[bug] Media proxy returns 424 Failed Dependency for all requests #526

New issue

Closed

opened 2023-04-23 12:50:27 +00:00 by creideiki · 1 comment

creideiki commented 2023-04-23 12:50:27 +00:00

Copy link

Your setup

From source

Extra details

Gentoo Linux

Version

v3.8.0

PostgreSQL version

15.2

What were you trying to do?

After activating the media proxy, all requests to it for images return an HTTP error 424 Failed Dependency after exactly 5 seconds.

A test post demonstrating this error is available at https://akkoma.pikaböl.se/notice/AUwOggNPhamXI484nI

My setup consists of two virtual machines, one running an Apache reverse proxy that terminates TLS and proxies to Akkoma running on the other VM. The Akkoma VM does not have a publicly routable IP address.

What did you expect to happen?

I was expecting the media proxy to serve images.

What actually happened?

I get this HTTP error back:

$ curl -i https://akkoma.pikaböl.se/proxy/preview/1LQYvOkwHq_m6BBILapwBbEgdOo/aHR0cHM6Ly9ha2tvbWEueG4tLXBpa2FibC0weGEuc2UvbWVkaWEvYjVjZmQ5MWY5MDU4MWUyNGVkYjdjMDJlZjUyMjZjMWFlNmNiYmVmNjEzYjk1YjJlMWQ3MzQ4ZmQ4YzcyNTUwMS5KUEc/b5cfd91f90581e24edb7c02ef5226c1ae6cbbef613b95b2e1d7348fd8c725501.JPG
HTTP/1.1 424 Failed Dependency
Date: Sun, 23 Apr 2023 12:39:42 GMT
Server: Cowboy
access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers: Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key
cache-control: max-age=0, private, must-revalidate
content-length: 25
content-security-policy: upgrade-insecure-requests;style-src 'self' 'nonce-G1aziuMT8usaaXH';font-src 'self';script-src 'self' 'nonce-G1aziuMT8usaaXH' ;connect-src 'self' https://akkoma.xn--pikabl-0xa.se wss://akkoma.xn--pikabl-0xa.se ;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self';
permissions-policy: interest-cohort=()
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: DENY
x-permitted-cross-domain-policies: none
x-request-id: F1iQt2ArUpDgvGIAACzh
x-xss-protection: 0
X-Cache: MISS from akkoma.xn--pikabl-0xa.se
X-Cache-Detail: "s-maxage or max-age zero and no Last-Modified or Etag; not cacheable" from akkoma.xn--pikabl-0xa.se
Content-Type: image/jpeg

Can't fetch HTTP headers.

Looking at the source code, it looks like the only place this error can be generated is at https://akkoma.dev/AkkomaGang/akkoma/src/branch/stable/lib/pleroma/web/media_proxy/media_proxy_controller.ex#L88 if a HEAD request to the full image URL (obtained by Base64 decoding the last part of the request URL) fails. But that URL (https://akkoma.xn--pikabl-0xa.se/media/b5cfd91f90581e24edb7c02ef5226c1ae6cbbef613b95b2e1d7348fd8c725501.JPG) works both from a web browser and from the command line om the VM running my Akkoma server:

akkoma@akkoma ~ $ curl -I https://akkoma.pikaböl.se/media/b5cfd91f90581e24edb7c02ef5226c1ae6cbbef613b95b2e1d7348fd8c725501.JPG
HTTP/1.1 200 OK
Date: Sun, 23 Apr 2023 12:44:07 GMT
Server: Cowboy
accept-ranges: bytes
access-control-allow-credentials: true
access-control-allow-origin: *
access-control-expose-headers: Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key
cache-control: public, max-age=1209600
content-length: 6155908
content-security-policy: sandbox
content-type: image/jpeg
etag: "42CBBCD"
permissions-policy: interest-cohort=()
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: DENY
x-permitted-cross-domain-policies: none
x-xss-protection: 0

Logs

Nothing of note is logged, even in debug mode - just that the request comes in, and 5s later that a 424 is returned.

14:25:09.520 request_id=F1iP7SViam24cnoAAA5n [debug] GET /proxy/preview/1LQYvOkwHq_m6BBILapwBbEgdOo/aHR0cHM6Ly9ha2tvbWEueG4tLXBpa2FibC0weGEuc2UvbWVkaWEvYjVjZmQ5MWY5MDU4MWUyNGVkYjdjMDJlZjUyMjZjMWFlNmNiYmVmNjEzYjk1YjJlMWQ3MzQ4ZmQ4YzcyNTUwMS5KUEc/b5cfd91f90581e24edb7c02ef5226c1ae6cbbef613b95b2e1d7348fd8c725501.JPG

14:25:09.520 request_id=F1iP7SViam24cnoAAA5n [debug] Processing with Pleroma.Web.MediaProxy.MediaProxyController.preview/2
  Parameters: %{"filename" => "b5cfd91f90581e24edb7c02ef5226c1ae6cbbef613b95b2e1d7348fd8c725501.JPG", "sig" => "1LQYvOkwHq_m6BBILapwBbEgdOo", "url" => "aHR0cHM6Ly9ha2tvbWEueG4tLXBpa2FibC0weGEuc2UvbWVkaWEvYjVjZmQ5MWY5MDU4MWUyNGVkYjdjMDJlZjUyMjZjMWFlNmNiYmVmNjEzYjk1YjJlMWQ3MzQ4ZmQ4YzcyNTUwMS5KUEc"}
  Pipelines: []

14:25:14.524 request_id=F1iP7SViam24cnoAAA5n [debug] Sent 424 in 5004ms

Severity

I cannot use the software

Have you searched for this issue?

