microblog.pub version 2.0.0+ynh1.
The communication with the software flohmarkt doesn't work: lookup of users or notes is not possible.
Issue at flohmarkt can be found here.
I'll provide more information later. If someone cares to try, a list of flohmarkt instances can be found here.
The instance I tried to contact is located at https://flohmarkt.ween.de/.
My microblog.pub runs on the same host as the nginx https server for flohmarkt.ween.de.
Looking at the logs I found that in `./app/utils/url.py` in `def is_url_valid` there is a check `ipaddress.ip_address(ip_address).is_private` that makes my URL fail, because the IP is 127.0.0.1.

I circumvented this for now by adding a block to allow my local URL like this:
```python
def is_url_valid(url: str) -> bool:
    """Implements basic SSRF protection."""
    parsed = urlparse(url)
    if parsed.scheme not in ["http", "https"]:
        logger.warning(f"{parsed.scheme} is not http(s)")
        return False

    # XXX in debug mode, we want to allow requests to localhost to test the
    # federation with local instances
    if DEBUG:  # pragma: no cover
        return True

    # A URL without a hostname must never pass the check
    if not parsed.hostname:
        logger.warning(f"{url} has no hostname")
        return False

    # Local workaround: accept the flohmarkt instance on the same host
    if parsed.hostname.lower() in ["flohmarkt.ween.de"]:
        logger.warning(f"{parsed.hostname} is my local flohmarkt")
        return True
```
To solve this on a DNS/network basis would be quite complicated.
The same issue may arise if different ActivityPub software, e.g. Mastodon, is running on the same host.
My suggestion to solve this problem would be to read a configuration that includes a list of local FQDNs that are allowed to resolve to 127.0.0.1 or a private IP.
I'd appreciate any thoughts on this before I'd try to provide a PR for my suggestion.
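
One way the configurable allowlist suggested above could look, as an added example that is not microblog.pub's own code. `LOCAL_FQDN_ALLOWLIST`, `SAMPLE_DNS`, `sample_resolver` and the `resolver` parameter are hypothetical, and the DNS answers are constructed so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical setting: FQDNs allowed to resolve to loopback/private IPs.
LOCAL_FQDN_ALLOWLIST = frozenset({"flohmarkt.ween.de"})

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "flohmarkt.ween.de": ["127.0.0.1"],
    "intranet.example": ["10.0.0.5"],
    "remote.example": ["93.184.216.34"],
}


def sample_resolver(hostname):
    if hostname not in SAMPLE_DNS:
        raise OSError(f"cannot resolve {hostname}")
    return SAMPLE_DNS[hostname]


def system_resolver(hostname):
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_url_valid(url, allowlist=LOCAL_FQDN_ALLOWLIST, resolver=system_resolver):
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    hostname = (parsed.hostname or "").lower().rstrip(".")
    if not hostname:
        return False
    try:
        # IP literals are checked directly and can never use the allowlist.
        addresses, may_be_local = [str(ipaddress.ip_address(hostname))], False
    except ValueError:
        try:
            addresses = resolver(hostname)
        except OSError:
            return False
        may_be_local = hostname in allowlist
    for address in addresses:
        ip = ipaddress.ip_address(address)
        # Link-local (e.g. cloud metadata) stays blocked even when allowlisted.
        if ip.is_link_local or ip.is_multicast or ip.is_unspecified:
            return False
        if (ip.is_private or ip.is_loopback) and not may_be_local:
            return False
    return bool(addresses)
```

Only names in the allowlist may resolve to loopback or private addresses; IP literals and link-local targets are rejected regardless. The validated address should also be the one the HTTP client connects to, since a second lookup at fetch time can return a different answer.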