Internal oneboxing problem revisited


(pjv) #1

I’m seeing a problem similar to that reported in this topic:

For a forum running on forum.breadtopia.com, as of recent discourse updates we are unable to onebox posts from the wordpress site at breadtopia.com. Prior to recent updates oneboxing from the wordpress site worked fine.

In this case, there is definitely an internal private network IP active between the two servers and the web server on breadtopia.com is not listening on the private IP address. This has not changed recently - the private IP has always been there and nginx on breadtopia.com has never listened on that address.

The forum is running version 1.9.0.beta3 and I have used the new whitelist feature (@eviltrout) to whitelist breadtopia.com but oneboxing for that domain is still not working and the console shows a 404 error.

Here is a recent example post that should have a onebox:

Here is an older post where the oneboxing worked correctly for the same domain:


(pjv) #3

Anybody here know what changed in Discourse that made oneboxing stop working in situations like I have described above? Anyone have a fix or even a workaround?


(Robin Ward) #4

We changed to avoid SSRF attacks. Sorry for changing stuff around but it’s for security reasons which I’m sure in the long term are more important to you.

One thing to check is that the hostname you are whitelisting is an exact match. For example breadtopia.com would not match forum.breadtopia.com. Having said that, it looks like you were only trying to onebox breadtopia.com right?
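The two checks Robin describes, an exact-hostname allowlist and a refusal to fetch anything that resolves to a private address, can be sketched as follows. This is an added example in Ruby, not Discourse's own onebox code: the DNS answers are passed in as constructed data so it runs offline, and the blocked ranges, function names and sample addresses are my assumptions.

```ruby
require "ipaddr"
require "uri"

# Ranges an SSRF guard should refuse to fetch (assumed list: loopback,
# RFC 1918, link-local, "this network", IPv6 loopback/ULA/link-local).
BLOCKED_RANGES = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 0.0.0.0/8 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# True when the address falls in any blocked range of the same family.
def private_ip?(ip)
  addr = IPAddr.new(ip)
  BLOCKED_RANGES.any? { |range| range.family == addr.family && range.include?(addr) }
end

# Exact, case-insensitive hostname match: "breadtopia.com" does NOT cover
# "forum.breadtopia.com", which is the pitfall mentioned in the post above.
def allowlisted?(host, allowlist)
  allowlist.map(&:downcase).include?(host.downcase)
end

# Decide whether a onebox fetch of +url+ may proceed.
# +resolved_ips+ stands in for the A/AAAA records a real guard would look up
# (every record, not just the first); an allowlisted host skips the IP check.
def onebox_allowed?(url, resolved_ips:, allowlist:)
  uri = URI.parse(url)
  return [false, "unsupported scheme"] unless %w[http https].include?(uri.scheme)
  host = uri.host
  return [false, "no host"] if host.nil? || host.empty?
  return [true, "allowlisted"] if allowlisted?(host, allowlist)

  blocked = resolved_ips.select { |ip| private_ip?(ip) }
  return [false, "resolves to private address #{blocked.join(', ')}"] unless blocked.empty?

  [true, "public"]
end

# Constructed sample: a host with both a public and a private record,
# as in the two-server setup described in the first post.
SAMPLE_DNS = {
  "breadtopia.com" => ["203.0.113.10", "10.0.0.5"],
  "forum.breadtopia.com" => ["203.0.113.11"],
  "localhost" => ["127.0.0.1"],
}.freeze

def check(url, allowlist)
  host = URI.parse(url).host
  onebox_allowed?(url, resolved_ips: SAMPLE_DNS.fetch(host, []), allowlist: allowlist)
end

if __FILE__ == $PROGRAM_NAME
  [
    ["https://breadtopia.com/recipe", ["breadtopia.com"]],
    ["https://breadtopia.com/recipe", ["forum.breadtopia.com"]],
    ["https://forum.breadtopia.com/t/1", []],
    ["http://localhost:3000/admin", []],
  ].each do |url, allowlist|
    ok, why = check(url, allowlist)
    puts "#{ok ? 'ALLOW' : 'DENY '} #{url} (allowlist=#{allowlist.inspect}): #{why}"
  end
end
```

The second sample line is the situation from the thread: a host with a private record is denied unless its hostname is allowlisted exactly. A production guard must also resolve the target itself, apply the same check to every redirect hop, and bind the connection to the address it checked, otherwise a DNS rebinding between the check and the fetch defeats it.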


(pjv) #5

yes, breadtopia.com as seen in the two examples I posted above.

Oneboxing forum.breadtopia.com works fine.

Here is the admin setting for the whitelist. Let me know if you think that the faulty oneboxing seen in the first post I listed above should be happening.


(Robin Ward) #6

I checked your onebox URL and noticed I couldn’t do it on https://try.discourse.org either which is a sign that it’s not related to the internal host check.

The actual problem is that our new onebox engine provides a custom user agent of “Discourse Forum Onebox vXXX” and your wordpress blog blocks it with a 520 Origin Error. Previously the User-Agent was “Ruby” which your wordpress blog allows.


(pjv) #7

Excellent - Pretty sure I can fix that on my end. Thank you very much.


(Robin Ward) #8