[GH-ISSUE #45] Registration with allowfrom set does not work? #15

Closed
opened 2026-03-13 15:21:40 +03:00 by kerem · 5 comments

Originally created by @MrBMT on GitHub (Mar 1, 2018).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/45

Unless I'm doing something really stupid here, I don't seem to be able to update domains when allowfrom has been set during registration.

I use ip addr to retrieve all the CIDR ranges assigned to my server, then register as follows:

root@london ~ curl -s -X POST http://auth.mydnsdomain.co.uk:8080/register \
--data '{"allowfrom": ["127.0.0.1/8", "::1/128", "139.XXX.XXX.153/24", "192.XXX.XXX.197/17", "2a01:XXXX::XXXX:XXXX:XXXX:923d/64", "fe80::XXXX:XXXX:XXXX:923d/64"]}' | python -m json.tool
{
    "allowfrom": [
        "127.0.0.1/8",
        "::1/128",
        "139.XXX.XXX.153/24",
        "192.XXX.XXX.197/17",
        "2a01:XXXX::XXXX:XXXX:XXXX:923d/64",
        "fe80::XXXX:XXXX:XXXX:923d/64"
    ],
    "fulldomain": "1937e870-d239-4cb2-99b2-d1979c2608e3.auth.mydnsdomain.co.uk",
    "password": "54mt4yLIRJZIXiK161jZghvuIxFz09Tj1sZY_vpZ",
    "subdomain": "1937d870-d239-4cb2-99b2-d1979q2608a3",
    "username": "p0624f07-b4a7-4d61-8d28-4f7e63621952"
}

Note: IP addresses have been partially replaced with XXX/XXXX, the real values however are used for the commands.

I then attempt to update that sub-domain:

root@london ~ curl -s -X POST http://auth.mydnsdomain.co.uk:8080/update \
-H "X-Api-User: p0624f07-b4a7-4d61-8d28-4f7e63621952" \
-H "X-Api-Key: 54mt4yLIRJZIXiK161jZghvuIxFz09Tj1sZY_vpZ" \
--data '{"subdomain": "1937d870-d239-4cb2-99b2-d1979q2608a3", "txt": "___validation_token_recieved_from_the_ca___"}' | python -m json.tool
{
    "error": "forbidden"
}

However the update fails. acme-dns displays the following:

DEBU[1269] Created new user                              user=p0624f07-b4a7-4d61-8d28-4f7e63621952
ERRO[1542] Update not allowed from IP                    error=ip_unauthorized

If I register without setting allowfrom, everything works fine:

curl -s -X POST http://auth.mydnsdomain.co.uk:8080/register | python -m json.tool
{
    "allowfrom": [],
    "fulldomain": "ad53ddb7-38ad-42fd-9d65-854769764df0.auth.mydnsdomain.co.uk",
    "password": "rqSI-YHVf12jfw-FgkQzJrhyUJ_rU9E4_37WP_6h",
    "subdomain": "ab53ddb7-38ad-42fd-9d65-854769764da0",
    "username": "945b3pf0-cc24-4008-9c99-270b13534d4q"
}

curl -s -X POST http://auth.mydnsdomain.co.uk:8080/update \
-H "X-Api-User: 945b3pf0-cc24-4008-9c99-270b13534d4q" \
-H "X-Api-Key: rqSI-YHVf12jfw-FgkQzJrhyUJ_rU9E4_37WP_6h" \
--data '{"subdomain": "ab53ddb7-38ad-42fd-9d65-854769764da0", "txt": "___validation_token_recieved_from_the_ca___"}' | python -m json.tool
{
    "txt": "___validation_token_recieved_from_the_ca___"
}

Am I missing something here, or is it broken?

kerem 2026-03-13 15:21:40 +03:00
  • closed this issue
  • added the bug label

@joohoi commented on GitHub (Mar 1, 2018):

All I can think of is using a reverse proxy in front of acme-dns and / or the corresponding configuration values of:

# use HTTP header to get the client ip
use_header = false
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"

For debugging reasons I think adding the IP address that we're matching against would be beneficial to have in the error message.


@MrBMT commented on GitHub (Mar 1, 2018):

Thanks for the quick reply!

# use HTTP header to get the client ip
use_header = false
# header name to pull the ip address / list of ip addresses from
header_name = "X-Forwarded-For"

Is how my configuration is currently set, I also tried switching use_header to true, but then quickly realised you could do something like this to bypass it, which completely defeats the point of enabling it in the first place:

curl -s -X POST http://auth.mydnsdomain.co.uk:8080/update -H "X-Forwarded-For: 127.0.0.1" -H "X-Api-User: p0624f07-b4a7-4d61-8d28-4f7e63621952" -H "X-Api-Key: 54mt4yLIRJZIXiK161jZghvuIxFz09Tj1sZY_vpZ" --data '{"subdomain": "1937d870-d239-4cb2-99b2-d1979q2608a3", "txt": "___validation_token_recieved_from_the_ca___"}' | python -m json.tool
{
    "txt": "___validation_token_recieved_from_the_ca___"
}

As you mentioned, putting a reverse proxy in front of it then setting the config that way is a potential workaround however.

I agree, having the IP address you're matching against in the debug message would definitely be very beneficial here.

Thanks for the work you've put in to this project by the way!


@joohoi commented on GitHub (Mar 1, 2018):

I just added logging for the IP address being matched in #46. It's now available in the master branch. This should help us to debug your issue.


@MrBMT commented on GitHub (Mar 1, 2018):

Awesome, thank you!

I just tried running the same request again, both on the server locally and from an external permitted location, and it seems the IP isn't being retrieved:

DEBU[0042] Checking if update is permitted from IP       ip="<nil>"
ERRO[0042] Update not allowed from IP                    error=ip_unauthorized
DEBU[0071] Checking if update is permitted from IP       ip="<nil>"
ERRO[0071] Update not allowed from IP                    error=ip_unauthorized

I'd assumed that when use_header was set to false it would use the IP address that the POST request was sent from, but is this perhaps not the case?

Cheers


@joohoi commented on GitHub (Mar 1, 2018):

This seems to be a bug indeed. acme-dns is supposed to use the request.RemoteAddr if use_header = false. I'll fix it in the coming days.

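The two problems raised in this thread, the allowfrom check seeing ip="<nil>" with use_header = false, and the X-Forwarded-For header being trivially forgeable with use_header = true, come down to how the client address is derived before it is matched against the registered CIDR list. The following is an added example written for this page, not acme-dns code: the helper names clientIP, updatePermitted and parseCIDRs, the trusted-proxy list, and the sample addresses are all assumptions. It splits the host out of request.RemoteAddr (which Go fills in as host:port, so parsing it whole yields nil), and when a header is used it walks the forwarding chain from the right, skipping only hops that are configured trusted proxies, so a header sent directly by an untrusted client is ignored.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ErrNoClientIP is returned when no usable address can be determined; in the
// thread this is the ip="<nil>" seen in the debug log.
var ErrNoClientIP = errors.New("no usable client ip")

// parseCIDRs converts allowfrom-style entries into networks. Host bits in an
// entry such as "127.0.0.1/8" are masked off by net.ParseCIDR.
func parseCIDRs(entries []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(entries))
	for _, e := range entries {
		_, n, err := net.ParseCIDR(strings.TrimSpace(e))
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func ipInNets(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP picks the address an update is judged by (hypothetical helper).
// useHeader=false: only r.RemoteAddr ("host:port") is used, so split it first.
// useHeader=true: the header is honoured only behind a trusted proxy; walking
// the chain from the right and skipping trusted hops makes a forged header
// from an untrusted peer irrelevant.
func clientIP(r *http.Request, useHeader bool, headerName string, trustedProxies []*net.IPNet) (net.IP, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr // no port component present
	}
	peer := net.ParseIP(strings.Trim(host, "[]"))
	if peer == nil {
		return nil, ErrNoClientIP
	}
	if !useHeader {
		return peer, nil
	}
	var chain []net.IP // "client, proxy1, ..., peer"
	for _, v := range r.Header.Values(headerName) {
		for _, part := range strings.Split(v, ",") {
			if ip := net.ParseIP(strings.TrimSpace(part)); ip != nil {
				chain = append(chain, ip)
			}
		}
	}
	chain = append(chain, peer)
	for i := len(chain) - 1; i >= 0; i-- {
		if !ipInNets(chain[i], trustedProxies) {
			return chain[i], nil
		}
	}
	return peer, nil // every hop is a trusted proxy
}

// updatePermitted applies the registration's allowfrom list; an empty list
// permits updates from anywhere, matching the registration without allowfrom.
func updatePermitted(ip net.IP, allowfrom []string) (bool, error) {
	if len(allowfrom) == 0 {
		return true, nil
	}
	nets, err := parseCIDRs(allowfrom)
	if err != nil {
		return false, err
	}
	return ipInNets(ip, nets), nil
}

func main() {
	allow := []string{"127.0.0.1/8", "::1/128", "192.0.2.197/24"} // constructed sample
	proxies, _ := parseCIDRs([]string{"10.0.0.1/32"})              // assumed reverse proxy
	cases := []struct {
		remote, xff string
		useHeader   bool
	}{
		{"192.0.2.197:51234", "", false},          // direct client inside allowfrom
		{"198.51.100.9:44000", "127.0.0.1", true}, // forged header from untrusted peer
		{"10.0.0.1:3000", "192.0.2.197", true},    // real client behind trusted proxy
	}
	for _, c := range cases {
		r := &http.Request{RemoteAddr: c.remote, Header: http.Header{}}
		if c.xff != "" {
			r.Header.Set("X-Forwarded-For", c.xff)
		}
		ip, err := clientIP(r, c.useHeader, "X-Forwarded-For", proxies)
		if err != nil {
			fmt.Println(c.remote, "->", err)
			continue
		}
		ok, _ := updatePermitted(ip, allow)
		fmt.Printf("%s use_header=%v -> ip=%s permitted=%v\n", c.remote, c.useHeader, ip, ok)
	}
}
```

The rightmost-untrusted walk is deliberate: taking the leftmost X-Forwarded-For value would let a client that sends its own header, which most proxies merely append to, choose the address that gets matched against allowfrom.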