REST interface returning 403 with "Host not permitted" #3340

Open
nc-williambr opened this issue Dec 9, 2024 · 19 comments

@nc-williambr

Building from scratch using Alpine Linux 3.21 as a base. When attempting to access the web UI, I get a 403 error and the text "Host not permitted". The web UI does not appear to log anything. Any help in debugging this?

@nc-williambr
Author

nc-williambr commented Dec 9, 2024

FWIW, my Dockerfile follows:

```dockerfile
FROM alpine:3.21

ENV OXIDIZED_HOME=/etc/oxidized
ENV PATH="/usr/local/bin:${PATH}"
ENV GEMSPATH=/usr/lib/ruby/gems/3.3.0
ENV OXIDIZED_VERSION=0.31.0

RUN set -eux; \
  apk --update add --no-cache \
    ruby \
    ruby-rugged \
    ruby-dev \
    g++ \
    cmake \
    make \
    openssl-dev \
    libssh2 \
    icu-dev \
    icu-libs \
    zlib-dev \
    msmtp \
    bash \
    git \
    linux-headers \
  ; \
  apk upgrade; \
  gem install -V --no-document --no-wrappers --conservative --minimal-deps \
    oxidized \
    oxidized-web \
  ; \
  apk del \
    ruby-dev \
    g++ \
    cmake \
    make \
    openssl-dev \
    icu-dev \
    zlib-dev \
    linux-headers \
  ; \
  mkdir $OXIDIZED_HOME; \
  ln -s $GEMSPATH/gems/oxidized-$OXIDIZED_VERSION/extra/oxidized-report-git-commits /usr/bin/oxidized-report-git-commits; \
  find $GEMSPATH/cache -mindepth 1 -delete

# Default oxidized-web port
EXPOSE 8888

CMD ["oxidized"]

# https://github.com/opencontainers/image-spec/blob/master/annotations.md
LABEL org.opencontainers.image.authors="Will Brickles" \
      org.opencontainers.image.title="oxidized" \
      org.opencontainers.image.description="software to backup network switch configurations" \
      org.opencontainers.image.version="${OXIDIZED_VERSION}"
```

@pierre-guillot

Hi,

I have the same problem with my Debian install.
I just updated my Oxidized setup, which works behind lighttpd.

Interesting thing: I can connect to the interface directly from the server with this command: `lynx 127.0.0.1:8888`.

The listen port of puma can be changed by modifying this file: /var/lib/gems/3.1.0/gems/oxidized-0.31.0/lib/oxidized/config.rb

@ydeKKgroup

Hi,

Same behaviour. I can access the IP:Port of the server directly, but when I use a reverse proxy in front of the service I get a 403 from the puma web server.

It seems to be related to the use of a reverse proxy; maybe some headers are missing?

Any help would be great.

@justorsil

Hi,
Same issue with a fresh install on Debian 12.
I can access the IP:Port directly, but access doesn't work via the FQDN: "Host not permitted".

  • oxidized (0.31.0, 0.26.3)
  • oxidized-script (0.6.0)
  • oxidized-web (0.14.0)
  • puma (6.4.3)

Thanks a lot

@robertcheramy
Collaborator

Please post the rest_api part of your config file.
It should be `rest: 0.0.0.0:8888`.

@nc-williambr
Author

nc-williambr commented Dec 18, 2024

Confirmed:

```yaml
rest: 0.0.0.0:8888
```

As others have mentioned, I am also using a reverse proxy (nginx) in front of my install to add TLS support and authentication.

Based on the other comments, it appears to be some issue when forwarding from any reverse proxy, as I see people mentioning lighttpd, puma, and nginx.

@robertcheramy
Collaborator

I've just tested nginx (debian bookworm) + official oxidized container (running with podman) + basic authentication (Oxidized-web v.0.14.0, Oxidized v.0.31.0), and it works fine.

I suppose that you have a configuration problem on your proxy.

My nginx code:

```nginx
location /node/ {
    auth_basic "Restricted Area";
    auth_basic_user_file .htpasswd;
    proxy_pass http://127.0.0.1:8888;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

@chris240189

> Building from scratch using Alpine Linux 3.21 as a base. When attempting to access the web UI, I get a 403 error and the text "Host not permitted". The web UI does not appear to log anything. Any help in debugging this?

I did an upgrade of ubuntu from a working 22.04 to 24.04 with the exact same issue. You are not alone in this.

@xpiety

xpiety commented Dec 20, 2024

Same here, upgrade to ubuntu 24.04 and now "Host not permitted".

@scarygary

For anyone else trying to get oxidized running on Ubuntu 24.04 through a reverse proxy. Here's my workaround.

Edit the file /var/lib/gems/3.2.0/gems/oxidized-web-0.14.0/lib/oxidized/web/webapp.rb and add the line

```ruby
set :host_authorization, { permitted_hosts: [] }
```

right below the existing line that says

```ruby
set :haml, { escape_html: false }
```

Save the file and restart oxidized and you should be good to go.

@pierre-guillot

Confirmed that this works on Debian: I edited the file /var/lib/gems/3.1.0/gems/oxidized-web-0.14.0/lib/oxidized/web/webapp.rb like this:

[screenshot: Oxidized-3340]

Thanks for the solution 👍

@nc-williambr
Author

Adding:

```ruby
set :host_authorization, { permitted_hosts: [] }
```

worked for me as well. Thanks @scarygary! Any idea what triggered this?

@scarygary

> Adding:
>
> `set :host_authorization, { permitted_hosts: [] }`
>
> worked for me as well. Thanks @scarygary! Any idea what triggered this?

Not exactly sure, since I'm not a coder. The web application/api in Oxidized is built using Sinatra and that in turn is using Rack::Protection to protect against typical web attacks. Somewhere along the way I guess an update started requiring a list of allowed hosts. The line I added allows all hosts to connect and since I'm using a reverse proxy to add tls and authentication I really don't see this as a security issue. Besides, the interface is only available locally anyway.

You can find info on Sinatra as well as Rack::Protection at https://github.com/sinatra/

@nc-williambr
Author

I added an issue in ytti/oxidized-web to hopefully get this added there.

@robertcheramy
Collaborator

I am still not able to reproduce :-(

Can someone test starting oxidized with APP_ENV=production oxidized (or set the env variable APP_ENV=production)? This should solve the problem.

@robertcheramy
Collaborator

After a few hours spent on this issue, I still cannot reproduce it. I will not work on it until I am provided with information which permits me to reproduce:

  • how oxidized was installed (exact instructions how to install, not only "installed on debian"). If using a custom Dockerfile, please provide a working one (the Dockerfile above produces an error).
  • oxidized configuration file
  • how oxidized is accessed (directly on localhost with a browser, or from another host or through a proxy), including the exact URL used
  • when a proxy is used, which proxy, how it was installed and the configuration of the proxy, IP addresses, DNS names and ports used.

@robertcheramy robertcheramy added the incomplete issue This issue is incomplete. Read docs/Issues.md label Jan 14, 2025
etc referenced this issue in gma/nesta Jan 15, 2025
@athompson-merlin

@robertcheramy in my environment (Ubuntu 24.04.1 LTS, 100% by-the-book install with `rest: 127.0.0.1:8888` changed to `rest: 0.0.0.0:8080`), what makes the difference is accessing it from a browser using an IP address vs. using a hostname.
If I navigate to http://10.252.2.115:8080/ everything works fine. If I use any hostname at all that resolves to that IP, e.g. http://oxidized.mbnw:8080, then I get the 403 "host not permitted" error.

The key difference is the new handling of Host: HTTP headers in Sinatra (and a few other web frameworks). FWIW, I've run into this in multiple apps, not just Oxidized. Huge PITA when it's not internet-facing and you don't WANT that kind of protection.

@athompson-merlin

@robertcheramy Yes, setting APP_ENV=production appears to resolve (or bypass) the issue. That's an adequate workaround for now, but it's a bit bizarre - my understanding of how the web frameworks work is that this should CAUSE the problem, not solve it!
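The thread's observations (IP address accepted, hostname rejected, `permitted_hosts: []` accepting everything) can be reproduced offline with a small Rack-style middleware. The following is an added example written for this discussion; it is not code from Oxidized, Sinatra or rack-protection, but a plain-Ruby re-implementation of the permitted-hosts check with the semantics described above: an empty list allows every host, otherwise the request's `Host` (which, behind the nginx block above, is whatever `proxy_set_header Host $http_host` forwards) must match an exact name, a dot-prefixed suffix, or an IP range. `DEV_LIKE_DEFAULTS` is an assumption modelled on a development-mode default (loopback names plus any literal IP, no arbitrary hostnames), not copied from any framework, and `oxidized.example.net` is a constructed hostname.

```ruby
require "ipaddr"

# Re-implementation (not rack-protection's own code) of a permitted-hosts check.
# Entries in permitted_hosts:
#   "oxidized.mbnw"   exact hostname match (case-insensitive)
#   ".localhost"      leading dot: matches "localhost" and any subdomain of it
#   IPAddr            matches literal IP addresses inside that range
# An empty list disables the check entirely (what `permitted_hosts: []` does).
class HostAuthorization
  def initialize(app, permitted_hosts: [])
    @app = app
    @permitted_hosts = permitted_hosts
  end

  def call(env)
    host = strip_port(env["HTTP_HOST"].to_s)
    if permitted?(host)
      @app.call(env)
    else
      [403, { "content-type" => "text/plain" }, ["Host not permitted"]]
    end
  end

  def permitted?(host)
    return true if @permitted_hosts.empty?
    @permitted_hosts.any? { |entry| matches?(entry, host) }
  end

  private

  # "example:8080" -> "example"; "[::1]:8888" -> "[::1]"
  def strip_port(host)
    return host[/\A\[[^\]]*\]/] if host.start_with?("[")
    host.split(":", 2).first.to_s
  end

  def matches?(entry, host)
    case entry
    when IPAddr
      ip = IPAddr.new(host.delete("[]")) rescue nil   # non-IP hostnames never match an IP range
      !ip.nil? && ip.family == entry.family && entry.include?(ip)
    when String
      if entry.start_with?(".")
        host.casecmp?(entry[1..]) || host.downcase.end_with?(entry.downcase)
      else
        host.casecmp?(entry)
      end
    else
      false
    end
  end
end

# Constructed sample Host headers, mirroring how people in the thread reached the UI.
SAMPLE_HOSTS = {
  "127.0.0.1:8888"       => "lynx on the server itself",
  "10.252.2.115:8080"    => "browser by IP address",
  "oxidized.mbnw:8080"   => "browser by hostname",
  "oxidized.example.net" => "Host forwarded by a reverse proxy (constructed name)"
}.freeze

# Assumed development-style default: loopback names and any literal IP, no other hostnames.
DEV_LIKE_DEFAULTS = [".localhost", IPAddr.new("0.0.0.0/0"), IPAddr.new("::/0")].freeze

APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }

# HTTP status the middleware returns for one Host header under a given allow-list.
def status_for(permitted_hosts, host)
  HostAuthorization.new(APP, permitted_hosts: permitted_hosts)
                   .call({ "HTTP_HOST" => host }).first
end

# Status for every sample host: { "Host header" => 200 or 403 }.
def report(permitted_hosts)
  SAMPLE_HOSTS.keys.to_h { |h| [h, status_for(permitted_hosts, h)] }
end

if $PROGRAM_NAME == __FILE__
  puts "dev-like defaults:   #{report(DEV_LIKE_DEFAULTS)}"
  puts "permitted_hosts: []: #{report([])}"
  puts "explicit allow-list: #{report(['oxidized.mbnw', 'oxidized.example.net'])}"
end
```

Under the dev-like defaults the IP-based requests get 200 while both hostnames get 403, which is exactly the split athompson-merlin describes; `[]` turns the check off for everyone; the third run shows the alternative to switching it off, namely listing the hostnames the proxy actually forwards, so a request carrying an unexpected `Host` is still refused.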

@michaeljbailey

> After a few hours spent on this issue, I still cannot reproduce it. I will not work on it until I am provided with information which permits me to reproduce:
>
> • how oxidized was installed (exact instructions how to install, not only "installed on debian"). If using a custom Dockerfile, please provide a working one (the Dockerfile above produces an error).
> • oxidized configuration file
> • how oxidized is accessed (directly on localhost with a browser, or from another host or through a proxy), including the exact URL used
> • when a proxy is used, which proxy, how it was installed and the configuration of the proxy, IP addresses, DNS names and ports used.

I am not yet in a position where I can easily upload the repro (I promise I will with a gist! I just got this working while I was labbing it on my cell phone)

Long story short: I took the original Dockerfile from this repo, retargeted it against Debian 13 with S6 Overlay as the service manager.

The rest of the Dockerfile file is "functionally identical", just reorganized to minimize intermediate build layers (I'll toss a PR here later for the team to consider).

The biggest differences are two things:

  • I'm using Debian 13 as the base image
  • I had to switch from ruby-net-ftp to libruby3.3 since the former is now a virtual package under the latter.

I'll try to work back and apply those (2) changes against the original Dockerfile to confirm my layer-minimizing changes didn't induce it.

Either that, or I'll just dump my build environment up here for you to try to repro.

@robertcheramy robertcheramy added bug and removed incomplete issue This issue is incomplete. Read docs/Issues.md labels Feb 4, 2025