Firehose Webhook: URI is not a valid fetchable resource


#1

When trying to configure a Firehose Webhook on Phabricator using the URI http://localhost:8080/handler2 I’m getting the error message:

URI “http://localhost:8080/handler2” is not a valid fetchable resource. The domain “localhost” resolves to the address “127.0.0.1”, which is blacklisted for outbound requests.

Using the config command, I see that I don’t have any explicit blacklist:

$ ./bin/config get security.outbound-blacklist
{
  "config": [
    {
      "key": "security.outbound-blacklist",
      "source": "local",
      "value": null,
      "status": "unset",
      "errorInfo": null
    },
    {
      "key": "security.outbound-blacklist",
      "source": "database",
      "value": null,
      "status": "unset",
      "errorInfo": null
    }
  ]
}

But I see that, by default, all private and local addresses are considered blacklisted for outbound connections in Phabricator’s source code. Reading your motivation to blacklist them here, I think it makes sense for requests that are started by users, but why enforce this for Firehose WebHooks too?

Note that the feed.http-hooks works fine with a local address in my installation:

./bin/config get feed.http-hooks
{
  "config": [
    {
      "key": "feed.http-hooks",
      "source": "local",
      "value": [
        "http://localhost:8080/handler"
      ],
      "status": "set",
      "errorInfo": null
    },
    {
      "key": "feed.http-hooks",
      "source": "database",
      "value": null,
      "status": "unset",
      "errorInfo": null
    }
  ]
}

So, with Firehose being the intended replacement for feed.http-hooks, shouldn’t it allow local and private addresses too?


#2

This is working as intended. feed.http-hooks is allowed to bypass policy restraints and the outbound address blacklist because it can only be edited with CLI access.


#3

Is there a way to host a Firehose webhook on the same machine where Phabricator is running, if that machine doesn’t have a public IP address?

(Well, I could ./bin/config set security.outbound-blacklist [] but that would be lowering the security restrictions for more than my webhook.)
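
Added example, not part of the original thread and not Phabricator's code: a sketch of a resolve-then-check outbound filter like the one behind the error in #1, comparing the empty list from #3 with a list that drops only the loopback range. The CIDR list, hostnames, `SAMPLE_DNS`, `resolve_sample`, `check_outbound` and `narrowed` are assumptions constructed for illustration, and the list is not copied from Phabricator's defaults.

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative blocklist (assumption): loopback, RFC 1918 and link-local ranges.
ILLUSTRATIVE_BLOCKLIST = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                          "192.168.0.0/16", "169.254.0.0/16"]

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "localhost": ["127.0.0.1"],
    "hooks.example.com": ["203.0.113.10"],
    "build.internal.example": ["10.0.0.5"],
    "mixed.example.com": ["203.0.113.10", "10.0.0.5"],
}

def resolve_sample(host):
    """Hypothetical resolver: IP literals map to themselves, names use SAMPLE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return SAMPLE_DNS.get(host, [])

def check_outbound(uri, blocklist, resolve=resolve_sample):
    """Return (allowed, reason); every resolved address must be outside the blocklist."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported scheme or missing host"
    addresses = resolve(parts.hostname)
    if not addresses:
        return False, "host does not resolve"
    networks = [ipaddress.ip_network(cidr) for cidr in blocklist]
    for text in addresses:
        addr = ipaddress.ip_address(text)
        for net in networks:
            if addr.version == net.version and addr in net:
                return False, f"{parts.hostname} resolves to {addr}, inside {net}"
    return True, "ok"

def narrowed(blocklist, *allow):
    """Drop only the named ranges and keep the rest of the blocklist."""
    return [cidr for cidr in blocklist if cidr not in allow]

if __name__ == "__main__":
    lists = {"full": ILLUSTRATIVE_BLOCKLIST,
             "loopback removed": narrowed(ILLUSTRATIVE_BLOCKLIST, "127.0.0.0/8"),
             "empty": []}
    for label, blocklist in lists.items():
        for uri in ("http://localhost:8080/handler2",
                    "http://build.internal.example/hook"):
            print(label, uri, check_outbound(uri, blocklist))
```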


closed #5