Labels Milestones

New Issue

ACME.challengeTests connects with the external domain and ip address - won't work behind secure routers #32

Open

by Ghost opened 4 years ago · 2 comments

Ghost commented 4 years ago

There should be a way to pass the localhost as the host to test.
What happens when loopback is not enabled in the router, is that the whole greenlock-cli fails due to the test emitting an ECONNREFUSED.
And in most cases loopback should not be enabled in the router as it's a security hole allowing an attacker to spoof the packet's source.

There should be a way to pass the localhost as the host to test. What happens when loopback is not enabled in the router, is that the whole greenlock-cli fails due to the test emitting an ECONNREFUSED. And in most cases loopback should not be enabled in the router as it's a security hole allowing an attacker to spoof the packet's source.

coolaj86 commented 4 years ago

Owner

You've got a compound problem there.

Either the router should be properly configured with hairpinning, or it should be properly configured without hairpinning. It should not be half configured.

• Without hairpinning the request should work just the same as any other request - it goes out to external DNS servers, gets the external IP, makes a request out to the external IP that comes back in through the NAT of the router.

• With proper hairpinning the request should be rewritten by the router and turned back on itself.

That said, you can update /etc/hosts to get the localhost behavior that you desire... it just defeats the purpose of the test, which is to check that an outside source can properly get inside.

You've got a compound problem there. Either the router should be properly configured with hairpinning, or it should be properly configured without hairpinning. It should not be _half_ configured. - Without hairpinning the request should work just the same as any other request - it goes out to external DNS servers, gets the external IP, makes a request out to the external IP that comes back in through the NAT of the router. - With proper hairpinning the request should be rewritten by the router and turned back on itself. That said, you can update `/etc/hosts` to get the localhost behavior that you desire... it just defeats the purpose of the test, which is to check that an outside source can properly get inside.

Ghost commented 4 years ago

Well, the point of “hairpinning” is to create a loopback that will circumvent the problem that occurs without it.
And without it, the packets that are meant for the machines behind the NAT are received by the router with the inbound ip being a local ip. Any secure enough router will drop those- as it can easily be an attack.

There’s a specific vulnerability that my CSP pointed me to, in order to convince me not to set this up- this is something unpublished yet. Should probably be published soon. And it looked bad enough to convince me anyone could fool the router by crafting the packets with simple tools.

Now in some configurations it may be complicated or undesired to modify hosts for this purpose. That’s why I think a flag in the configuration to toggle this off will be great!

Also it’s common to use external tools in order to check for external ip address, external access etc. As internal access != external access.

I think that for the very least- it should not fail on this check, but throw a warning that will be used for diagnostics if the whole process fails.

Well, the point of “hairpinning” is to create a loopback that will circumvent the problem that occurs without it. And without it, the packets that are meant for the machines behind the NAT are received by the router with the inbound ip being a local ip. Any secure enough router will drop those- as it can *easily* be an attack. There’s a specific vulnerability that my CSP pointed me to, in order to convince me not to set this up- this is something unpublished yet. Should probably be published soon. And it looked bad enough to convince me anyone could fool the router by crafting the packets with simple tools. Now in some configurations it may be complicated or undesired to modify `hosts` for this purpose. That’s why I think a flag in the configuration to toggle this off will be great! Also it’s common to use *external* tools in order to check for external ip address, external access etc. As internal access != external access. I think that for the very least- it should not **fail** on this check, but throw a warning that will be used for diagnostics if the whole process fails.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

browser-v2

errors

master

skip-valid-challenge

v1

v2

v3

wip-v3

v0.0.2

v0.6.0

v0.6.1

v0.6.2

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.0.5

v1.0.6

v1.0.7

v1.0.8

v1.0.9

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.3.0

v1.3.1

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.6.0

v1.7.1

v1.7.2

v1.7.3

v1.7.5

v1.7.6

v1.7.7

v1.8.0

v1.8.1

v1.8.2

v1.8.4

v1.8.5

v1.8.6

v3.0.1

v3.0.10

v3.0.2

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

Labels

Apply labels

Clear labels

No items

No Label

Milestone

Set milestone

Clear milestone

No items

No Milestone

Assignees

Assign users

Clear assignees

No Assignees

2 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Write Preview

Loading…

Cancel

Save

There is no content yet.