Hostname Verification Fails w/ Correct Hostname in Whitelist

Posted: August 22nd, 2024, 11:18 am
by majorgear1
I recently migrated my sabnzbd from docker to kubernetes, and I cannot get the host_whitelist to work.

The old hostname was sabnzbd.mydomain, and the new one is sabnzbd.cluster.mydomain.

I've tried about 5-6 different versions on the host_whitelist and none of them have worked.

  • host_whitelist = sabnzbd.mydomain, sabnzbd.cluster.mydomain
  • host_whitelist = sabnzbd.cluster.mydomain
  • host_whitelist = sabnzbd.cluster.mydomain, 10.42.0.0
  • host_whitelist = sabnzbd.cluster.mydomain, 10.42.0.0, 10.42.1.3
  • host_whitelist = sabnzbd.cluster.mydomain, 10.42.0.0, 10.42.1.3
  • host_whitelist = sabnzbd.cluster.mydomain, 10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16

But I get the error "Access denied - Hostname verification failed: redacted" in my browser every time.

From the logs:

Code:

2024-08-22 09:57:25,192::INFO::[notifier:157] Sending notification: Warning - Refused connection with hostname "sabnzbd.cluster.mydomain" from: ::ffff:10.42.1.3 (X-Forwarded-For: 10.42.0.0) [Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0] (type=warning, job_cat=None)
2024-08-22 09:57:25,192::WARNING::[interface:387] Refused connection with hostname "sabnzbd.cluster.mydomain" from: ::ffff:10.42.1.3 (X-Forwarded-For: 10.42.0.0) [Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0]
2024-08-22 09:57:26,282::WARNING::[interface:387] Refused connection with hostname "sabnzbd.cluster.mydomain" from: ::ffff:10.42.0.11 (X-Forwarded-For: 10.42.0.1) [Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0]
2024-08-22 09:57:27,254::WARNING::[interface:387] Refused connection with hostname "sabnzbd.cluster.mydomain" from: ::ffff:10.42.2.3 (X-Forwarded-For: 10.42.0.0) [Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0]
So you can see the hostname matches the whitelist, but the sender IP changes.

I sanitized my sabnzbd.ini file and tried to include it below, but since this is my first post, the forums said I cannot post links. So even though I didn't see any links in the file, it must interpret a setting as a link. I can post the .ini file someplace else (pastebin maybe?) if needed.

Re: Hostname Verification Fails w/ Correct Hostname in Whitelist

Posted: August 22nd, 2024, 11:25 am
by sander
host_whitelist: only the FQDN is needed. Did you restart sabnzbd? (That might be needed)


"Just add the host name or the full name (‘FQDN’) shown in the error message to host_whitelist in the Specials page of the Config. You can also edit the sabnzbd.ini directly. So, if you use for example http://sabnzbd.special.com:8080/ to access SABnzbd, then add sabnzbd.special.com to host_whitelist (separate multiple hostnames by a comma), or access SABnzbd directly through its IP address,"

Does it work if you use the IP address?

I don't think the proxy/forwarder matters, but let's keep that in mind.

Re: Hostname Verification Fails w/ Correct Hostname in Whitelist

Posted: August 22nd, 2024, 12:23 pm
by majorgear1
You probably missed my setting that I posted.
From the error message, it sees the hostname as "sabnzbd.cluster.mydomain"

Which is exactly what I had in my host whitelist setting posted above

host_whitelist = sabnzbd.cluster.mydomain

The source IP comes from a load balanced reverse proxy in my kubernetes cluster, so it can change. If I want to use an IP address, I would need to whitelist a subdomain like 10.0.0.0/8 for it to work. I tried that, but not by itself.

And yes, I restart sabnzbd after each edit. Note that I cannot access the Web interface since the only way in is through the proxy.

Re: Hostname Verification Fails w/ Correct Hostname in Whitelist

Posted: August 22nd, 2024, 1:01 pm
by majorgear1
I opened a shell into the container and its /config has a different sabnzbd.ini file than the config folder I told it to mount at "/config" does.

In fact, I deleted the .ini file from the mounted filesystem, and the container still has one.

So I think this is a container config issue, not a host_whitelist issue. I'll post the solution once I figure it out. It's weird because I'm on my 5th container migration, and the others have all worked as expected.

Re: Hostname Verification Fails w/ Correct Hostname in Whitelist

Posted: August 22nd, 2024, 1:08 pm
by majorgear1
I see what I did wrong, I've done this before. VolumeMounts is a list of volumes to mount, I duplicated a bit too much when creating the deployment manifest:

Code:

          volumeMounts:
            - name: sabnzbd-config-claim
              mountPath: /config
          volumeMounts:
            - name: sabnzbd-incomplete-claim
              mountPath: /incomplete
          volumeMounts:
            - name: sabnzbd-downloads-claim
              mountPath: /downloads
when it should be

Code:

          volumeMounts:
            - name: sabnzbd-config-claim
              mountPath: /config
            - name: sabnzbd-incomplete-claim
              mountPath: /incomplete
            - name: sabnzbd-downloads-claim
              mountPath: /downloads
For reference, the app automatically generated the .ini file with host w/l line:

Code:

root@sabnzbd-df9694867-7nfzn:/config# cat sabnzbd.ini | grep whitelist
host_whitelist = sabnzbd-df9694867-7nfzn,
I'll update my manifest file and mark this as solved (if possible)!
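
Added example, not part of the original post and not SABnzbd or Kubernetes code: a small pre-commit check that flags a mapping key repeated at the same level, which is the `volumeMounts` mistake shown above. A parser that keeps only the last occurrence of a repeated key would leave /downloads as the only mount, which matches /config not being mounted. The function name and the surrounding `containers:` wrapper are assumptions, and the check is an indentation heuristic for block-style YAML with unquoted keys, not a full YAML parser.

```python
import re

# Constructed sample: the broken container-spec fragment from the post above,
# wrapped in a minimal "containers:" list so the indentation is complete.
BROKEN = """\
containers:
  - name: sabnzbd
    volumeMounts:
      - name: sabnzbd-config-claim
        mountPath: /config
    volumeMounts:
      - name: sabnzbd-incomplete-claim
        mountPath: /incomplete
    volumeMounts:
      - name: sabnzbd-downloads-claim
        mountPath: /downloads
"""

# Indentation, optional "- " list markers, then a plain (unquoted) key.
KEY = re.compile(r"^( *)((?:- +)*)([\w./-]+):(?: |$)")

def duplicate_keys(text):
    """Return (line, key, first_line) for keys repeated inside one block mapping."""
    stack, dups = [], []              # stack of [key_column, {key: first_line}]
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY.match(line)
        if not m:                     # comments, scalars, continuation lines
            continue
        col = len(m.group(1)) + len(m.group(2))
        while stack and stack[-1][0] > col:
            stack.pop()               # we left a more deeply nested mapping
        if m.group(2) and stack and stack[-1][0] == col:
            stack.pop()               # "- key:" opens a new list item, so a new mapping
        if not stack or stack[-1][0] < col:
            stack.append([col, {}])
        seen, key = stack[-1][1], m.group(3)
        if key in seen:
            dups.append((no, key, seen[key]))
        else:
            seen[key] = no
    return dups

if __name__ == "__main__":
    for no, key, first in duplicate_keys(BROKEN):
        print(f"line {no}: duplicate key '{key}' (first seen on line {first})")
```

Run against the corrected manifest, where the three mounts are items of a single `volumeMounts` list, it reports nothing.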

Re: Hostname Verification Fails w/ Correct Hostname in Whitelist

Posted: August 22nd, 2024, 4:44 pm
by sander
> You probably missed my setting that I posted.

No, I did not.

Anyway:

About your misconfiguration:

Inside a docker (so also SABnzbd inside docker) you're able to deduce what is exposed, and what is not. I'm thinking about writing code in SABnzbd that detects if config.ini and complete are not on an exposed drive, and give a warning.
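
Added example, not part of the original post and not SABnzbd code: one way such a check could work on Linux, by reading `/proc/self/mountinfo` (format per proc(5)) and testing whether a path is served by the container's root filesystem instead of a separately mounted volume. The function names and the sample mount table are assumptions constructed for illustration.

```python
import posixpath

# Constructed /proc/self/mountinfo excerpt: /downloads and /incomplete are
# mounted volumes, /config was never mounted (the situation in this thread).
SAMPLE_MOUNTINFO = """\
1520 1310 0:210 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
1521 1520 0:213 / /proc rw,nosuid shared:5 - proc proc rw
1530 1520 8:17 /pvc-a/downloads /downloads rw,relatime - ext4 /dev/sdb1 rw
1531 1520 8:17 /pvc-b/incomplete /incomplete rw,relatime - ext4 /dev/sdb1 rw
"""

def parse_mountinfo(text):
    """Return [(mount_point, fs_type, source)] from mountinfo text."""
    mounts = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")   # " - " ends the optional fields
        if not sep:
            continue
        fields = left.split()
        fs_type, source = right.split()[:2]
        mount_point = fields[4].replace("\\040", " ")  # spaces are octal-escaped
        mounts.append((mount_point, fs_type, source))
    return mounts

def backing_mount(path, mounts):
    """Return the entry whose mount point is the longest prefix of path."""
    path = posixpath.normpath(path)
    best = None
    for entry in mounts:
        mp = entry[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best[0]):  # later mounts shadow earlier
                best = entry
    return best

def on_mounted_volume(path, mounts):
    """False when path is served by the root filesystem ("/")."""
    entry = backing_mount(path, mounts)
    return entry is not None and entry[0] != "/"

if __name__ == "__main__":
    table = parse_mountinfo(SAMPLE_MOUNTINFO)
    for p in ("/config/sabnzbd.ini", "/incomplete", "/downloads/job1"):
        print(p, "mounted volume" if on_mounted_volume(p, table) else "container root fs")
```

Inside a real container the input would be the contents of `/proc/self/mountinfo`; a tmpfs or emptyDir mount also counts as "mounted" here, so the check says nothing about whether the data survives a restart.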

Re: Hostname Verification Fails w/ Correct Hostname in Whitelist

Posted: August 22nd, 2024, 5:24 pm
by majorgear1
sander wrote: August 22nd, 2024, 4:44 pm
> > You probably missed my setting that I posted.
>
> No, I did not.
>
> Anyway:
>
> About your misconfiguration:
>
> Inside a docker (so also SABnzbd inside docker) you're able to deduce what is exposed, and what is not. I'm thinking about writing code in SABnzbd that detects if config.ini and complete are not on an exposed drive, and give a warning.

That could be useful. In my case, maybe a debug message "request denied by host (hostname) not in host_whitelist (whitelist contents)".

But really it was me being in a rush and not validating my manifest file before doing a commit&push to my gitops repo.

Re: Hostname Verification Fails w/ Correct Hostname in Whitelist

Posted: October 2nd, 2024, 2:08 am
by rogahna
> That could be useful. In my case, maybe a debug message "request denied by host (hostname) not in host_whitelist (whitelist contents)".
>
> But really it was me being in a rush and not validating my manifest file before doing a commit&push to my gitops repo.

Are there specific tools or scripts that can help automate this validation process?

Re: Hostname Verification Fails w/ Correct Hostname in Whitelist

Posted: October 2nd, 2024, 2:50 am
by safihre
How do you envision this?