Random incorrect detection

Open Aetherinox opened this issue 1 year ago • 6 comments

I installed this, and it works great 96% of the time.

What happens is that when I'm moving from page to page, all is well. I can see in the logs that it's detecting the correct IP, and allows me to work.

I have sessions set to about every 2 hours, so once every 2 hours I must sign back in, but at the moment that I sign in, instead of taking me back to the internal pages, it throws a 403:

    Access to nextcloud.domain.com was denied
    You don't have authorization to view this page.
    HTTP ERROR 403

If I simply click refresh on the page, it lets me in. Seems to happen the most right after a sign-in, and then all the pages after that work just fine.

Any idea what may be causing such an issue? Also, I am using Cloudflare, with the setting:

    ipGeolocationHttpHeaderField: "Cf-Ipcountry"

Aetherinox avatar Jun 21 '24 12:06 Aetherinox

Do you have any additional info? E.g. in the logs, there should be the reason the connection was blocked.

PascalMinder avatar Jun 29 '24 04:06 PascalMinder

Hello, I have this exact same issue and it is driving me insane, I will report back with logs when it happens again.

JohanVlugt avatar Jan 14 '25 16:01 JohanVlugt

Ok, I could trigger a 403 and these are the logs:

I clicked on my Jellyseerr webpage and only these logs appeared. Webpage: 403

    83.24.xxx.xxx - - [14/Jan/2025:17:47:34 +0000] "GET / HTTP/2.0" 403 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 199 "jellyseerr@redis" "-" 2000ms
    83.24.xxx.xxx - - [14/Jan/2025:17:47:37 +0000] "GET /sw.js HTTP/2.0" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 201 "jellyseerr@redis" "http://10.216.174.12:5055" 1176ms

And this is the first line after a successful page load:

    83.24.xxx.xxx - - [14/Jan/2025:17:52:03 +0000] "GET / HTTP/2.0" 200 47061 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 269 "jellyseerr@redis" "http://10.216.174.12:5055" 384ms

Same issue with Jellyfin, both are behind the geoblock middleware:

    83.24.xxx.xxx - - [14/Jan/2025:18:01:22 +0000] "GET /UserItems/Resume?userId=52809ee7-fbb2-426b-9780-78a53c48585c&limit=12&includeItemTypes=Movie&includeItemTypes=Episode&enableTotalRecordCount=true&enableImages=true&excludeActiveSessions=false HTTP/2.0" 403 0 "-" "Ktor client" 569 "jellyfin@redis" "-" 2000ms

With Sonarr:

    83.24.xxx.xxx - - [14/Jan/2025:18:10:04 +0000] "GET / HTTP/2.0" 403 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 363 "sonarr@redis" "-" 2001ms

With all of them there are no other logs than 1-2 lines. They are provided from redis from a different host. I will try to see if I can also trigger it on something hosted on the same machine.

Got it to trigger on Authelia, run on the same machine as the reverse proxy Traefik stack:

    83.24.xxx.xxx - - [14/Jan/2025:18:27:18 +0000] "GET /?rd=https%3A%2F%2Ftraefik.domain.com%2Fdashboard%2F&rm=GET HTTP/2.0" 403 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" 844 "authelia@docker" "-" 2001ms

Traefik log:

    DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:117 > 499 Client Closed Request error="context canceled"

My settings:

    middleware-plugin-geoblock:
      plugin:
        GeoBlock:
          silentStartUp: true
          allowLocalRequests: true
          logLocalRequests: false
          logAllowedRequests: false
          logApiRequests: false
          api: "https://get.geojs.io/v1/ip/country/{ip}"
          apiTimeoutMs: 2000
          cacheSize: 100
          forceMonthlyUpdate: true
          allowUnknownCountries: false
          unknownCountryApiResponse: "nil"
          blackListMode: false
          allowedIPAddresses:
            - 49.13.57.239  
          countries:
            - NL
            - PL
            - MY

Timeout and the response match on 2000ms.

Anyway I hope this is enough information to help troubleshoot.

UPDATE:

I can instantly trigger this issue on all my services by setting this: apiTimeoutMs: 1

Now the question is why does it not grab my IP from the cache and why is there no unified cache for all the spawned instances (I observed 1 instance per attached route)? I have done all these tests from the same IP.

For now I set apiTimeoutMs: 60000 as a workaround.

JohanVlugt avatar Jan 14 '25 17:01 JohanVlugt
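
A triage check for the pattern reported above, as an added example that is not part of the original thread or the plugin's code: it parses Traefik access-log lines in the format posted and separates 403s that never reached a backend (`"-"`) and lasted about `apiTimeoutMs` from other denials. The sample lines, the documentation IPs, the router name `app@docker`, the backend address and the 50 ms slack are constructed assumptions.

```python
import re
from collections import Counter

# Traefik access-log line in the common format shown in the thread:
# ... "request" status size "referer" "agent" count "router" "backend" NNNms
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "[^"]*" \d+ "(?P<router>[^"]*)" "(?P<backend>[^"]*)" '
    r'(?P<ms>\d+)ms$'
)

# Constructed sample lines (documentation IPs, hypothetical router name).
SAMPLE = [
    '203.0.113.7 - - [14/Jan/2025:17:47:34 +0000] "GET / HTTP/2.0" 403 0 "-" "Mozilla/5.0" 199 "app@docker" "-" 2000ms',
    '203.0.113.7 - - [14/Jan/2025:17:52:03 +0000] "GET / HTTP/2.0" 200 47061 "-" "Mozilla/5.0" 269 "app@docker" "http://10.0.0.5:5055" 384ms',
    '203.0.113.7 - - [14/Jan/2025:18:10:04 +0000] "GET / HTTP/2.0" 403 0 "-" "Mozilla/5.0" 363 "app@docker" "-" 2001ms',
    '198.51.100.9 - - [14/Jan/2025:18:11:00 +0000] "GET / HTTP/2.0" 403 0 "-" "curl/8.5.0" 364 "app@docker" "-" 3ms',
]

def classify(line, api_timeout_ms=2000, slack_ms=50):
    """Return (router, verdict) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    status, ms = int(m["status"]), int(m["ms"])
    # A backend of "-" means the request was answered before any upstream was
    # contacted, i.e. by a middleware rather than by the application.
    if status != 403 or m["backend"] != "-":
        return m["router"], "not-blocked"
    # Heuristic: a middleware 403 that took about apiTimeoutMs points to the
    # geolocation lookup timing out, not to a country that is denied.
    if api_timeout_ms <= ms <= api_timeout_ms + slack_ms:
        return m["router"], "timeout-block"
    return m["router"], "other-block"

def summarize(lines, api_timeout_ms=2000):
    """Count verdicts per router so recurring timeout blocks stand out."""
    counts = Counter()
    for line in lines:
        result = classify(line, api_timeout_ms)
        if result is not None:
            counts[result] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(key, n)
```

Pass the configured `apiTimeoutMs` as `api_timeout_ms`; the duration match is a heuristic, so confirm a `timeout-block` against the plugin's own log output.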

Thanks for the info, I'm going to set this on mine and see if it fixes it.

slimshizn avatar May 06 '25 09:05 slimshizn

Ah sorry, I didn't see this reply. Let me go play around with it and see if I can pull up some logs.

Aetherinox avatar May 06 '25 09:05 Aetherinox

I don't use this middleware anymore because it's dependent on an API and slow.

This is the plugin I use now, based on a file, which is very fast: https://github.com/nscuro/traefik-plugin-geoblock

JohanVlugt avatar May 06 '25 11:05 JohanVlugt