <Files "*">
        Require all denied
    </Files>
</Directory>
```

Additionally, the line `Options Indexes FollowSymLinks` ([`http.conf`](https://git.lolcat.ca/lolcat/4get/src/commit/573a11a7087f5d2948f7de46a6fb34343dab062a/docker/apache/http.conf#L19) and [`https.conf`](https://git.lolcat.ca/lolcat/4get/src/commit/573a11a7087f5d2948f7de46a6fb34343dab062a/docker/apache/https.conf#L24)) exposes the directory structure and file names to anyone accessing the directory URL. It should be changed to `Options FollowSymLinks`.

These issues make sensitive directories like `data/proxies` publicly accessible and easily traversable for instances using the [official Docker image](https://hub.docker.com/r/luuul/4get).

## Breakage caused by anti-bot measures

Commits [2976c0a6a4](https://git.lolcat.ca/lolcat/4get/commit/2976c0a6a4c3ef72784a92867edd7df32ef67d3a) and [fea09d9580](https://git.lolcat.ca/lolcat/4get/commit/fea09d95801489cc273843e319b3e98e7ce63b00) introduced filtering of certain HTTP headers (like `X-Forwarded-For`) to block proxy traffic:

```php
// check header key
if(in_array($headerkey, config::FILTERED_HEADER_KEYS)){

  $bad_header = true;
  break;
}
```

src: [https://git.lolcat.ca/lolcat/4get/src/commit/dd3469aeb67631fd49b4f7a78a036187628eda44/lib/frontend.php#L101-L106](https://git.lolcat.ca/lolcat/4get/src/commit/dd3469aeb67631fd49b4f7a78a036187628eda44/lib/frontend.php#L101-L106)

However, headers like `X-Forwarded-For` are also typically forwarded by reverse proxies. This results in all requests being blocked as if they came from a proxy or bot, potentially preventing legitimate traffic from reaching the 4get instance.

Setting an environment variable like `FOURGET_FILTERED_HEADER_KEYS="not-a-real-header"` also failed as a workaround during testing.

## Use of `restart: always` in `docker-compose.yaml`

The [`restart: always` policy in the `docker-compose.yaml` file](https://git.lolcat.ca/lolcat/4get/src/commit/12b67af69c7a3fe4d82b5a30fe0e1eeb6db2fc34/docker-compose.yaml#L7) causes the container to always restart, regardless of the exit status.

Generally, the `unless-stopped` policy is preferred as it allows for more control over container restarts. It prevents unintended restarts of manually stopped containers, while still automatically restarting containers that exit unexpectedly or crash.
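The "Breakage caused by anti-bot measures" section above describes why filtering on the mere presence of `X-Forwarded-For` blocks every request once a reverse proxy sits in front of the instance. The following is an added example, not 4get's code and not a patch from this thread: it places the naive presence check beside a proxy-aware variant that trusts its own reverse proxy addresses and instead inspects the `X-Forwarded-For` chain for an extra hop. All function names, the `$trusted_proxies` list and the sample requests are hypothetical. It assumes the reverse proxy appends to `X-Forwarded-For` rather than replacing it (the default for Apache mod_proxy and for nginx with `$proxy_add_x_forwarded_for`) and that PHP 8 is in use. One caveat the thread itself hints at: `in_array()` only accepts an array as its haystack, so if `FILTERED_HEADER_KEYS` really reaches PHP as the comma-separated string shown later in the thread, the quoted check cannot use it as-is; the example therefore accepts both forms.

```php
<?php
// Added example, not 4get's code. Hypothetical helpers showing how a
// "filtered header" check can stay usable behind a reverse proxy.
// Assumptions: the reverse proxy appends (not replaces) X-Forwarded-For,
// and its addresses are known to the application ($trusted_proxies).

declare(strict_types=1);

/**
 * Accept the filtered-key list either as an array or as the comma-separated
 * string that the Docker entrypoint templates into config.php, lower-cased.
 * in_array() itself only accepts an array haystack (TypeError on PHP 8).
 */
function normalise_filtered_keys(string|array $configured): array
{
    $keys = is_array($configured) ? $configured : explode(',', $configured);
    $out  = [];
    foreach ($keys as $key) {
        $key = strtolower(trim((string) $key));
        if ($key !== '') {
            $out[] = $key;
        }
    }
    return array_values(array_unique($out));
}

/**
 * The logic quoted in the issue: any request carrying one of the filtered
 * header names is treated as proxied. Behind a reverse proxy every request
 * carries X-Forwarded-For, so this blocks everything.
 */
function naive_has_bad_header(array $headers, array $filtered): bool
{
    foreach (array_keys($headers) as $name) {
        if (in_array(strtolower((string) $name), $filtered, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Hop list: X-Forwarded-For entries (oldest first) followed by the TCP peer
 * that actually connected to us.
 */
function forwarding_chain(string $remote_addr, string $xff): array
{
    $hops = array_filter(array_map('trim', explode(',', $xff)), fn (string $h): bool => $h !== '');
    $hops = array_values($hops);
    $hops[] = $remote_addr;
    return $hops;
}

/**
 * Strip our own proxies from the right-hand end of the chain. What remains is
 * the real client plus any proxies it went through before reaching us.
 */
function untrusted_hops(array $hops, array $trusted_proxies): array
{
    while ($hops !== [] && in_array(end($hops), $trusted_proxies, true)) {
        array_pop($hops);
    }
    return array_values($hops);
}

/**
 * Proxy-aware replacement for the naive check. Direct clients are judged on
 * header presence as before; requests relayed by a trusted reverse proxy are
 * judged on whether X-Forwarded-For shows a hop beyond the one our proxy added.
 */
function proxy_aware_has_bad_header(array $headers, array $filtered, string $remote_addr, array $trusted_proxies): bool
{
    if (!in_array($remote_addr, $trusted_proxies, true)) {
        return naive_has_bad_header($headers, $filtered);
    }
    $lower = array_change_key_case($headers, CASE_LOWER);
    $chain = untrusted_hops(forwarding_chain($remote_addr, (string) ($lower['x-forwarded-for'] ?? '')), $trusted_proxies);
    // Empty chain: the proxy itself (e.g. a health check). One hop: a direct
    // client of the proxy. Two or more: the client used its own proxy.
    return count($chain) > 1;
}

// Constructed sample requests (not captured from a real instance).
$filtered = normalise_filtered_keys('X-Forwarded-For,Via,X-Real-IP');
$trusted  = ['10.0.0.2'];
$cases = [
    'direct client, clean'             => [[], '203.0.113.5'],
    'direct client via open proxy'     => [['X-Forwarded-For' => '203.0.113.5'], '198.51.100.9'],
    'behind our nginx, clean'          => [['X-Forwarded-For' => '203.0.113.5'], '10.0.0.2'],
    'behind our nginx, via open proxy' => [['X-Forwarded-For' => '203.0.113.5, 198.51.100.9'], '10.0.0.2'],
];
foreach ($cases as $label => [$headers, $peer]) {
    printf("%-34s naive=%s proxy-aware=%s\n", $label,
        naive_has_bad_header($headers, $filtered) ? 'block' : 'allow',
        proxy_aware_has_bad_header($headers, $filtered, $peer, $trusted) ? 'block' : 'allow');
}
```

The third sample is the case the issue reports: a clean client whose request arrives via the operator's own nginx. The naive check blocks it because `X-Forwarded-For` is present; the proxy-aware check strips the trusted hop, sees a single remaining address and allows it, while still blocking the fourth sample where the chain shows the client came through another proxy first. The trusted-proxy list is the important part: without it, any client can forge `X-Forwarded-For` and the application has no way to tell its own proxy's header from a spoofed one.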
Owner

Hello...

I've been trying to get in touch with @throwaway, the guy who helps me with docker shit, but his account has been nuked because I couldn't be bothered to migrate gitea data to the new server. Anyway, I'll try and look at this myself but don't expect much since I really really hate docker.

Take care xx

Author
Contributor

So that's what happened to the account I had on here before lol

I'd be happy to open a PR with all of the necessary changes, but I can't fork the repository.

Owner

I have updated your account permissions

The apache2 setup guide securely sets up everything: https://git.lolcat.ca/lolcat/4get/src/branch/master/docs/apache2.md

Maybe you can use this as reference.

Owner

@throwaway (love u bb) should have fixed all of this, feel free to re-open if issues arise

Author
Contributor

~~Unfortunately the search is still broken on my end since the `fag protection` commits~~

~~Search works correctly when using an image built from commit 81502d4721, but is non-functional with any later versions~~

~~I've tried specifying the env vars `FOURGET_HEADER_REGEX=not-a-real-header-0,not-a-real-header-1` and `FOURGET_FILTERED_HEADER_KEYS=not-a-real-header-0,not-a-real-header-1`, but no luck so far~~

~~If it's useful, the following variables are being templated into `data/config.php`:~~

```php
const FILTERED_HEADER_KEYS = "not-a-real-header-0,not-a-real-header-1";
const HEADER_REGEX = "not-a-real-header-0,not-a-real-header-1";
const SERVICE_HOST = "10.43.193.177";
const PORT = "tcp://10.43.193.177:80";
const SERVICE_PORT = 80;
const PROTO = "http";
const PORT_80_TCP_ADDR = "10.43.193.177";
const PORT_80_TCP_PORT = 80;
const PORT_80_TCP_PROTO = "tcp";
const PORT_80_TCP = "tcp://10.43.193.177:80";
const SERVICE_PORT_HTTP = 80;
```

Turns out disabling the proxies for the scrapers solved the issue, so maybe the issue was caused by some other commit after 81502d4721?
Owner

@throwaway does your latest commit fix the issues talked about here?

Reference: lolcat/4get#3