Unable to Access Teku REST API from Local Network Client #8567
Comments
|
Hey - thanks for raising this, we'll take a look and see if we can reproduce it... |
|
This got interesting. I ended up talking to the software team creating the HTTP server we use, because it seemed at odds with documented behaviour. Technically, we referenced the http context context also has The logic is also more limited perhaps than it seems. While we do allow '*' to allow literally from any IP, we don't use it as a mask, so After my change, you'll at least be able to specify that 192.168.1.11 can call to the server on 192.68.1.12, so that's a great improvement, but for subnet filtering like you'd find in firewalls, i'd suggest using your hosts firewall in preference to this relatively simple allow list that we've provided. In the short term, you could potentially allow '*' and then control actual access via firewall rules, this is the only real workaround I have to offer... |
it appears that at least in currently documented behaviour that we were filtering on server address not client address, which made it hard to reason about. fixes Consensys#8567 Signed-off-by: Paul Harris <paul.harris@consensys.net>
No - it should be the server address; that is correct. The clue is in
It is exactly the intent. The rest API host allowlist is for protection against DNS rebinding attacks. You need to list any hostnames and IP addresses that your Teku node is known by on the network, so CIDR and In this specific case, @HannesZ should use something like since ETA: If I recall correctly, this protection can be switched off by using |
|
Yes, that works. Thanks also for the clarification! |
|
hrm ok - I stand corrected! Thanks @benjaminion ! I'll close the PR. |
|
Might be a good time to improve the docs for this. The Besu equivalent docs are equally as bad. |
Description
I am attempting to use the Teku REST API from a machine within my local network but different from the one running the Teku client. By default, the REST API access is restricted, so I have been trying to configure the Teku settings to allow access from within the local network.
Steps to Reproduce (Bug)
Setup details:
--rest-api-enabled=true
ufw status for port 5051 is allowed on the Teku machine
I can successfully ping from the client machine to the Teku machine and back
--rest-api-host-allowlist=* (This works, but it exposes the API globally, which I want to avoid)
Attempted configuration (preferred solution):
teku --rest-api-enabled=true \ --rest-api-interface=0.0.0.0 \ --rest-api-port=5051 \ --rest-api-host-allowlist=192.168.1.*,localhost,127.0.0.1Additional attempts (all unsuccessful):
--rest-api-host-allowlist=192.168.1.0/24,localhost,127.0.0.1--rest-api-host-allowlist=192.168.1.111,localhost,127.0.0.1(allowing only the specific client machine)--rest-api-host-allowlist=my_host,localhost,127.0.0.1(wheremy_hostis the result ofhostnameon the client machine)Expected behavior:
Get a result when running the following (or similar) on the client machine:
curl http://192.168.1.112:5051/eth/v1/beacon/states/head/validators?status=pending_queuedActual behavior:
These configuration run without any errors, but from the client machine, I receive the following error when trying to access the API:
{ "title": "Host not authorized", "status": 403, "type": "https://javalin.io/documentation#forbiddenresponse", "details": {} }Versions
24.8.0Ubuntu 24.04 LTSThe text was updated successfully, but these errors were encountered: