pact-foundation/pact_broker

PactBroker::App -- attack prevented by Rack::Protection::IPSpoofing

yhimg opened this issue · 9 comments

yhimg commented

Pre issue-raising checklist

I have already (please mark the applicable with an x):

  • [x] Upgraded to the latest Pact Broker OR
  • [x] Checked the CHANGELOG to see if the issue I am about to raise has been fixed
  • [x] Created an executable example that demonstrates the issue using either a:
    • Dockerfile
    • Git repository with a Travis or Appveyor (or similar) build

Software versions

  • pact-broker docker version: pact-broker-2.105.0.1

Expected behaviour

Able to access the Pact Broker successfully

Actual behaviour

Getting Forbidden while accessing Pact Broker with specified warning

Steps to reproduce

I have used the local docker image of pact-broker and configured it at port 80, and everything is working fine.
But now, when I deployed the same image on the org-hosted staging environment, I am getting an IPSpoofing warning and every pact-broker URL is returning Forbidden, even for GET requests.

Even the heartbeat URL is returning Forbidden.

ERROR: W [18:puma srv tp 001] PactBroker::App -- attack prevented by Rack::Protection::IPSpoofing

nginx config:
PACT_BROKER_BASE_URL: https://org-env-stage-url/cdc-pactbroker/
PACT_BROKER_PORT: 80
PACT_BROKER_PUBLIC_HEARTBEAT : true
targetPort: 80
port: 80

In the logs I can see that the Pact Broker is successfully deployed and connected to the DB. But due to this error I am getting Forbidden for all URLs.

Relevant log files

PactBroker::App -- Configuring Rack::Protection -- {:logger=>#<SemanticLogger::Logger:0x00007faf1530a220 @filter=nil, @name="PactBroker::App", @level_index=nil, @Level=nil>, :except=>[:path_traversal, :remote_token, :session_hijacking, :http_origin]}
PactBroker::App -- Mounting HAL browser
PactBroker::App -- Mounting UI
PactBroker::App -- Configuring Rack::Protection -- {:logger=>#<SemanticLogger::Logger:0x00007faf1530a220 @filter=nil, @name="PactBroker::App", @level_index=nil, @Level=nil>, :except=>[:path_traversal, :remote_token, :session_hijacking, :http_origin]}
PactBroker::App -- Mounting HAL browser
PactBroker::App -- Mounting UI
PactBroker::App -- Configuring Rack::Protection -- {:logger=>#<SemanticLogger::Logger:0x00007faf1530a220 @filter=nil, @name="PactBroker::App", @level_index=nil, @Level=nil>, :except=>[:path_traversal, :remote_token, :session_hijacking, :http_origin]}
PactBroker::App -- Mounting HAL browser
PactBroker::App -- Mounting UI
PactBroker::App -- Mounting PactBroker::API
PactBroker::App -- Mounting PactBroker::API
PactBroker::App -- Mounting PactBroker::API
PactBroker::App -- Configuring Rack::Protection -- {:logger=>#<SemanticLogger::Logger:0x00007faf1530a220 @filter=nil, @name="PactBroker::App", @level_index=nil, @Level=nil>, :except=>[:path_traversal, :remote_token, :session_hijacking, :http_origin]}
PactBroker::App -- Mounting HAL browser
PactBroker::App -- Mounting UI
PactBroker::App -- Mounting PactBroker::API
PactBroker::App -- attack prevented by Rack::Protection::IPSpoofing
PactBroker::App -- attack prevented by Rack::Protection::IPSpoofing
PactBroker::App -- attack prevented by Rack::Protection::IPSpoofing
PactBroker::App -- attack prevented by Rack::Protection::IPSpoofing
PactBroker::App -- attack prevented by Rack::Protection::IPSpoofing


Have a look at #571

yhimg commented

@bethesque
Oh thanks, will try this today. Not sure how I missed this issue. Today I was going to try the X-Forwarded-For headers configuration to resolve this. Now I'll also try turning off rack protection.
Will update the result here.

Thanks!

I'd recommend only disabling the IP spoofing protection. Keep as much of Rack::Protection as possible.

But you should be able to configure your headers to fix the issue.
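To see why a proxied deployment trips this check, here is an added example (not code from the Pact Broker project) that re-implements the decision Rack::Protection::IPSpoofing makes, following its published `accepts?` logic, and runs it over a few constructed header sets; the helper names and sample addresses are assumptions made for this example.

```ruby
# Added example: a stand-alone re-implementation of the check that
# Rack::Protection::IPSpoofing applies (based on its published accepts?
# logic), so a deployment's proxy headers can be checked offline.
# ip_spoofing_accepts?/diagnose are names chosen for this example.

# Rack env keys are the CGI-style header names: X-Forwarded-For becomes
# HTTP_X_FORWARDED_FOR, Client-IP becomes HTTP_CLIENT_IP, and so on.
def ip_spoofing_accepts?(env)
  return true unless env.include?('HTTP_X_FORWARDED_FOR')
  # X-Forwarded-For is a comma-separated chain: client, proxy1, proxy2, ...
  ips = env['HTTP_X_FORWARDED_FOR'].split(/\s*,\s*/)
  # If Client-IP or X-Real-IP is also present, it must be one of the
  # addresses in the chain; otherwise the middleware reports spoofing.
  return false if env.include?('HTTP_CLIENT_IP') && !ips.include?(env['HTTP_CLIENT_IP'])
  return false if env.include?('HTTP_X_REAL_IP') && !ips.include?(env['HTTP_X_REAL_IP'])
  true
end

# Returns :accepted or :forbidden plus a one-line reason, mirroring the
# "attack prevented by Rack::Protection::IPSpoofing" log line.
def diagnose(env)
  if ip_spoofing_accepts?(env)
    [:accepted, 'headers are consistent']
  else
    xff = env['HTTP_X_FORWARDED_FOR']
    other = env['HTTP_CLIENT_IP'] || env['HTTP_X_REAL_IP']
    [:forbidden, "#{other.inspect} is not in X-Forwarded-For #{xff.inspect}"]
  end
end

# Constructed sample header sets (not captured from a real deployment).
SAMPLE_ENVS = {
  # Direct access, no proxy headers: always accepted.
  'local docker' => { 'REMOTE_ADDR' => '127.0.0.1' },
  # Proxy sets both headers consistently: accepted.
  'consistent proxy' => { 'HTTP_X_FORWARDED_FOR' => '203.0.113.10, 10.0.0.5',
                          'HTTP_X_REAL_IP' => '203.0.113.10' },
  # A hop rewrites X-Real-IP to an address missing from the chain: forbidden.
  'inconsistent hops' => { 'HTTP_X_FORWARDED_FOR' => '203.0.113.10',
                           'HTTP_X_REAL_IP' => '10.0.0.5' },
}

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ENVS.each { |name, env| puts "#{name}: #{diagnose(env).join(' - ')}" }
end
```

Comparing the headers your load balancer actually sends against this check shows whether the right fix is to make the hops consistent or, as a last resort, to exclude only :ip_spoofing from the protection list.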

yhimg commented

@bethesque Thanks, I got it working and am able to check the heartbeat successfully just by disabling IPSpoofing.
Now I am not able to publish the pacts to the broker. I am getting this error:

Expected a HAL+JSON response from the pact broker, but got a response with no '_links'. URL: 'https://base-url/pact-broker/', LINK: 'pb:publish-pact'

I think now I have to work on the X-Forwarded headers. Or is this issue related to something else?

Have you followed these instructions?

https://docs.pact.io/pact_broker/configuration/features#running-the-broker-behind-a-reverse-proxy

Also, what is the PACT_BROKER_BASE_URL env var set to for your Pact Broker?

yhimg commented

@bethesque PACT_BROKER_BASE_URL is set to https://org-base-url/cdc-pactbroker. Also, we are not using nginx or any reverse proxy, which is why I am not adding these headers. So I am still not sure how I can resolve this?

yhimg commented

@bethesque Also one thing to add:
If I try to publish the pact via Postman/cURL:

curl --location --request PUT 'https://org-base-url/cdc-pactbroker/pacts/provider/provider-name/consumer/consumer-name/version/version-SNAPSHOT' \
  --header 'Content-Type: application/json' \
  --data-binary '@/Users/path-to-pact/target/pacts/consumer-service-provider-service.json'

I am not able to do the same publish via the Maven plugin:

<plugin>
  <groupId>au.com.dius.pact.provider</groupId>
  <artifactId>maven</artifactId>
  <version>4.1.0</version>
  <configuration>
    <pactDirectory>target/pacts</pactDirectory>
    <pactBrokerUrl>https://org-base-url/cdc-pactbroker/</pactBrokerUrl>
    <serviceProviders>
      <provider>provider-service</provider>
    </serviceProviders>
  </configuration>
</plugin>

error:
Expected a HAL+JSON response from the pact broker, but got a response with no '_links'. URL: 'https://org-base-url/pact-broker/', LINK: 'pb:publish-pact'

yhimg commented

@bethesque It's resolved. I think I was using the Maven plugin wrong.
Closing this issue. Thanks for the help!!