Peertube does not understand the proper public IP address #7

Closed
opened 2021-06-24 16:04:00 +00:00 by decentral1se · 6 comments
Owner

I am not sure this is an issue? It seems like it might be?

Member

That is odd, `trust_proxy` already contains the whole `10.0.0.0/8` block, see: https://git.autonomic.zone/coop-cloud/peertube/src/branch/main/compose.yml#L47

It looks like the `PEERTUBE_TRUST_PROXY` environment variable is not read or not taken into account.
Author
Owner

Thanks for looking at this. I see that it is still around in the codebase (via https://github.com/Chocobozzz/PeerTube/search?q=PEERTUBE_TRUST_PROXY) but I do remember having some issues with this. Is the `[...]` passed actually as a list to the config file? Maybe we should just hard code this in the file and not pass it via the env var?
Member

> Is the `[...]` passed actually as a list to the config file?

afaiu, it is passed as a string to the config file and it is then parsed as a JSON list further down. I'll try and debug it asap.

> Maybe we should just hard code this in the file and not pass it via the env var?

yeah, that would work, although I believe we should allow it to be overridden for anyone hosting behind a reverse proxy on the outside of the swarm.
Member

Ok, so I just tested this and it works fine on a fresh VM, `X-Forwarded-For` is interpreted correctly, which means `PEERTUBE_TRUST_PROXY` is read properly.

It must be that you're coming through docker-proxy, which operates as a TCP reverse proxy and thus cannot tell anything downstream about the client IP address.

In any case, peertube will only be able to get the client IP address if the client connects to traefik "directly" (without going through docker-proxy) which means in our case, using IPv4 and with traefik configured with TCP ports published in host-mode (called host mode networking in our traefik config).

I hope that doesn't make this even more confusing haha.
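Added example, not part of the thread and not PeerTube's own code: a small JavaScript model of how an `X-Forwarded-For` chain is resolved against a trusted-proxy list such as the `10.0.0.0/8` block discussed above, showing why a correctly read trust list still yields an internal address when the reverse proxy never saw the client's address. The function names and every sample address are assumptions constructed for the illustration; the walk is the common right-to-left trust evaluation and handles IPv4 only.

```javascript
// Added illustration: X-Forwarded-For resolution against a trusted-proxy list.
// IPv4 only; every address below is a constructed sample.

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// Build a predicate that reports whether an address is inside any trusted CIDR.
function makeTrust(cidrs) {
  const nets = cidrs.map((cidr) => {
    const [base, bits] = cidr.split('/');
    // JS shift counts wrap at 32, so a /0 mask is special-cased.
    const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
    return { net: (ipv4ToInt(base) & mask) >>> 0, mask };
  });
  return (ip) => nets.some(({ net, mask }) => ((ipv4ToInt(ip) & mask) >>> 0) === net);
}

// Walk from the TCP peer leftwards through X-Forwarded-For and return the
// first address that is not a trusted proxy (or the leftmost if all are).
function resolveClientIp(socketPeer, xForwardedFor, isTrusted) {
  const hops = (xForwardedFor || '')
    .split(',').map((s) => s.trim()).filter(Boolean).reverse();
  const chain = [socketPeer, ...hops];
  for (const addr of chain) {
    if (!isTrusted(addr)) return addr;
  }
  return chain[chain.length - 1];
}

// Trust list modelled on the thread: loopback plus the whole 10.0.0.0/8 block.
const isTrusted = makeTrust(['127.0.0.1/32', '10.0.0.0/8']);

// [label, TCP peer seen by the app, X-Forwarded-For header] (all constructed).
const scenarios = [
  ['proxy saw the real client (host-mode ports)', '10.0.1.5', '203.0.113.7'],
  ['proxy only saw an internal TCP hop', '10.0.1.5', '10.0.0.2'],
  ['client prepended a forged entry', '10.0.1.5', '198.51.100.9, 203.0.113.7'],
  ['peer is not a trusted proxy, header ignored', '192.0.2.50', '203.0.113.7'],
];

for (const [label, peer, xff] of scenarios) {
  console.log(`${label}: ${resolveClientIp(peer, xff, isTrusted)}`);
}
```

In the second scenario the trust list is applied correctly, yet the result is still an internal address, because the only address ever written into the header was that of the intermediate TCP hop.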
Author
Owner

Right yep, that makes sense! Thanks for testing it out. I was not using host mode networking in my setup. Should that be the recommended setup? As I see it from the warning given by Peertube, the consequences could be a pretty broken Peertube?

Member

> Should that be the recommended setup?

I think so, yeah (also for performance reasons and to have traefik reachable from IPv6)
Reference: coop-cloud/peertube#7