distributions icon indicating copy to clipboard operation
distributions copied to clipboard
verified publisher icon nodesource

403 from (very) specific IP addresses

Open communiteq opened this issue 1 year ago • 1 comments

TL;DR Retrieving https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease fails with a 403, while it works from another server in the same IP range. From 178.156.156.203: problem From 178.156.156.161: works

Both newly deployed VPSes. 4 out of 16 failed. This does stick to the IP, it always works from one IP and it never works from the other.

From 178.156.156.203: problem

root@s203:~# dig deb.nodesource.com

; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> deb.nodesource.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57561
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;deb.nodesource.com.            IN      A

;; ANSWER SECTION:
deb.nodesource.com.     7374    IN      CNAME   deb.nodesource.com.cdn.cloudflare.net.
deb.nodesource.com.cdn.cloudflare.net. 300 IN A 172.67.10.205
deb.nodesource.com.cdn.cloudflare.net. 300 IN A 104.22.4.26
deb.nodesource.com.cdn.cloudflare.net. 300 IN A 104.22.5.26

;; Query time: 46 msec
;; SERVER: 8.8.4.4#53(8.8.4.4) (UDP)
;; WHEN: Thu Feb 06 18:17:36 UTC 2025
;; MSG SIZE  rcvd: 146

root@s203:~# curl -I https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease
HTTP/2 403 
date: Thu, 06 Feb 2025 18:17:54 GMT
content-type: text/html; charset=UTF-8
content-length: 8340
accept-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
critical-ch: Sec-CH-UA-Bitness, Sec-CH-UA-Arch, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Platform, Sec-CH-UA, UA-Bitness, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform-Version, UA-Platform, UA
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
origin-agent-cluster: ?1
permissions-policy: accelerometer=(),autoplay=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()
referrer-policy: same-origin
x-content-options: nosniff
x-frame-options: SAMEORIGIN
cf-mitigated: challenge
cf-chl-out: HRmcgn5hUACOuKWYvPFrywr4zNCcaBMpOFULoykdU09J1iEjTN4hr6+6tvlJmipKY27oT0oWIEwk6aINwCJpDalZQ2cFX80kHRZa1UQPm6yT1zJ+Xu7IxIfdjK0s+YsC$SA4QpUoPOs0ivmq77nG4yw==
cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
expires: Thu, 01 Jan 1970 00:00:01 GMT
server: cloudflare
cf-ray: 90dd23c429fddda7-IAD

From 178.156.156.161: works

root@s161:~# dig deb.nodesource.com

; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> deb.nodesource.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3217
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;deb.nodesource.com.            IN      A

;; ANSWER SECTION:
deb.nodesource.com.     5026    IN      CNAME   deb.nodesource.com.cdn.cloudflare.net.
deb.nodesource.com.cdn.cloudflare.net. 300 IN A 104.22.4.26
deb.nodesource.com.cdn.cloudflare.net. 300 IN A 104.22.5.26
deb.nodesource.com.cdn.cloudflare.net. 300 IN A 172.67.10.205

;; Query time: 44 msec
;; SERVER: 8.8.4.4#53(8.8.4.4) (UDP)
;; WHEN: Thu Feb 06 18:18:14 UTC 2025
;; MSG SIZE  rcvd: 146

root@s161:~# curl -I https://deb.nodesource.com/node_22.x/dists/nodistro/InRelease
HTTP/2 200 
date: Thu, 06 Feb 2025 18:18:15 GMT
content-type: binary/octet-stream
content-length: 12140
x-amz-id-2: S9L6OqvmoXjjKiqh4Pv1plHV+TZjyi/qmbVqIvrMrNkP2Vy8iuIGR+GhJlGumiSroiBUHptIf68=
x-amz-request-id: S1V27DDYRS6BNDDH
last-modified: Wed, 22 Jan 2025 11:31:39 GMT
etag: "ee675c00b2e32cd25043961473e1bb10"
cache-control: max-age=14400
cf-cache-status: HIT
age: 2280
accept-ranges: bytes
server: cloudflare
cf-ray: 90dd24489e64e629-IAD

communiteq avatar Feb 06 '25 18:02 communiteq

This problem has gone away, although I'm still interested to hear what has caused it.

communiteq avatar Feb 21 '25 10:02 communiteq