
OpenLiteSpeed 1.8.2 Virtual Host ACL lists not working correctly #439

Open
hnougher opened this issue Feb 1, 2025 · 4 comments

Comments

@hnougher

hnougher commented Feb 1, 2025

I upgraded OpenLiteSpeed using Debian apt today, which has arrived at 1.8.2.
All of this was working perfectly before the update.

What I am observing is that the IP Address Allow and Deny lists are now having unexpected results.

  • IPs in the allow list are blocked by the deny list "ALL". Removing the value in deny allows the requests again.
  • Somehow, removing my own IP from the allow list still allows requests from my IP, but removing all entries from allow list blocks my IP.

My configuration for the ACL.
Allow list - Allowing my IP (replaced with x.x.x.x) and all Cloudflare IPs.
x.x.x.xT, y.y.y.yT, 173.245.48.0/20, 103.21.244.0/22, 103.22.200.0/22, 103.31.4.0/22, 141.101.64.0/18, 108.162.192.0/18, 190.93.240.0/20, 188.114.96.0/20, 197.234.240.0/22, 198.41.128.0/17, 162.158.0.0/1, 104.16.0.0/13, 104.24.0.0/14, 172.64.0.0/13, 131.0.72.0/22
Denied List
ALL

Additional: This is in the logs when I try accessing from Cloudflare, which is definitely covered by the entries "108.162.192.0/18" and "172.64.0.0/13".
2025-02-01 21:14:11.582732 | INFO | [1914618] [108.162.250.168:43610] [ACL] Access to virtual host [my.url] is denied.
2025-02-01 21:18:36.388820 | INFO | [1914618] [172.69.60.144:65358] [ACL] Access to virtual host [my.url] is denied.
2025-02-01 21:18:39.197265 | INFO | [1914618] [172.69.60.144:65358] [ACL] Access to virtual host [my.url] is denied.

Thanks

@litespeedtech
Owner

You need to explicitly set config Use Client IP in Header to No to get the old behavior.
In 1.8.2, the default has been changed from No to Trusted IP only. CloudFlare IP addresses are trusted automatically, so the server has updated REMOTE_ADDR to use the IP in the request header and checks that against the ACL.
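
As an added illustration of what the maintainer describes (this is not OpenLiteSpeed's own code), the Python below models the ACL decision under the three Use Client IP in Header settings and checks the [ACL] log lines from the report against the allow list. Assumptions made for the model: an allow-list match takes precedence over the deny list; the first X-Forwarded-For address is the original client; only the two Cloudflare ranges cited in the report are modelled as automatically trusted; 203.0.113.10 stands in for the reporter's x.x.x.x entry and 198.51.100.7 is a constructed visitor address. The lint function is an extra check of my own for ACL entries whose prefix length leaves host bits set.

```python
"""Model of how a per-virtual-host ACL interacts with the "Use Client IP in
Header" setting, plus a check of the [ACL] log lines from the issue.

Added example, not OpenLiteSpeed code. Assumptions are marked below."""
import ipaddress
import re

# ACL denial lines quoted from the issue report.
SAMPLE_LOG = """\
2025-02-01 21:14:11.582732 | INFO | [1914618] [108.162.250.168:43610] [ACL] Access to virtual host [my.url] is denied.
2025-02-01 21:18:36.388820 | INFO | [1914618] [172.69.60.144:65358] [ACL] Access to virtual host [my.url] is denied.
2025-02-01 21:18:39.197265 | INFO | [1914618] [172.69.60.144:65358] [ACL] Access to virtual host [my.url] is denied.
"""

# Constructed stand-in for the reporter's x.x.x.xT entry (203.0.113.0/24 is a
# documentation range) plus the two Cloudflare ranges the report cites.
ALLOW = "203.0.113.10T, 108.162.192.0/18, 172.64.0.0/13"
DENY = "ALL"
# The maintainer says Cloudflare ranges are trusted automatically; only the
# two cited ranges are modelled here (assumption: the full list is larger).
CLOUDFLARE = [ipaddress.ip_network("108.162.192.0/18"),
              ipaddress.ip_network("172.64.0.0/13")]

LOG_RE = re.compile(
    r"\[(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\] \[ACL\] "
    r"Access to virtual host \[(?P<vhost>[^\]]+)\] is denied")


def parse_acl_denials(log_text):
    """Return (connection_ip, vhost) for every ACL denial in the log."""
    return [(m.group("ip"), m.group("vhost")) for m in LOG_RE.finditer(log_text)]


def parse_acl_list(text):
    """Parse a comma-separated ACL list: IPs or CIDRs, a trailing 'T' marks a
    trusted entry, and ALL means every address. Returns (networks, trusted)."""
    nets, trusted = [], []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.upper() == "ALL":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            continue
        is_trusted = item.endswith("T")
        net = ipaddress.ip_network(item[:-1] if is_trusted else item)
        nets.append(net)
        if is_trusted:
            trusted.append(net)
    return nets, trusted


def acl_problems(text):
    """Lint an ACL list: entries that are not valid addresses or networks
    (e.g. a prefix length that leaves host bits set) are reported instead of
    being silently accepted."""
    problems = []
    for raw in text.split(","):
        item = raw.strip()
        if not item or item.upper() == "ALL":
            continue
        if item.endswith("T"):
            item = item[:-1]
        try:
            ipaddress.ip_network(item, strict=True)
        except ValueError as err:
            problems.append((raw.strip(), str(err)))
    return problems


def effective_client_ip(conn_ip, forwarded_for, trusted, mode):
    """Address the ACL is checked against.
    mode 'no': always the TCP peer. mode 'trusted': the header address only
    when the peer is in a trusted network (the 1.8.2 default, per the
    maintainer). mode 'yes': the header address whenever one is present.
    Assumption: the first X-Forwarded-For address is the original client."""
    peer = ipaddress.ip_address(conn_ip)
    if mode == "no" or not forwarded_for:
        return peer
    if mode == "trusted" and not any(peer in net for net in trusted):
        return peer
    return ipaddress.ip_address(forwarded_for.split(",")[0].strip())


def acl_allows(ip, allow, deny):
    """Assumed order: an allow-list match wins, then a deny-list match denies,
    otherwise the request is allowed."""
    if any(ip in net for net in allow):
        return True
    return not any(ip in net for net in deny)


def simulate(conn_ip, forwarded_for, mode, allow_text, deny_text, auto_trusted=()):
    """Return (effective_ip, allowed) for one request under the given settings."""
    allow, trusted = parse_acl_list(allow_text)
    deny, _ = parse_acl_list(deny_text)
    ip = effective_client_ip(conn_ip, forwarded_for, trusted + list(auto_trusted), mode)
    return str(ip), acl_allows(ip, allow, deny)


def denials_inside_allow(log_text, allow_text):
    """For each logged denial, whether the logged peer IP is covered by the
    allow list. True means the ACL was evaluated against some other address
    (the header IP), which is what the maintainer describes."""
    allow, _ = parse_acl_list(allow_text)
    return [(ip, any(ipaddress.ip_address(ip) in net for net in allow))
            for ip, _vhost in parse_acl_denials(log_text)]


if __name__ == "__main__":
    print(denials_inside_allow(SAMPLE_LOG, ALLOW))
    # Cloudflare peer carrying a constructed visitor address in X-Forwarded-For:
    print(simulate("172.69.60.144", "198.51.100.7", "trusted", ALLOW, DENY, CLOUDFLARE))
    print(simulate("172.69.60.144", "198.51.100.7", "no", ALLOW, DENY, CLOUDFLARE))
    print(acl_problems("162.158.0.0/1, 104.16.0.0/13"))
```

Under the modelled 'trusted' mode, a connection from a Cloudflare address is judged by the visitor address carried in the header, which is not in the allow list, so "ALL" in the deny list wins; with the setting at "No" the Cloudflare peer address is used and the request passes. A peer that is not trusted cannot substitute its own header address, which is the reason the 'trusted' mode exists.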

@hnougher
Author

hnougher commented Feb 8, 2025

Thanks for the guidance.
As you say, setting OpenLiteSpeed WebAdmin Console > Server Configuration > General Settings to "No" does solve the CloudFlare issue to how it used to work.
It might be worth having the ACL log entry indicate "what" is blocked, given it was the header IP instead of the CloudFlare IP.

However, this has not solved the strange case where removing my own IP from the list still allows access. This is not via CloudFlare, but direct.

Thanks

@litespeedtech
Owner

Assuming that you use curl to access your site from your IP, you need to override the DNS lookup result for your domain name, either with the curl command line option --resolve or via /etc/hosts; otherwise, you still go through CloudFlare.

@hnougher
Author

hnougher commented Feb 8, 2025

I am using Firefox, and test using an entirely different domain name that is not via CloudFlare.
i.e. live.url.au vs test.vm.hosting.provider
Further, when I bring up phpinfo on the test url, I cannot see any mention of x-forwarded headers.
