coolaj86
/
acme.js-ARCHIVED
2
1
派生 0
代码 工单 4 合并请求 3 版本发布 动态

ACME.challengeTests connects with the external domain and ip address - won't work behind secure routers #32

创建工单
开启中
由 Ghost 于 2020-08-24 04:30:36 +00:00 打开 · 2 评论
Ghost 评论于 2020-08-24 04:30:36 +00:00
复制链接

There should be a way to pass the localhost as the host to test.
What happens when loopback is not enabled in the router, is that the whole greenlock-cli fails due to the test emitting an ECONNREFUSED.
And in most cases loopback should not be enabled in the router as it's a security hole allowing an attacker to spoof the packet's source.

There should be a way to pass the localhost as the host to test. What happens when loopback is not enabled in the router, is that the whole greenlock-cli fails due to the test emitting an ECONNREFUSED. And in most cases loopback should not be enabled in the router as it's a security hole allowing an attacker to spoof the packet's source.
coolaj86 评论于 2020-09-21 18:40:59 +00:00
管理员
复制链接

You've got a compound problem there.

Either the router should be properly configured with hairpinning, or it should be properly configured without hairpinning. It should not be half configured.

  • Without hairpinning the request should work just the same as any other request - it goes out to external DNS servers, gets the external IP, makes a request out to the external IP that comes back in through the NAT of the router.

  • With proper hairpinning the request should be rewritten by the router and turned back on itself.

That said, you can update /etc/hosts to get the localhost behavior that you desire... it just defeats the purpose of the test, which is to check that an outside source can properly get inside.

You've got a compound problem there. Either the router should be properly configured with hairpinning, or it should be properly configured without hairpinning. It should not be _half_ configured. - Without hairpinning the request should work just the same as any other request - it goes out to external DNS servers, gets the external IP, makes a request out to the external IP that comes back in through the NAT of the router. - With proper hairpinning the request should be rewritten by the router and turned back on itself. That said, you can update `/etc/hosts` to get the localhost behavior that you desire... it just defeats the purpose of the test, which is to check that an outside source can properly get inside.
Ghost 评论于 2020-09-22 04:53:10 +00:00
作者
复制链接

Well, the point of “hairpinning” is to create a loopback that will circumvent the problem that occurs without it.
And without it, the packets that are meant for the machines behind the NAT are received by the router with the inbound ip being a local ip. Any secure enough router will drop those- as it can easily be an attack.

There’s a specific vulnerability that my CSP pointed me to, in order to convince me not to set this up- this is something unpublished yet. Should probably be published soon. And it looked bad enough to convince me anyone could fool the router by crafting the packets with simple tools.

Now in some configurations it may be complicated or undesired to modify hosts for this purpose. That’s why I think a flag in the configuration to toggle this off will be great!

Also it’s common to use external tools in order to check for external ip address, external access etc. As internal access != external access.

I think that for the very least- it should not fail on this check, but throw a warning that will be used for diagnostics if the whole process fails.

Well, the point of “hairpinning” is to create a loopback that will circumvent the problem that occurs without it. And without it, the packets that are meant for the machines behind the NAT are received by the router with the inbound ip being a local ip. Any secure enough router will drop those- as it can *easily* be an attack. There’s a specific vulnerability that my CSP pointed me to, in order to convince me not to set this up- this is something unpublished yet. Should probably be published soon. And it looked bad enough to convince me anyone could fool the router by crafting the packets with simple tools. Now in some configurations it may be complicated or undesired to modify `hosts` for this purpose. That’s why I think a flag in the configuration to toggle this off will be great! Also it’s common to use *external* tools in order to check for external ip address, external access etc. As internal access != external access. I think that for the very least- it should not **fail** on this check, but throw a warning that will be used for diagnostics if the whole process fails.
登录 并参与到对话中。
分支/标记未指定
分支列表 标签列表
master
v3
v1
wip-v3
browser-v2
errors
v2
skip-valid-challenge
v3.0.10
v3.0.9
v3.0.8
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.2
v3.0.1
v1.8.6
v1.8.5
v1.8.4
v1.8.2
v1.8.1
v1.8.0
v1.7.7
v1.7.6
v1.7.5
v1.7.3
v1.7.2
v1.7.1
v1.6.0
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.3.1
v1.3.0
v1.2.1
v1.2.0
v1.1.1
v1.1.0
v1.0.9
v1.0.8
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v0.6.2
v0.6.1
v0.6.0
v0.0.2
标签
清除选中标签
无可选项
未选择标签
里程碑
取消选中里程碑
无可选项
未选择里程碑
指派成员
取消指派成员
未指派成员
2 名参与者
通知
到期时间
到期日期无效或超出范围。请使用 'yyyy-mm-dd' 格式。

未设置到期时间。

依赖工单

没有设置依赖项。

参考:coolaj86/acme.js-ARCHIVED#32
没有提供说明。
删除分支 %!s(<nil>)

删除分支是永久的。虽然已删除的分支在实际被删除前有可能会短时间存在,但这在大多数情况下无法撤销。是否继续?