facebookarchive/doh-proxy

doh-httpproxy inside docker container: aiohttp_remotes.exceptions.UntrustedIP

Closed this issue · 2 comments

Hi! I'd like to use doh-httpproxy as a docker container. My docker file looks like this.

FROM python:latest

RUN apt-get update \
	&& apt-get -y upgrade \
	&& apt-get -y install dnsutils \
	&& apt-get -y install git \
#	&& pip3 install doh-proxy \
	&& pip3 install git+https://github.com/facebookexperimental/doh-proxy.git

EXPOSE 9000

ENTRYPOINT [ "doh-httpproxy", "--upstream-resolver=8.8.8.8", "--port", "9000", "--listen-address", "0.0.0.0" ]

  • Build with: docker build . --tag doh
  • Run with: docker run -p 127.0.0.1:9000:9000 -it doh

In front of that I have a Nginx Reverse Proxy with HTTPS. If I now test this with doh-stub, I get the following error from doh-httpproxy.

root@doh01 /home/doh # docker run -p 127.0.0.1:9000:9000 -it doh
======== Running on http://0.0.0.0:9000 ========
(Press CTRL+C to quit)
--- Logging error ---
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aiohttp_remotes/x_forwarded.py", line 96, in middleware
    ip = remote_ip(self._trusted, ips)
  File "/usr/local/lib/python3.7/site-packages/aiohttp_remotes/utils.py", line 54, in remote_ip
    check_ip(tr, ip)
  File "/usr/local/lib/python3.7/site-packages/aiohttp_remotes/utils.py", line 67, in check_ip
    raise UntrustedIP(ip, trusted)
aiohttp_remotes.exceptions.UntrustedIP: (IPv4Address('172.17.0.1'), [IPv6Address('::1'), IPv4Address('127.0.0.1')])

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/logging/__init__.py", line 983, in emit
    msg = self.format(record)
  File "/usr/local/lib/python3.7/logging/__init__.py", line 829, in format
    return fmt.format(record)
  File "/usr/local/lib/python3.7/logging/__init__.py", line 569, in format
    record.message = record.getMessage()
  File "/usr/local/lib/python3.7/logging/__init__.py", line 331, in getMessage
    msg = msg % self.args
KeyError: 'expected'
Call stack:
  File "/usr/local/bin/doh-httpproxy", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/dohproxy/httpproxy.py", line 152, in main
    app, host=args.listen_address, port=args.port, ssl_context=ssl_context)
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web.py", line 120, in run_app
    loop.run_forever()
  File "/usr/local/lib/python3.7/asyncio/base_events.py", line 523, in run_forever
    self._run_once()
  File "/usr/local/lib/python3.7/asyncio/base_events.py", line 1758, in _run_once
    handle._run()
  File "/usr/local/lib/python3.7/asyncio/events.py", line 88, in _run
    self._context.run(self._callback, *self._args)
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 390, in start
    resp = await self._request_handler(request)
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_app.py", line 366, in _handle
    resp = await handler(request)
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_middlewares.py", line 106, in impl
    return await handler(request)
  File "/usr/local/lib/python3.7/site-packages/aiohttp_remotes/x_forwarded.py", line 114, in middleware
    exc.log(request)
  File "/usr/local/lib/python3.7/site-packages/aiohttp_remotes/exceptions.py", line 94, in log
    logger.error(msg, context, extra=extra)
Message: 'Untrusted IP: %(ip)s, trusted: %(expected)s'
Arguments: {'ip': IPv4Address('172.17.0.1'), 'trusted': [IPv6Address('::1'), IPv4Address('127.0.0.1')]}
--- Logging error ---
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aiohttp_remotes/x_forwarded.py", line 96, in middleware
    ip = remote_ip(self._trusted, ips)
  File "/usr/local/lib/python3.7/site-packages/aiohttp_remotes/utils.py", line 54, in remote_ip
    check_ip(tr, ip)
  File "/usr/local/lib/python3.7/site-packages/aiohttp_remotes/utils.py", line 67, in check_ip
    raise UntrustedIP(ip, trusted)
aiohttp_remotes.exceptions.UntrustedIP: (IPv4Address('172.17.0.1'), [IPv6Address('::1'), IPv4Address('127.0.0.1')])

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/logging/__init__.py", line 983, in emit
    msg = self.format(record)
  File "/usr/local/lib/python3.7/logging/__init__.py", line 829, in format
    return fmt.format(record)
  File "/usr/local/lib/python3.7/logging/__init__.py", line 569, in format
    record.message = record.getMessage()
  File "/usr/local/lib/python3.7/logging/__init__.py", line 331, in getMessage
    msg = msg % self.args
KeyError: 'expected'
Call stack:
  File "/usr/local/bin/doh-httpproxy", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.7/site-packages/dohproxy/httpproxy.py", line 152, in main
    app, host=args.listen_address, port=args.port, ssl_context=ssl_context)
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web.py", line 120, in run_app
    loop.run_forever()
  File "/usr/local/lib/python3.7/asyncio/base_events.py", line 523, in run_forever
    self._run_once()
  File "/usr/local/lib/python3.7/asyncio/base_events.py", line 1758, in _run_once
    handle._run()
  File "/usr/local/lib/python3.7/asyncio/events.py", line 88, in _run
    self._context.run(self._callback, *self._args)
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 390, in start
    resp = await self._request_handler(request)
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_app.py", line 366, in _handle
    resp = await handler(request)
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_middlewares.py", line 106, in impl
    return await handler(request)
  File "/usr/local/lib/python3.7/site-packages/aiohttp_remotes/x_forwarded.py", line 114, in middleware
    exc.log(request)
  File "/usr/local/lib/python3.7/site-packages/aiohttp_remotes/exceptions.py", line 95, in log
    logger.error(msg, context, extra=extra)
Message: 'Untrusted IP: %(ip)s, trusted: %(expected)s'
Arguments: {'ip': IPv4Address('172.17.0.1'), 'trusted': [IPv6Address('::1'), IPv4Address('127.0.0.1')]}

I am not good at Python, but the following seems to be important to me:

aiohttp_remotes.exceptions.UntrustedIP: (IPv4Address('172.17.0.1'), [IPv6Address('::1'), IPv4Address('127.0.0.1')])

AIOHTTP only allows requests from localhost.

Is this a bug in doh-httpproxy or a configuration error of mine?

From the doh-httpproxy -h help page:

 --trusted [TRUSTED [TRUSTED ...]]
                       Trusted reverse proxy list separated by space ['::1',
                       '127.0.0.1']. If you do not want to add a trusted
                       trusted reverse proxy, just specify this flag with
                       empty parameters.

From your error message, I would guess the incoming query from your reverse proxy is 172.17.0.1. You should whitelist it.

Oops, thanks!
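The trust decision discussed in this thread, as an added example that is not part of the original issue and is not code from doh-proxy or aiohttp_remotes: a simplified model of a trusted-proxy check, showing why the peer 172.17.0.1 is rejected with the default list and what changes once it is listed. The names `client_ip` and `UntrustedPeer` are hypothetical, and 203.0.113.7 and 10.9.9.9 are constructed sample addresses.

```python
import ipaddress

# Default trusted list shown in the doh-httpproxy help text on this page.
DEFAULT_TRUSTED = ["::1", "127.0.0.1"]


class UntrustedPeer(Exception):
    """The TCP peer is not an approved reverse proxy (hypothetical name)."""


def _networks(trusted):
    # Accept single addresses or CIDR ranges.
    return [ipaddress.ip_network(t, strict=False) for t in trusted]


def _is_trusted(addr, nets):
    return any(addr.version == n.version and addr in n for n in nets)


def client_ip(peer, x_forwarded_for, trusted):
    """Return the client address to believe for one request.

    peer: source address of the TCP connection as the backend sees it.
    x_forwarded_for: raw header value, or None.
    trusted: addresses/CIDRs of reverse proxies allowed to set the header.
    """
    nets = _networks(trusted)
    peer_addr = ipaddress.ip_address(peer)
    if not _is_trusted(peer_addr, nets):
        # Header came from an unapproved hop: reject instead of believing it.
        raise UntrustedPeer(f"{peer_addr} not in {trusted}")
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our proxies;
    # anything left of the first untrusted address is client-controlled.
    for hop in reversed(hops):
        addr = ipaddress.ip_address(hop)
        if not _is_trusted(addr, nets):
            return str(addr)
    return str(peer_addr)
```

Listing only the exact proxy address keeps the header meaningful: any other peer that sends X-Forwarded-For is still rejected, and entries a client prepends to the header are never returned.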