Duplicati login failed from HTTP hostname xxx.duckdns.org

Hi all,
My Home Assistant’s URL is: http://xxx.duckdns.org:8123 (it’s HTTP only, not HTTPS yet)
I am using an iframe to add Duplicati as a panel; when I log in to Duplicati it shows this error:

How to allow access to Duplicati UI from HTTP hostname?

I can access the Duplicati UI from the HASS local IP, and it works fine. I am aware that there is a setting to allow hostnames here, but I don't know what I should input (mysubdomain.duckdns.org, or mysubdomain only, or duckdns.org, or something else?).

My Duplicati version: 2.0.6.3_beta_2021-06-17

Hello and welcome!

I’m not familiar with Home Assistant, but I wonder if you could do a test. Set the Hostnames field to * and see if it makes any difference.

Hi @drwtsn32, actually the settings page comes with * from the beginning. Since it doesn't work, I changed it from * to "myhostname.duckdns.org", but it did not help, even after I restarted Duplicati.

I believe the default is blank, which allows access only if the URL uses IP addresses or localhost. I wonder if it’s some browser security thing with iframes. The Duplicati web UI does work on its own outside of Home Assistant, right?

@drwtsn32 I can confirm the default is *. I also tried inputting * again.

Yes, it does. I made some changes on the Settings page (Hostnames field) but I see no effect.
So I don't know where this problem comes from (the Home Assistant iframe or the Duplicati settings page)…
I will try adding a rule to allow incoming traffic on the port the Duplicati server listens on (the default is TCP port 8200) and see what happens.

I’d try to not expose a web server unmodified for 7 years to the Internet.
Unless the great guys who wrote it were a lot better than the Apache, Nginx, and the rest of the crowd, there may be a few security problems lurking here, since all web servers have had CVEs during these years. And security audits are surely more frequent for Nginx, Apache, etc. than for a discontinued C# server that is probably not used a lot outside of Duplicati. Did you read the part about 'secure firewall protected network'?


Completely agree. The main author has stated the Duplicati web engine is not hardened for exposure to the public internet. I’m not familiar with this Home Assistant so didn’t know if that’s what it does, or if you use some sort of VPN still.

If you really want to expose 8200 to the internet at least set up a rule so it’s only allowed from trusted source IP addresses, and enable the web UI password.


and the topic title

Duplicati login failed from HTTP hostname xxx.duckdns.org

One might think this tries to validate its client by name. Actually it looks at the URL the client used to reach the server.
DNS rebinding attack is what it’s trying to protect against by checking sent Host header for validity.

Does not accept hostname other than * was your me-too at a topic about a different error scenario:

The host header sent by the client is not allowed

I’m unsure what error you’re seeing under what situations. Are you ever getting host header error?
If not, then trying to change the Hostnames field is probably not going to solve the Password error.

If you allow remote access, and the Host header comes in wrong (is there a reverse proxy as well, potentially dropping or mangling it?) then you get a host header complaint on a very empty screen.
That’s where allowing * might help. Your posted error looks like you just typed the wrong password.
That’s the first set of options on the Settings screen shown above. Did you set up your own in this?
Some third-party Duplicati packages supply a hardcoded password. What exactly are you running?
Is Duplicati installed directly on the host, or is there a Docker? If Docker, whose Docker is running?
Or Is Duplicati not running on Home Assistant system, but simply providing its user interface there?

If you’re on a relatively safe network, would Duplicati let you in without a password if you turn it off?

Regarding Home Assistant, the DuckDNS integration looks like it uses dynamic DNS to update the primary Home Assistant DNS entry. There might be other IPs involved, e.g. if Duplicati is in Docker.
Those might be dynamically assigned (I'm no Docker expert). Not sure how you'd DNS-name them.
iframe Panel takes a URL, but I don't know if it sends a Host header the way a regular browser does.
One reason I wonder about reverse proxy is the URL in the bar at top of screenshot reminds me of reverse proxy being used to get to Duplicati using a URL on the main site, not directly by port 8200.
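The Host header check the previous post describes, written out as an added example (this is not Duplicati's code). It models what the thread says about the behaviour: the server compares the client's Host header against an allow list; a blank list admits only IP addresses and localhost; a name in the list admits that exact name; `*` admits anything, which is why `*` is convenient but unsafe. The option name `--webservice-allowed-hostnames` comes from later in the thread; the list separator, case-insensitive matching and the attacker name `evil.example` are assumptions.

```python
"""Host-header allowlist of the kind used to block DNS rebinding.

Added example, not Duplicati's code. Assumptions: the allowlist is a
comma- or semicolon-separated string, names match exactly and
case-insensitively, and "*" admits every Host value.
"""
import ipaddress
from urllib.parse import urlsplit


def host_from_header(host_header: str) -> str:
    """Strip the port (and IPv6 brackets) from a Host header value."""
    # urlsplit handles "[::1]:8200" and "name:8200" uniformly.
    parts = urlsplit("//" + host_header.strip())
    return (parts.hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_allowed(host_header: str, allowed_hostnames: str = "") -> bool:
    """Return True if a request carrying this Host header may be served.

    allowed_hostnames mirrors a setting such as --webservice-allowed-hostnames;
    blank means only localhost and IP literals are accepted (the default the
    thread describes).
    """
    host = host_from_header(host_header)
    if not host:
        return False
    # Loopback name and any IP literal are always accepted: a rebinding
    # attacker's page cannot make the browser send those as Host.
    if host == "localhost" or is_ip_literal(host):
        return True
    allowed = {
        h.strip().lower()
        for h in allowed_hostnames.replace(";", ",").split(",")
        if h.strip()
    }
    if "*" in allowed:
        return True
    return host in allowed


def rebinding_scenario() -> dict:
    """Attacker page at evil.example (assumed name) rebinds that name to the
    victim's LAN address; the browser then sends Host: evil.example to the
    Duplicati port. Only the "*" configuration lets that request through."""
    return {
        "blank_list": host_allowed("evil.example:8200", ""),
        "named_list": host_allowed("evil.example:8200", "xxx.duckdns.org"),
        "wildcard": host_allowed("evil.example:8200", "*"),
    }


if __name__ == "__main__":
    print("by IP   :", host_allowed("192.168.1.10:8200"))
    print("by name :", host_allowed("xxx.duckdns.org:8200", "xxx.duckdns.org"))
    print("rebind  :", rebinding_scenario())
```

For the question asked at the top of the thread, this is also what the Hostnames field wants: the full name the browser shows in its address bar (`xxx.duckdns.org`), not the bare subdomain and not `duckdns.org`, since a parent domain does not match.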

@ts678 Thanks for your comment. I read the posts you mentioned, but they don't help me very much. Their answers seem outdated, using old CLI commands, and nowadays Duplicati has updated the Hostnames field with * as the default setting already.

Yes, I set up all of them on the same host myself, Duplicati and Home Assistant in Docker containers.

I just turned off the password for the Duplicati interface. Now I can see the error by pressing F12 in Chrome.

It shows a "Connection Lost" error on screen and returns

Status Code: 400 Missing XSRF Token. Please reload the page

Not sure where this error coming from, Home Assistant or Duplicati?

I searched a bit and see that Duplicati has had the same question since 2017, but their solutions (Ctrl+F5 to refresh, or a private browser window) do not work for me: Missing XSRF Token

If you mean server options, they’re current (not old), and sometimes interact with GUI config.
For example --webservice-password can set it and can also be used to disable the password.

It’s not happening here, starting from new configuration (no Duplicati-server.sqlite). It’s blank.
Duplicati upgrade - “The host header sent by the client is not allowed” explains why * is bad.
Definitely more convenient though, but not secure, and the choice was to default to secure…

Possibly your Docker packager did some things. I’m still trying to learn what Docker you use.

https://github.com/linuxserver/docker-duplicati/blob/master/root/etc/services.d/duplicati/run

makes me think LinuxServer.io Docker decided to defeat security by setting * for Hostnames.
I confirmed that a given --webservice-allowed-hostnames does in fact populate GUI field.

We might need a Docker expert (especially on network). I don’t use Docker, so am not expert.

How are you setting up the iframe so that it connects to Duplicati's IP, which might be dynamic?

Docker documentation Container networking has an IP address and hostname section discussing this.
I have no idea if Home Assistant does anything to make getting to servers any easier than that.
Theoretically, perhaps the reverse proxy could steer the incoming connection to right container.

Cross-site request forgery protection. In your F12 view, requests get an X-XSRF-Token header.
You might also be able to find the cookie in the store for whatever host or IP address you go to.
Did you reload the page (preferably using a hard refresh)? I think that should get a new cookie.

Typically I get these if I try to use one browser connected to multiple Duplicati at different ports.
I’m not a web developer, but I think the cookies step on each other because host is the same…

I’m not sure what’s going on in your case, but you have the tools set up to watch action. Code is

Any C# or web developers, please feel free to comment.

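The XSRF check and the "cookies step on each other" effect from the post above, as an added example (not Duplicati's code). The thread says each request carries an X-XSRF-Token header that must correspond to a cookie the browser holds; the check below compares the two, which is the double-submit pattern. The cookie store models the RFC 6265 rule that cookies are scoped by host and path but not by port, so two instances on the same host at different ports overwrite each other's cookie and the next request from the first page fails the check until a reload issues a fresh pair. The cookie name `xsrf-token`, the token format and the two example URLs are assumptions.

```python
"""Double-submit XSRF check and the same-host, different-port cookie collision.

Added example, not Duplicati's code. Assumptions: the cookie is called
"xsrf-token", the header is "X-XSRF-Token" (as in the thread), tokens are
random hex strings, and the browser keys cookies by (host, name) with no port.
"""
import hmac
import secrets
from urllib.parse import urlsplit


def new_xsrf_token() -> str:
    return secrets.token_hex(16)


def xsrf_ok(cookies: dict, headers: dict) -> bool:
    """Server side: the header must be present and equal the cookie value.
    A missing or stale header/cookie pair is what surfaces as a 400
    'Missing XSRF Token' style rejection."""
    cookie = cookies.get("xsrf-token")
    header = headers.get("X-XSRF-Token")
    if not cookie or not header:
        return False
    return hmac.compare_digest(cookie, header)


class BrowserCookieStore:
    """Minimal cookie jar: the port is deliberately absent from the key,
    mirroring RFC 6265 cookie scoping."""

    def __init__(self) -> None:
        self._jar: dict = {}

    def set_cookie(self, url: str, name: str, value: str) -> None:
        self._jar[(urlsplit(url).hostname, name)] = value

    def cookies_for(self, url: str) -> dict:
        host = urlsplit(url).hostname
        return {n: v for (h, n), v in self._jar.items() if h == host}


def two_instances_collide() -> dict:
    """Open Duplicati A on :8200, then Duplicati B on :8201 in the same browser,
    then send a request to A with the token A's page still holds. The cookie now
    belongs to B, so A's check fails. A hard reload of A issues a fresh
    cookie/token pair and the check passes again."""
    store = BrowserCookieStore()
    a = "http://192.168.1.10:8200/"   # constructed example addresses
    b = "http://192.168.1.10:8201/"
    token_a = new_xsrf_token()
    store.set_cookie(a, "xsrf-token", token_a)      # login to A
    token_b = new_xsrf_token()
    store.set_cookie(b, "xsrf-token", token_b)      # login to B clobbers A's cookie
    stale = xsrf_ok(store.cookies_for(a), {"X-XSRF-Token": token_a})
    token_a2 = new_xsrf_token()
    store.set_cookie(a, "xsrf-token", token_a2)     # reload A: new pair
    fresh = xsrf_ok(store.cookies_for(a), {"X-XSRF-Token": token_a2})
    return {"after_second_login": stale, "after_reload": fresh}


if __name__ == "__main__":
    print(two_instances_collide())
```

The same collision applies to the thread's setup: Home Assistant on `xxx.duckdns.org:8123` and Duplicati on `xxx.duckdns.org:8200` share one cookie scope in the browser, so anything on either port that sets a cookie of the same name can invalidate the other's token.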