RPC: conf var rpcallowip=::/0 stopped working when upgrading to 0.21 #21070

issue SomberNight opened this issue on February 3, 2021

SomberNight commented at 3:03 AM on February 3, 2021: contributor
TL;DR: When upgrading from Bitcoin Core 0.20.1 to Bitcoin Core 0.21.0, a downstream application using the HTTP JSON-RPC API started getting HTTP 403 "Forbidden".

Turns out it is because I have rpcallowip=::/0 in bitcoin.conf which used to work but does not anymore. As a workaround, rpcallowip=0.0.0.0/0 works.

I run bitcoind in docker container1, and some application using the HTTP JSON-RPC API of bitcoind is in docker container2. They are on the same "docker network".

In bitcoin.conf I have:
```
rpcauth=<...>
rpcbind=0.0.0.0:8332
rpcallowip=::/0
```
(bitcoind RPC is not actually exposed to the public internet; it is up to the docker layer and above to ensure this.)

The application in container2 is connecting through HTTP accessing an URL such as http://user:pass@172.19.1.10:8332/.

This setup used to work when running Bitcoin Core 0.20.1 in container1.

It no longer works with Bitcoin Core 0.21.0.

If I change my bitcoin.conf as below, it starts working again using 0.21:
```
rpcauth=<...>
rpcbind=0.0.0.0:8332
rpcallowip=0.0.0.0/0
```
So rpcallowip=::/0 used to work but does not anymore; rpcallowip=0.0.0.0/0 works.

Easy way to test: curl --data-binary '{"jsonrpc":"1.0","id":"curltext","method":"getblockchaininfo","params":[]}' -H 'content-type:text/plain;' http://user:pass@172.19.1.10:8332/
SomberNight added the label Bug on Feb 3, 2021
fanquake added the label RPC/REST/ZMQ on Feb 3, 2021
luke-jr commented at 3:09 AM on February 3, 2021: member

I think the new behaviour is correct. You're allowing all IPv6 hosts, but only binding to IPv4.
willyko commented at 2:09 AM on February 4, 2021: contributor

hit this issue a few days ago.. but i saw kylemanna already fixed it in his repo https://github.com/kylemanna/docker-bitcoind/pull/72
jamesob commented at 3:51 PM on August 6, 2021: member

I'm seeing this behavior as new as of 0.21.0 also. Definitely an unpleasant user experience.
practicalswift commented at 7:25 PM on August 15, 2021: contributor

Perhaps the user experience thing could be solved with better documentation and/or a warning in relevant situations?

Regardless of the historical behaviour it feels risky to make it so that adding what looks like an "IPv6 allow" also implies an "IPv4 allow" (or vice versa).

In other words: if rpcallowip=::/0 used to imply also rpcallowip=0.0.0.0/0 then that feels like buggy behaviour :)
willcl-ark commented at 11:23 AM on March 9, 2023: member

@MarcoFalke should this be closed now that the old behaviour is buried under 3 releases?

Although, perhaps we keep it open as I don't see any test which would check for regression of this behaviour...
maflcko added the label Docs on Mar 9, 2023
maflcko commented at 1:40 PM on March 9, 2023: member

Maybe the docs or a warning can be improved, see the previous comment: #21070 (comment)
willcl-ark referenced this in commit 1e4580814b on Apr 18, 2023
willcl-ark referenced this in commit 9fe62caded on Apr 18, 2023
willcl-ark referenced this in commit 580cdec79c on Aug 9, 2023
willcl-ark referenced this in commit c8e066461b on Aug 10, 2023
achow101 closed this on Aug 24, 2023
achow101 referenced this in commit 5ce200dda2 on Aug 24, 2023
Frank-GER referenced this in commit 5b3fa1790b on Sep 8, 2023
Retropex referenced this in commit 4f93521875 on Oct 4, 2023
Retropex referenced this in commit 5f62ed90f6 on Oct 4, 2023
bitcoin locked this on Aug 23, 2024

Contributors

Labels

Bug Docs RPC/REST/ZMQ

Linked (view graph)

#27480 doc: Improve documentation of rpcallowip