Hostname Verification Fails w/ Correct Hostname in Whitelist

[majorgear1]

I recently migrated my sabnzbd from docker to kubernetes, and I cannot get the host_whitelist to work.

The old hostname was sabnzbd.mydomain, and the new one is sabnzbd.cluster.mydomain.

I've tried about 5-6 different versions on the host_whitelist and none of them have worked.

• host_whitelist = sabnzbd.mydomain, sabnzbd.cluster.mydomain
  host_whitelist = sabnzbd.cluster.mydomain
  host_whitelist = sabnzbd.cluster.mydomain, 10.42.0.0
  host_whitelist = sabnzbd.cluster.mydomain, 10.42.0.0, 10.42.1.3
  host_whitelist = sabnzbd.cluster.mydomain, 10.42.0.0, 10.42.1.3
  host_whitelist = sabnzbd.cluster.mydomain, 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16

But I get the error "Access denied - Hostname verification failed: redacted" in my browser every time.

From the logs

Code: Select all

2024-08-22 09:57:25,192::INFO::[notifier:157] Sending notification: Warning - Refused connection with hostname "sabnzbd.cluster.mydomain" from: ::ffff:10.42.1.3 (X-Forwarded-For: 10.42.0.0) [Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0] (type=warning, job_cat=None)
2024-08-22 09:57:25,192::WARNING::[interface:387] Refused connection with hostname "sabnzbd.cluster.mydomain" from: ::ffff:10.42.1.3 (X-Forwarded-For: 10.42.0.0) [Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0]
2024-08-22 09:57:26,282::WARNING::[interface:387] Refused connection with hostname "sabnzbd.cluster.mydomain" from: ::ffff:10.42.0.11 (X-Forwarded-For: 10.42.0.1) [Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0]
2024-08-22 09:57:27,254::WARNING::[interface:387] Refused connection with hostname "sabnzbd.cluster.mydomain" from: ::ffff:10.42.2.3 (X-Forwarded-For: 10.42.0.0) [Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0]

so you can see the hostname matches the whitelist, but the sender IP changes.

I sanitized my sabnzbd.ini file and tried to includedit below, but since this is my first post, the forums said I cannot post links. So even though I didn't see any links in the file, it must interpret a setting as a link. I can post the .ini file someplace else ( pastebin maybe? ) if needed.

[sander]

host_whitelist: only the FQDN is needed. Did you restart sabnzbd? (That might be needed)


"Just add the host name or the full name (‘FQDN’) shown in the error message to host_whitelist in the Specials page of the Config. You can also edit the sabnzbd.ini directly. So, if you use for example http://sabnzbd.special.com:8080/ to access SABnzbd, then add sabnzbd.special.com to host_whitelist (separate multiple hostnames by a comma), or
Access SABnzbd directly through its IP address,"

Does it work if you use the IP address?

I don't think the proxy/forwarder matters, but let's keep that in mind.

[majorgear1]

You probably missed my setting that I posted .
From the error message it sees hostname as "sabnzbd.cluster.mydomain"

Which is exactly what I had in my host whitelist setting posted above

host_whitelist = sabnzbd.cluster.mydomain

The source IP comes from a load balanced reverse proxy in my kubernetes cluster, so it can change. If I want to use an IP address, I would need to whitelist a subdomain like 10.0.0.0/8 for it to work. I tried that, but not by itself.

And yes, I restart sabnzbd after each edit. Note that I cannot access the Web interface since the only way in is through the proxy.

[majorgear1]

I opened a shell into the container and it's /config has a different sabnzbd.ini file than the config folder I told it to mount at "/config" does.

I fact I deleted the .ini file from the mounted filesystem, and the container still has one.

So think this is a container config issue , not a host_whitelist issue. I'll post the solution once I figure it out. its weird because I'm on my 5th container migration, and the others have all worked as expected.

[majorgear1]

I see what I did wrong, I've done this before . VolumeMounts is a list volumes to mount, I duplicated a bit too much when creating the deployment manifest :

Code: Select all

          volumeMounts:
            - name: sabnzbd-config-claim
              mountPath: /config
          volumeMounts:
            - name: sabnzbd-incomplete-claim
              mountPath: /incomplete
          volumeMounts:
            - name: sabnzbd-downloads-claim
              mountPath: /downloads

when it should be

Code: Select all

          volumeMounts:
            - name: sabnzbd-config-claim
              mountPath: /config
            - name: sabnzbd-incomplete-claim
              mountPath: /incomplete
            - name: sabnzbd-downloads-claim
              mountPath: /downloads

For reference, the app automatically generated the .ini file with host w/l line:

Code: Select all

root@sabnzbd-df9694867-7nfzn:/config# cat sabnzbd.ini | grep whitelist
host_whitelist = sabnzbd-df9694867-7nfzn,

I'll update my manifest file and mark this as solved( if possible ) !

[sander]

> You probably missed my setting that I posted .

No, I did not.

Anyway:

About your misconfiguration:

Inside a docker (so also SABnbzbd inside docker) you're able to deduct what is exposed, and what is not. I'm thinking about writing code in SABnzbd that detects if config.ini and complete are not on an exposed drive, and give a warning.

[majorgear1]

> You probably missed my setting that I posted .

No, I did not.

Anyway:

About your misconfiguration:

Inside a docker (so also SABnbzbd inside docker) you're able to deduct what is exposed, and what is not. I'm thinking about writing code in SABnzbd that detects if config.ini and complete are not on an exposed drive, and give a warning.

That could be useful. In my case, maybe a debug message "request denied by host (hostname) not in host_whitelist ( whitelist contents ) .

But really it was me being in a rush and not validating my manifest file before doing a commit&push to my gitops repo.

[rogahna]

That could be useful. In my case, maybe a debug message "request denied by host (hostname) not in host_whitelist ( whitelist contents ) .

But really it was me being in a rush and not validating my manifest file before doing a commit&push to my gitops repo.

Are there specific tools or scripts that can help automate this validation process?

[safihre]

How do you envision this?