[BUG] "denied access from blacklist: IP is in cached blacklist" but the IP is not in any blacklists #1677

Open
2 tasks done
Ablablab opened this issue Nov 10, 2024 · 5 comments
Labels
bug Something isn't working

Comments

@Ablablab

What happened?

Hello, thank you for the effort in this fantastic project!

I think that I found a bug, or I can't understand the source of the block.
I'm using bunkerweb with a multisite configuration, using one docker-compose file that points to different ip-port, and I have the blacklist feature enabled.
When I try to reach my webpage from my mobile phone using the carrier network I get a 403, and looking into the logs I see that my IP is in the cached blacklist and my access was denied. The problem is that the IP is not in the blacklist, nor in the cache of bunkerweb that I can access through the GUI in the cache section.

The IP is not personal; it is one of the IPs used by my carrier, so I can post it: 5.91.150.116
You can check, it's not in any lists at the moment and it is considered an Italian IP (I've enabled Country whitelist).

This is the cached blacklist ip file downloaded by gui:
blacklist.txt

How to reproduce?

You have to leave the default value on BLACKLIST_IP_URLS and USE_BLACKLIST.
After that you have to use the public IP 5.91.150.116.

The bunkerweb proxy will respond with a 403.

Configuration file(s) (yaml or .env)

Docker compose file:
```yaml
version: '3.5'

services:
  bunkerweb:
    restart: always
    image: bunkerity/bunkerweb:1.5.11
    ports:
      - 80:8080
      - 443:8443
    labels:
      - "bunkerweb.INSTANCE=yes"
    environment:
      - SERVER_NAME=***mysite***.dyndns.org bunkerweb.***mysite***.dyndns.org
      - MULTISITE=yes
      - LOG_LEVEL=notice
      - API_WHITELIST_IP=127.0.0.0/8 10.21.30.0/24
      - SEND_ANONYMOUS_REPORT=no
      # When set to yes, the Bad behavior feature will be enabled.
      - USE_BAD_BEHAVIOR=yes
      # List of HTTP status codes considered as suspicious
      - BAD_BEHAVIOR_STATUS_CODES=400 401 403 404 405 429 444
      # The duration time (in seconds) of a ban when a client reached the threshold
      - BAD_BEHAVIOR_BAN_TIME=3600
      # Maximum number of suspicious HTTP status codes within the time period
      - BAD_BEHAVIOR_THRESHOLD=60
      # Period of time where we count suspicious HTTP status codes
      - BAD_BEHAVIOR_COUNT_TIME=120

      - ***mysite***.dyndns.org_AUTO_LETS_ENCRYPT=yes
      - ***mysite***[email protected]
      - ***mysite***.dyndns.org_USE_LETS_ENCRYPT_STAGING=no
      - ***mysite***.dyndns.org_USE_REVERSE_PROXY=yes
      - ***mysite***.dyndns.org_REVERSE_PROXY_HOST=http://dashmachine:5000
      - ***mysite***.dyndns.org_REDIRECT_HTTP_TO_HTTPS=yes
      - ***mysite***.dyndns.org_WHITELIST_COUNTRY=IT


      - bunkerweb.***mysite***.dyndns.org_AUTO_LETS_ENCRYPT=yes
      - bunkerweb.***mysite***[email protected]
      - bunkerweb.***mysite***.dyndns.org_USE_LETS_ENCRYPT_STAGING=no
      - bunkerweb.***mysite***.dyndns.org_USE_UI=yes
      - bunkerweb.***mysite***.dyndns.org_USE_REVERSE_PROXY=yes
      - bunkerweb.***mysite***.dyndns.org_REVERSE_PROXY_HOST=http://bw-ui:7000
      - bunkerweb.***mysite***.dyndns.org_REDIRECT_HTTP_TO_HTTPS=yes
      - bunkerweb.***mysite***.dyndns.org_INTERCEPTED_ERROR_CODES=400 404 405 413 429 500 501 502 503 504
      - bunkerweb.***mysite***.dyndns.org_WHITELIST_IP=192.168.1.0/24 10.21.30.0/24
      - bunkerweb.***mysite***.dyndns.org_BLACKLIST_IP=0.0.0.0/0

    networks:
      - bw-universe
      - bw-services

  bw-scheduler:
    restart: always
    image: bunkerity/bunkerweb-scheduler:1.5.11
    depends_on:
      - bunkerweb
      - bw-docker
    volumes:
      - bw-data:/data
    environment:
      - DOCKER_HOST=tcp://bw-docker:2375
    networks:
      - bw-universe
      - bw-docker

  bw-docker:
    restart: always
    image: tecnativa/docker-socket-proxy:nightly
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      - CONTAINERS=1
      - LOG_LEVEL=warning
    networks:
      - bw-docker

  bw-ui:
    image: bunkerity/bunkerweb-ui:1.5.11
    restart: always
    depends_on:
      - bw-docker
    volumes:
      - bw-data:/data
    environment:
      - DOCKER_HOST=tcp://bw-docker:2375
      - ADMIN_USERNAME=zzzzzzzzzzzzzzzzzz
      - ADMIN_PASSWORD=zzzzzzzzzzzzzzzzzzzzz
    networks:
      - bw-universe
      - bw-docker

  dashmachine:
    image: rmountjoy/dashmachine:latest
    restart: always
    volumes:
      - /opt/services/dashmachine:/dashmachine/dashmachine/user_data
    networks:
      - bw-services

volumes:
  bw-data:
    #source: /opt/services/bunkerweb/bw-data
    #type: bind


networks:
  bw-universe:
    name: bw-universe
    ipam:
      driver: default
      config:
        - subnet: 10.21.30.0/24
  bw-services:
    name: bw-services
    #driver: bridge
  bw-docker:
    name: bw-docker
```

Relevant log output

The error from the log is:
```
bunkerweb_1     | 2024/11/10 21:47:34 [warn] 644#644: *1718 [ACCESS] denied access from blacklist : IP is in cached blacklist (info : ip), client: 5.91.150.116, server: ***mysite***.dyndns.org, request: "GET / HTTP/2.0", host: "***mysite***.home.dyndns.org"
bunkerweb_1     | ***mysite***.dyndns.org 5.91.150.116 - - [10/Nov/2024:21:47:34 +0000] "GET / HTTP/2.0" 403 184240 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36"
bunkerweb_1     | 2024/11/10 21:47:34 [notice] 644#644: *1719 [BADBEHAVIOR] increased counter for IP 5.91.150.116 (1/60), context: ngx.timer, client: 5.91.150.116, server: 0.0.0.0:8443
bunkerweb_1     | 2024/11/10 21:47:34 [notice] 644#644: signal 17 (SIGCHLD) received from 1288
bunkerweb_1     | 2024/11/10 21:47:34 [notice] 644#644: unknown process 1288 exited with code 0

bunkerweb_1     | 2024/11/10 21:47:34 [error] 644#644: *1720 [BUNKERNET] can't report IP : status code != 200, context: ngx.timer, client: 5.91.150.116, server: 0.0.0.0:8443
```

BunkerWeb version

1.5.11

What integration are you using?

Docker

Linux distribution (if applicable)

Ubuntu

Removed private data

  • I have removed all private data from the configuration file and the logs

Code of Conduct

  • I agree to follow this project's Code of Conduct
@Ablablab Ablablab added the bug Something isn't working label Nov 10, 2024
@TheophileDiot
Member

Hi @Ablablab, thank you for this issue. We'll have a look into it and let you know

@TheophileDiot
Member

Hi @Ablablab, I couldn't reproduce the issue you encountered. Is this still occurring?

@Ablablab
Author

> Hi @Ablablab, I couldn't reproduce the issue you encountered. Is this still occurring?

Yes, it's still present and I found it in another instance of bunkerweb (my father's home). I found that a lot of requests from my mobile phone carrier are blacklisted even if the public IP is not in the ban list.

@TheophileDiot
Member

Hi @Ablablab, by any chance isn't it related to DNSBL? Often phone carrier IPs are being flagged in DNSBL servers.
https://docs.bunkerweb.io/latest/security-tuning/#dnsbl

@Ablablab
Author

Ablablab commented Dec 3, 2024

How can I check it? Is it in the cached files in the bunkerweb GUI?
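One way to check which feature refused a request and whether an address is covered by a list entry, as an added example (not BunkerWeb code and not written by anyone in this thread): it parses the deny line from the log above, then tests the client IP against list entries as networks, because a text search for the literal address misses CIDR ranges. The entries are constructed samples, not the reporter's blacklist.txt; `0.0.0.0/0` is the `BLACKLIST_IP` value the compose file sets for the UI site and is included only as an assumption about what a list may contain. The function names are hypothetical and the regex is derived from the single deny line shown in this issue.

```python
import ipaddress
import re

# Deny line from the log in this issue (server name is the reporter's redaction).
DENY_LINE = ('2024/11/10 21:47:34 [warn] 644#644: *1718 [ACCESS] denied access from '
             'blacklist : IP is in cached blacklist (info : ip), client: 5.91.150.116, '
             'server: ***mysite***.dyndns.org, request: "GET / HTTP/2.0"')

# Constructed sample entries, NOT the reporter's blacklist.txt. The last one is
# the BLACKLIST_IP value from the compose file (assumption: a list may hold it).
SAMPLE_ENTRIES = ["# constructed sample", "203.0.113.7", "198.51.100.0/24",
                  "not-an-ip", "0.0.0.0/0"]

DENY_RE = re.compile(
    r"\[ACCESS\] denied access from (?P<source>\S+) : (?P<reason>.+?) "
    r"\(info : (?P<info>[^)]*)\), client: (?P<client>[0-9a-fA-F.:]+)")


def parse_deny(line):
    """Return the refusing feature, reason, info and client IP, or None."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def covering_entries(ip, entries):
    """Return every entry (single address or CIDR network) that contains ip."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for raw in entries:
        entry = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:                     # not an address or a network
            continue
        if net.version == addr.version and addr in net:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    deny = parse_deny(DENY_LINE)
    print("refused by:", deny["source"], "| reason:", deny["reason"])
    print("literal match:", deny["client"] in SAMPLE_ENTRIES)
    print("covering entries:", covering_entries(deny["client"], SAMPLE_ENTRIES))
```

Running `covering_entries` over the downloaded cache file's lines, one entry per line, shows whether a network entry matches the client IP even though the literal address is absent.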