• I have double-checked and have not found this issue mentioned anywhere.

### Your setup From source ### Extra details Gentoo Linux ### Version v3.8.0 ### PostgreSQL version 15.2 ### What were you trying to do? After activating the media proxy, all requests to it for images return an HTTP error 424 Failed Dependency after exactly 5 seconds. A test post demonstrating this error is available at https://akkoma.pikaböl.se/notice/AUwOggNPhamXI484nI My setup consists of two virtual machines, one running an Apache reverse proxy that terminates TLS and proxies to Akkoma running on the other VM. The Akkoma VM does not have a publicly routable IP address. ### What did you expect to happen? I was expecting the media proxy to serve images. ### What actually happened? I get this HTTP error back: ``` $ curl -i https://akkoma.pikaböl.se/proxy/preview/1LQYvOkwHq_m6BBILapwBbEgdOo/aHR0cHM6Ly9ha2tvbWEueG4tLXBpa2FibC0weGEuc2UvbWVkaWEvYjVjZmQ5MWY5MDU4MWUyNGVkYjdjMDJlZjUyMjZjMWFlNmNiYmVmNjEzYjk1YjJlMWQ3MzQ4ZmQ4YzcyNTUwMS5KUEc/b5cfd91f90581e24edb7c02ef5226c1ae6cbbef613b95b2e1d7348fd8c725501.JPG HTTP/1.1 424 Failed Dependency Date: Sun, 23 Apr 2023 12:39:42 GMT Server: Cowboy access-control-allow-credentials: true access-control-allow-origin: * access-control-expose-headers: Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key cache-control: max-age=0, private, must-revalidate content-length: 25 content-security-policy: upgrade-insecure-requests;style-src 'self' 'nonce-G1aziuMT8usaaXH';font-src 'self';script-src 'self' 'nonce-G1aziuMT8usaaXH' ;connect-src 'self' https://akkoma.xn--pikabl-0xa.se wss://akkoma.xn--pikabl-0xa.se ;media-src 'self' https:;img-src 'self' data: blob: https:;default-src 'none';base-uri 'none';frame-ancestors 'none';manifest-src 'self'; permissions-policy: interest-cohort=() referrer-policy: same-origin x-content-type-options: nosniff x-frame-options: DENY x-permitted-cross-domain-policies: none x-request-id: F1iQt2ArUpDgvGIAACzh x-xss-protection: 0 X-Cache: MISS from akkoma.xn--pikabl-0xa.se X-Cache-Detail: "s-maxage or max-age zero and no Last-Modified or Etag; not cacheable" from akkoma.xn--pikabl-0xa.se Content-Type: image/jpeg Can't fetch HTTP headers. ``` Looking at the source code, it looks like the only place this error can be generated is at https://akkoma.dev/AkkomaGang/akkoma/src/branch/stable/lib/pleroma/web/media_proxy/media_proxy_controller.ex#L88 if a HEAD request to the full image URL (obtained by Base64 decoding the last part of the request URL) fails. But that URL (https://akkoma.xn--pikabl-0xa.se/media/b5cfd91f90581e24edb7c02ef5226c1ae6cbbef613b95b2e1d7348fd8c725501.JPG) works both from a web browser and from the command line om the VM running my Akkoma server: ``` akkoma@akkoma ~ $ curl -I https://akkoma.pikaböl.se/media/b5cfd91f90581e24edb7c02ef5226c1ae6cbbef613b95b2e1d7348fd8c725501.JPG HTTP/1.1 200 OK Date: Sun, 23 Apr 2023 12:44:07 GMT Server: Cowboy accept-ranges: bytes access-control-allow-credentials: true access-control-allow-origin: * access-control-expose-headers: Link,X-RateLimit-Reset,X-RateLimit-Limit,X-RateLimit-Remaining,X-Request-Id,Idempotency-Key cache-control: public, max-age=1209600 content-length: 6155908 content-security-policy: sandbox content-type: image/jpeg etag: "42CBBCD" permissions-policy: interest-cohort=() referrer-policy: same-origin x-content-type-options: nosniff x-frame-options: DENY x-permitted-cross-domain-policies: none x-xss-protection: 0 ``` ### Logs ```shell Nothing of note is logged, even in debug mode - just that the request comes in, and 5s later that a 424 is returned. 14:25:09.520 request_id=F1iP7SViam24cnoAAA5n [debug] GET /proxy/preview/1LQYvOkwHq_m6BBILapwBbEgdOo/aHR0cHM6Ly9ha2tvbWEueG4tLXBpa2FibC0weGEuc2UvbWVkaWEvYjVjZmQ5MWY5MDU4MWUyNGVkYjdjMDJlZjUyMjZjMWFlNmNiYmVmNjEzYjk1YjJlMWQ3MzQ4ZmQ4YzcyNTUwMS5KUEc/b5cfd91f90581e24edb7c02ef5226c1ae6cbbef613b95b2e1d7348fd8c725501.JPG 14:25:09.520 request_id=F1iP7SViam24cnoAAA5n [debug] Processing with Pleroma.Web.MediaProxy.MediaProxyController.preview/2 Parameters: %{"filename" => "b5cfd91f90581e24edb7c02ef5226c1ae6cbbef613b95b2e1d7348fd8c725501.JPG", "sig" => "1LQYvOkwHq_m6BBILapwBbEgdOo", "url" => "aHR0cHM6Ly9ha2tvbWEueG4tLXBpa2FibC0weGEuc2UvbWVkaWEvYjVjZmQ5MWY5MDU4MWUyNGVkYjdjMDJlZjUyMjZjMWFlNmNiYmVmNjEzYjk1YjJlMWQ3MzQ4ZmQ4YzcyNTUwMS5KUEc"} Pipelines: [] 14:25:14.524 request_id=F1iP7SViam24cnoAAA5n [debug] Sent 424 in 5004ms ``` ### Severity I cannot use the software ### Have you searched for this issue? - [x] I have double-checked and have not found this issue mentioned anywhere.

