IP Ranges in Rest API whitelist

weblion · January 29, 2025, 5:04pm

Hi guys!

[Context]
So I’m building a learning platform where I create a subdomain for every student that gets logged. I’m using the rest api to enable the user and domain creation as well as ssl management. I have succesfully created a working script locally ( added my personal ip to the whitelist ) but my app is deployed on cloudflare pages.

The number of ips owner by cloudflare is in the millions so it can’t be written one by one. So my question is if there is a way to add ip ranges. or if it allows the use of domain names. Disabling it is also an option, it means I should be more carefull with the implementation but it’s worth it I think.

//cloudflare ip ranges
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22

eris · January 29, 2025, 5:21pm

Add 0.0.0.0 but it whitelists everything

ranges are currently not supported…

weblion · January 29, 2025, 5:24pm

Perfect! can I edit the file where the ips are stored internaly? or would 1.5ish million records still be to much to go through for every request?

eris · January 29, 2025, 5:32pm

The check script doesn’t support ip ranges yet…

weblion · January 29, 2025, 11:34pm

Yes I meant exporting all the 1,561,840 ips into a single txt file with a shell script. But No worries I will just bypass the ip restiction as scaning all those ips will probably slow the api’s response. Thank you for your time <3

eris · January 30, 2025, 7:58am

You don’t want 15M records in hestia.conf… It will slow everything down by a ton to reading that from disk every time a hestia script is called.

The system was never designed you can whitelist the Cloudflare ips in Hestia firewall for port 2083 and block everything else but then the are forced to always access Hestia via Cloudflare…

weblion · January 30, 2025, 7:38pm

Sorry Mr Eris But the 0.0.0.0 solution is not working I’m on version 1.6.14

I’m getting the ip not allowed error even on my local machine now

Error: IP is not allowed to connect with API
Error: IP is not allowed to connect with API
Error: IP is not allowed to connect with API

Raphael · January 30, 2025, 7:45pm

update hestia, 1.6.14 is very old.

weblion · January 30, 2025, 11:27pm

I have update to these versions now:

But the problem still persists.

I think there is a problem with the handling script so I will raise an issue on github and I will take a look and see if I can spot the error. ( don’t count on me tho I’m not a senior dev yet haha )

weblion · January 31, 2025, 12:14am

Oh! it’s “allow-all” and not 0.0.0.0

I might jump in later and submit a pull request for the ip ranges support if I can manage to do it in an optimized way

for now I just made a pull request to update the docs:

eris · January 31, 2025, 7:02am

github.com

hestiacp/hestiacp/blob/3bd7c9c8610ea591913b90d431c2ec4740998133/web/api/index.php#L239-L245


      
          	if ($settings["config"]["API_ALLOWED_IP"] != "allow-all") {
          		$ip_list = explode(",", $settings["config"]["API_ALLOWED_IP"]);
          		$ip_list[] = "";
          		if (!in_array($v_real_user_ip, $ip_list) && !in_array("0.0.0.0", $ip_list)) {
          			api_error(E_FORBIDDEN, "IP is not allowed to connect with API", $hst_return);
          		}
          	}

Or you are still using the old api “system”

weblion · January 31, 2025, 1:10pm

As for the latest version on main, it’s removed.

You are on a different branch.

But thank you for your time and dedication, sir. I am not trying to disrespect you or something, you are clearly giving a lot of time and effort for this project and just making sure newcomers don’t go through this repetitive search to find the “allow-list” keyword. That’s what contributions are for after all.

Thank you again

system · March 2, 2025, 1:10pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.