Internal oneboxing problem revisited

I’m seeing a problem similar to that reported in this topic:

For a forum running on, as of recent Discourse updates we are unable to onebox posts from the WordPress site at Prior to recent updates, oneboxing from the WordPress site worked fine.

In this case, there is definitely an internal private network IP active between the two servers and the web server on is not listening on the private IP address. This has not changed recently - the private IP has always been there and nginx on has never listened on that address.

The forum is running version 1.9.0.beta3 and I have used the new whitelist feature (@eviltrout) to whitelist but oneboxing for that domain is still not working and the console shows a 404 error.

Here is a recent example post that should have a onebox:

Here is an older post where the oneboxing worked correctly for the same domain:


Anybody here know what changed in Discourse that made oneboxing stop working in situations like I have described above? Anyone have a fix or even a workaround?

We changed to avoid SSRF attacks. Sorry for changing stuff around but it’s for security reasons which I’m sure in the long term are more important to you.

One thing to check is that the hostname you are whitelisting is an exact match. For example would not match Having said that, it looks like you were only trying to onebox right?
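The two checks described in this reply, the internal-host guard added against SSRF and the exact-match whitelist, can be sketched in Ruby. This is an added illustration with a hypothetical `onebox_allowed?` helper and a constructed DNS table, not Discourse's own onebox code; the real implementation lives in the Discourse/onebox gems.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Address ranges a server-side fetch should never reach (loopback, RFC 1918,
# link-local, unique-local). Hypothetical list, not Discourse's.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

def internal_ip?(ip)
  addr = IPAddr.new(ip)
  # include? returns false for a mismatched address family, so mixing v4/v6 is safe.
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

def ip_literal?(host)
  host.match?(Resolv::IPv4::Regex) || host.match?(Resolv::IPv6::Regex)
end

# Returns true when a onebox fetch of +url+ should be attempted. +resolver+ is
# injected so the check can run offline; it defaults to real DNS.
def onebox_allowed?(url, whitelist: [], resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme) && uri.hostname
  host = uri.hostname.downcase
  # Exact hostname match only: "blog.example.com" does not cover "www.blog.example.com".
  return true if whitelist.map(&:downcase).include?(host)
  return !internal_ip?(host) if ip_literal?(host)
  addresses = resolver.call(host)
  return false if addresses.empty?
  # Every resolved address must be public; one internal record is enough to refuse.
  addresses.none? { |ip| internal_ip?(ip) }
rescue URI::InvalidURIError, IPAddr::InvalidAddressError
  false
end
```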

yes, as seen in the two examples I posted above.

Oneboxing works fine.

Here is the admin setting for the whitelist. Let me know if you think that the faulty one-boxing seen in the first post I listed above should be happening.

I checked your onebox URL and noticed I couldn’t do it on either which is a sign that it’s not related to the internal host check.

The actual problem is that our new onebox engine provides a custom User-Agent of “Discourse Forum Onebox vXXX” and your WordPress blog blocks it with a 520 Origin Error. Previously the User-Agent was “Ruby”, which your WordPress blog allows.

Excellent - Pretty sure I can fix that on my end. Thank you very much.