bunkerweb icon indicating copy to clipboard operation
bunkerweb copied to clipboard
verified publisher icon bunkerity

[BUG] Unban action does not remove ban or reset ban duration for stream services

Open jojolll opened this issue 5 months ago • 2 comments

What happened?

When I create a stream-type service, I can access it as expected. If I manually ban an IP for this service only (from the UI), the IP is correctly banned and cannot access the service.

However, when I unban the IP via either the UI or the bwcli CLI, the IP is marked as successfully unbanned. Despite this, the IP remains banned for the original duration as shown in the logs, and still cannot access the service.

If I try to ban the same IP again and set a new duration, the logs continue to display the original ban duration. It is impossible to reduce the ban duration or fully remove the ban according to my tests.

How to reproduce?

Create a stream-type service. Manually ban an IP for this service (automatic ban not tested). Unban the IP via UI or bwcli. Try to access the service from the banned IP: access is still denied.

Re-ban the IP with a new duration: logs show the initial ban duration, not the updated one.

Expected behavior: Unbanning an IP should instantly restore access for that IP and remove any previous ban duration.

Actual behavior: Unbanned IPs remain blocked for the original ban duration, and the ban cannot be cancelled or reduced.

Configuration file(s) (yaml or .env)

IS_DRAFT=no
SERVER_NAME=test.444
SERVER_TYPE=stream
LISTEN_STREAM_PORT=444
USE_BAD_BEHAVIOR=no
BAD_BEHAVIOR_THRESHOLD=20
WHITELIST_COUNTRY=FR
INTERCEPTED_ERROR_CODES=
REMOVE_HEADERS=
KEEP_UPSTREAM_HEADERS=
STRICT_TRANSPORT_SECURITY=
COOKIE_AUTO_SECURE_FLAG=no
CONTENT_SECURITY_POLICY=
REFERRER_POLICY=
PERMISSIONS_POLICY=
X_CONTENT_TYPE_OPTIONS=
COOKIE_FLAGS=
LETS_ENCRYPT_CHALLENGE=dns
LIMIT_CONN_MAX_HTTP1=100
LIMIT_CONN_MAX_STREAM=100
LIMIT_REQ_RATE=40r/s
LIMIT_REQ_URL_2=^/api/
LIMIT_REQ_RATE_2=10r/s
LIMIT_REQ_URL_3=/login.*
MAX_CLIENT_SIZE=100m
SERVE_FILES=no
HTTP2=no
HTTP3=no
HTTP3_ALT_SVC_PORT=
LISTEN_HTTP=no
OPEN_FILE_CACHE_ERRORS=no
USE_MODSECURITY=no
USE_MODSECURITY_CRS=no
USE_MODSECURITY_CRS_PLUGINS=no
REMOTE_PHP_PORT=
REAL_IP_HEADER=
REAL_IP_RECURSIVE=no
USE_REVERSE_PROXY=yes
REVERSE_PROXY_INTERCEPT_ERRORS=no
REVERSE_PROXY_HOST=minecraft.lan:25565
REVERSE_PROXY_BUFFERING=no
REVERSE_PROXY_HIDE_HEADERS=
REVERSE_PROXY_PASS_REQUEST_BODY=no
AUTO_REDIRECT_HTTP_TO_HTTPS=no
SSL_CIPHERS_LEVEL=old
SELF_SIGNED_SSL_SUBJ=/CN=CPT.pt/
WHITELIST_IP=192.168.1.0/24
WHITELIST_RDNS=
WHITELIST_RDNS_GLOBAL=no
WHITELIST_ASN=

Relevant log output

2025/07/16 15:31:44 [warn] 57071#57071: *69716 [PREREAD] IP 192.xx.xx.xx is banned with reason ui (86351s remaining) while prereading client data, client: 192.xx.xx.xx, server: 0.0.0.0:444

BunkerWeb version

1.6.2

What integration are you using?

Linux

Linux distribution (if applicable)

Debian

Removed private data

  • [x] I have removed all private data from the configuration file and the logs

Code of Conduct

  • [x] I agree to follow this project's Code of Conduct

jojolll avatar Jul 16 '25 14:07 jojolll

Hi,

I retested with version 1.6.4, and the bug is still present. Below are additional logs from this test:

Before ban (no logs for first two accesses): error.log: Access before a ban – no logs recorded

Manual ban of 192.168.1.1 (service-specific, 24h):

2025/08/21 21:18:25 [warn] 177282#177282: *355187 [PREREAD] IP 192.168.1.1 is banned with reason ui (86380s remaining) while prereading client data, client: 192.168.1.1, server: 0.0.0.0:25565
2025/08/21 21:18:25 [warn] 177281#177281: *355188 [PREREAD] IP 192.168.1.1 is banned with reason ui (86379.952s remaining) while prereading client data, client: 192.168.1.1, server: 0.0.0.0:25565

Manual unban of 192.168.1.1 via UI:

2025/08/21 21:18:50 [warn] 177282#177282: *355270 [PREREAD] IP 192.168.1.1 is banned with reason ui (86354.696s remaining) while prereading client data, client: 192.168.1.1, server: 0.0.0.0:25565
2025/08/21 21:18:50 [warn] 177285#177285: *355271 [PREREAD] IP 192.168.1.1 is banned with reason ui (86354.647s remaining) while prereading client data, client: 192.168.1.1, server: 0.0.0.0:25565

👉 The ban effect persists even after unban via UI.

jojolll avatar Aug 21 '25 19:08 jojolll

Hi @jojolll, sorry for the long before an answer. I'll try it in the next sprint and let you know

TheophileDiot avatar Dec 03 '25 14:12 TheophileDiot