public IP wget/curl dumps html into shell #694
Comments
Is it still happening right now? What is your server's ISP? |
yes, happening right now. ISP is super specific and only serves the one small city, so I'm not willing to divulge that this openly. FQDN is daviddaily.dev |
the following all return the correct public IP:
|
Well, with that FQDN you did reveal the specific ISP, I guess. The AS has 6400 originated IPv4 so you probably shouldn't worry too much, but it's irrelevant, I only wanted to know if it was a big ISP. Okay, about your issue:
|
Yeah, it did, but there's a bit more effort involved there than just reading it here. result of
Accessing https://www.akamai.com/ from Replacing it did solve the issue. Just thought you might want to be aware that it doesn't always work. |
Yeah, your ISP is probably intercepting that request, So I'll not change the service, but thanks for the report anyway. |
sounds good, have a great day! |
Hello, I have the same issue. In my case, it dumps the HTML of localhost (local running Apache2 web server, default web page is shown) in the shell. I can confirm because if I stop Apache2, no HTML will be dumped. I guess it tries to connect to my public IP/hostname or something with curl and thus dumps the HTML of my web server? I verified that there was no dumping when using the script from commit 1c79a96 (last known version that does not dump contents). So, some change between then and now causes dumping. Additional info: My hostname is in Thanks. |
@sindastra please provide the output of the following command (run it from your server): If possible, please also let me know which internet provider is that server connected to. This is very likely an issue with the server network. |
- Fix #694: added sanitization during the public IP address configuration and switch to AWS checkip since the Akamai service doesn't support HTTPS.
- Add validation to cover an unlikely case where: server is behind NAT, checkip service is unreachable and user doesn't provide input when asked for the public IP address or hostname.
- Other small improvements not worth describing in detail.
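One way to do the kind of sanitization the commit message above mentions, as an added example that is not the project's own code: accept the checkip response only when the whole body is a single IPv4 address, so an HTML error page or a captive response is discarded rather than used as the server address. The function names and sample responses are constructed for illustration, and the service URL is left to the caller.

```shell
#!/bin/sh
# Added example: accept a checkip response only if it is a bare IPv4 address.

# is_ipv4 STRING: succeeds only for a dotted quad with each octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*.|*[!0-9.]*) return 1 ;;  # empty, trailing dot, or any char besides digits/dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split into octets (input holds only digits and dots)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac   # empty or longer than 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# sanitize_checkip BODY: print the address if BODY is one, otherwise print nothing and fail.
sanitize_checkip() {
    # Drop CRs; command substitution drops the trailing newline. Embedded newlines remain
    # and make a multi-line body fail validation.
    body=$(printf '%s' "$1" | tr -d '\r')
    is_ipv4 "$body" || return 1
    printf '%s\n' "$body"
}

# fetch_public_ip URL: same wget/curl fallback as the issue's one-liner, plus timeouts
# and validation. URL is supplied by the caller (no service is hard-coded here).
fetch_public_ip() {
    raw=$(wget -T 10 -t 1 -4qO- "$1" || curl -m 10 -4Ls "$1") || return 1
    sanitize_checkip "$raw"
}

# Constructed sample responses (not captured from any real service).
SAMPLE_OK=$(printf '203.0.113.7\r')
SAMPLE_HTML='<html><head><title>503 Service Unavailable</title></head>
<body><h1>Service Unavailable</h1></body></html>'

for sample in "$SAMPLE_OK" "$SAMPLE_HTML" "10.0.0.256" "192.0.2.1."; do
    if ip=$(sanitize_checkip "$sample"); then
        echo "accepted: $ip"
    else
        echo "rejected response; fall back to asking the operator"
    fi
done
```

Validation only shows that the response has the shape of an address; over plain HTTP a proxy or resolver in the path can still return a well-formed but wrong one, so the operator should be shown the detected value and allowed to override it.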
Hello, I investigated this now and found that you were right that it is indeed a network issue! I run my own DNS servers which incorporate filter lists. In one of them ( On a side-note |
First of all, thanks for the detailed report. Considering this is the default behavior in a popular piece of software, it was a good idea to drop the Akamai service. I however didn't consider a new issue yesterday which I inadvertently introduced: working over HTTPS, the new checkip service will not work in systems where the It is a simple issue, but our requirements for a checkip service are not that easy:
I'll see this afternoon if I can reach a middle ground, probably a different service can be used over HTTP. |
🔐 About using HTTPS: I agree that it's not needed since it just returns the IP, which is already "public information" as the request happens. The only argument could be to avoid manipulation or redirects (for example an HTTP proxy in between). 🤔 While I do believe CentOS, Debian and Ubuntu should have ca-certificates, chances are that Debian and CentOS minimal do not. However, I do not know. But you could probably check if it's included in default installations. ↪️ About using another service: If you don't mind doing a bit of parsing, have you seen 📜 The official documentation is here https://help.dyn.com/remote-access-api/checkip-tool/ 👎 I never liked that their response is wrapped in HTML. It's madness in my opinion. 😆 |
Yes, because chances of a proxy are smaller compared to my other worries, like certificate validation failing.
Doesn't matter, there are other situations like OpenVZ templates and custom images from cloud providers. The package is just not there anyway.
See? They will trust whatever gets passed to them instead of printing the real remote address. This is commonplace in many services and maybe I should stop caring about it, but it is not right and the administrators of those very popular services seem to be unwilling to fix their load balancers which are causing this issue. |
✅ OK, I found one that does not use HTML and does not care about the 📜 Documentation: https://www.noip.com/integrate/ip-detection |
That is an excellent find which satisfies all of our requirements. Thank you! |
- Fix Nyr#694: added sanitization during the public IP address configuration and switch to AWS checkip since the Akamai service doesn't support HTTPS.
- Add validation to cover an unlikely case where: server is behind NAT, checkip service is unreachable and user doesn't provide input when asked for the public IP address or hostname.
- Other small improvements not worth describing in detail.
get_public_ip=$(wget -4qO- "http://whatismyip.akamai.com/" || curl -4Ls "http://whatismyip.akamai.com/")
https://github.com/Nyr/openvpn-install/blob/master/openvpn-install.sh#L233
This dumps 503 unavailable HTML into the shell: https://asciinema.org/a/288522