Description
Checklist
- I have searched Budibase discussions and GitHub issues to check if my issue already exists
Hosting
- Self-hosted
- Method: Docker Compose (Swarm)
- Budibase Version: 3.33.5
- App Version: 3.33.5
Describe the bug
Some REST API datasource endpoints that resolve to internal RFC1918 addresses fail with the generic error: Cannot connect to URL.
The endpoint in question is a self-hosted service behind a reverse proxy (Traefik). The DNS hostname resolves to an internal address in the 10.0.0.0/8 private address range.
This appears to be caused by the recently introduced IP blacklist functionality. The default blacklist includes several private/internal address ranges:
```ts
const DEFAULT_BLACKLIST = [
  "127.0.0.0/8",
  "10.0.0.0/8",
  "172.16.0.0/12",
  "192.168.0.0/16",
  "169.254.0.0/16",
  "0.0.0.0/8",
  "::1/128",
  "fc00::/7",
  "fe80::/10",
] as const
```
This behavior makes sense for Budibase Cloud environments but it creates issues for self-hosted environments where API calls to internal/private services are likely common; the current implementation will break any existing local REST calls.
In my environment, I had the following configured (as per BB docs) in both the server and worker containers:
SELF_HOSTED=1
However, requests to services resolving to 10.0.0.0/8 were still blocked due to the requirement of both the SELF_HOSTED variable and the BLACKLIST_IPS variable in the blacklist logic (packages/backend-core/src/blacklist/blacklist.ts):
```ts
function shouldApplyDefaultBlacklist() {
  return !(env.SELF_HOSTED && env.BLACKLIST_IPS !== undefined)
}
```
What I found
The issue can be resolved by explicitly defining the BLACKLIST_IPS environment variable.
For example, either of the following fixed the issue:
SELF_HOSTED=1
BLACKLIST_IPS=
or
SELF_HOSTED=1
BLACKLIST_IPS=192.168.0.0/24
From reviewing the code, the default blacklist is only disabled when both of these conditions are true:
- SELF_HOSTED is enabled
- BLACKLIST_IPS is defined
So in practice, self-hosted deployments now need to explicitly define BLACKLIST_IPS to disable the default blacklist.
I could not find this requirement documented in the self-hosting documentation.
To Reproduce
- Deploy Budibase self-hosted
- Configure environment:
SELF_HOSTED=1
(without defining BLACKLIST_IPS)
- Create a REST datasource to a hostname that resolves to an internal/private address such as 10.x.x.x
- Execute the query
The request fails with:
Cannot connect to URL.
Expected behavior
One of the following would be clearer:
- Self-hosted deployments should not apply the default private IP blacklist unless explicitly enabled.
or
- Documentation should clearly state that self-hosted deployments must define BLACKLIST_IPS to disable the default blacklist.
Additional context
The error message produced by the REST integration is also quite misleading.
Currently the code (packages/server/src/integrations/rest.ts:690) throws:
Cannot connect to URL.
A more descriptive error would make this much easier to diagnose, for example:
URL resolved to a blacklisted IP address.
or
Request blocked by IP blacklist configuration.
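
The gate quoted in the issue, modelled as an added example (not Budibase's code and not written by the issue author) to show which IPv4 addresses end up blocked under each environment setting. Assumptions: BLACKLIST_IPS is parsed as a comma-separated list of CIDRs, IPv6 entries are skipped, and the helper names `ipv4ToInt`, `inCidr`, `effectiveBlacklist` and `isBlocked` are hypothetical.

```javascript
// Default list as quoted in the issue.
const DEFAULT_BLACKLIST = [
  "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
  "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
]

// Same condition as the function quoted from blacklist.ts, with env passed in.
function shouldApplyDefaultBlacklist(env) {
  return !(env.SELF_HOSTED && env.BLACKLIST_IPS !== undefined)
}

// Dotted-quad IPv4 -> unsigned 32-bit number; null for anything else.
function ipv4ToInt(ip) {
  const parts = ip.split(".")
  if (parts.length !== 4) return null
  let n = 0
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null
    n = n * 256 + Number(p)
  }
  return n
}

// IPv4-only CIDR match; IPv6 entries never match in this model.
function inCidr(ip, cidr) {
  const [base, bitsText = "32"] = cidr.split("/")
  const addr = ipv4ToInt(ip)
  const net = ipv4ToInt(base)
  if (addr === null || net === null) return false
  const size = 2 ** (32 - Number(bitsText))
  return Math.floor(addr / size) === Math.floor(net / size)
}

// Assumption: when the default applies, only the default list is used;
// otherwise BLACKLIST_IPS (comma-separated CIDRs) is the whole list.
function effectiveBlacklist(env) {
  if (shouldApplyDefaultBlacklist(env)) return [...DEFAULT_BLACKLIST]
  return env.BLACKLIST_IPS.split(",").map(s => s.trim()).filter(Boolean)
}

// True when the resolved address falls in any effective blacklist range.
function isBlocked(ip, env) {
  return effectiveBlacklist(env).some(cidr => inCidr(ip, cidr))
}
```

In this model, defining BLACKLIST_IPS replaces the default list entirely, so an empty value also stops blocking loopback and link-local ranges. A self-hosted setup that only needs 10.0.0.0/8 reachable can relist the other default ranges in BLACKLIST_IPS instead of leaving it empty.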