creideiki added the

bug

label 2023-04-23 12:50:27 +00:00

creideiki commented 2023-05-14 19:29:50 +00:00

Author

Copy link

I finally looked deep enough at Wireshark to figure out that this was a bug in my firewall's NAT rules. Akkoma really couldn't connect to itself to fetch the original image from /media/.

I finally looked deep enough at Wireshark to figure out that this was a bug in my firewall's NAT rules. Akkoma really couldn't connect to itself to fetch the original image from `/media/`.

creideiki closed this issue 2023-05-14 19:29:50 +00:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

stable

db-prune-beastmode-level-aggression

better-stats

translations

customizable-docker-db

static-adminfe

bad-uploader-config-warning

docker

user-expiry-backfill

config-db-keys

ensure-scrubbers-loaded

otp26

code-shaking-does-not-go-brr

elixir1.15

circleci

backup-fixes

mod-task

policy

mrf-coolness

frontend-switcher-9000

contentMap

language-on-posts

rabbit

credo-on-pr

unify-http

normalise-markup-by-default

buildx

v3.15.2

v3.15.1

v3.15.0

v3.14.1

v3.14.0

v2.8.0

v2.7.1

v3.13.3

v2.7.0

v3.13.2

v2.6.3

v3.13.1

v3.13.0

snac-3.12.1.2

v3.12.2

snac-3.12.1.1

v3.12.1

v3.12.0

v3.11.0

v2.6.2

v2.6.1

2.6.1

v2.6.0

v2.5.5

v3.10.4

v3.10.3

v3.10.2

v3.10.1

v3.10.0

v2.5.4

v2.5.3

v3.9.3

v3.9.2

v3.9.1

V3.9.0

2023.05

v3.8.0

v3.7.1

v3.7.0

v3.6.0

v3.5.0

v2.4.5

v3.4.0

v3.3.1

v2.4.4

v3.3.0

v3.2.3

v3.2.2

v3.2.1

stable-202209

v3.2.0

v3.1.0

stable-2022.07

v3.0.0

v0.0.1

v2.5.2-6

v2.5.2-5

v2.5.2-4

v2.5.2-3

v2.5.2-2

v2.5.2-1

v2.5.2

v2.5.1

v2.5.0-8

v2.5.0-7

v2.5.0-6

v2.5.0-5

v2.5.0-4

v2.5.0-3

v2.5.0-2

v2.5.0-1

v2.5.0

v2.4.3

pre-rebase

v2.4.2

v2.4.1

v2.4.0

soapbox-v1.1.1

soapbox-v1.1.0

soapbox-v1.0.0

v2.3.0

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.1.9

v1.1.8

v1.1.7

v1.1.6

v1.1.5

v1.1.4

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.91

v1.0.90

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

v0.9.0

Labels

Clear labels   

approved, awaiting change

  

bug

Something is not working

  

configuration

This requires config changes

  

documentation

This is about human-readable docs

  

duplicate

This issue or pull request already exists

  

enhancement

New feature

  

extremely low priority

  

feature request

Something new?

  

Fix it yourself

Support has been attempted

  

help wanted

Need some help

  

invalid

Something is wrong

  

mastodon_api

  

needs docs

  

needs tests

  

not a bug

  

planned

  

pleroma_api

  

privacy

  

question

More information is needed

  

static_fe

  

triage

  

wontfix

This won't be fixed

No labels

approved, awaiting change

bug

configuration

documentation

duplicate

enhancement

extremely low priority

feature request

Fix it yourself

help wanted

invalid

mastodon_api

needs docs

needs tests

not a bug

planned

pleroma_api

privacy

question

static_fe

triage

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: AkkomaGang/akkoma#526

No description provided.