Profile Link Verification fails


#1

Dear Mastodon developers!

We’re a internet club called “Anoxinon e.V.” and we’re running a Mastodon instance at https://social.anoxinon.de. Unfortunately the “Verified Profile Links” feature is broken since we moved the instance to another server several weeks ago.

The issue

The issue is as follows:

The problem on the social.anoxinon.me instance does only occur when the site “anoxinon.de” should be verified. At the same time verification to anoxonin.de does work on other instances. So it’s only the combination “social.anoxinon.de” and “anoxinon.de” (Website) which does not work. All the other combinations do work.

What we’ve tried

#1

We used curl to retrieve the web site’s content from the server. Loigged into the user account that is used by the Mastodon instance and issued:

curl -4 https://anoxinon.de | grep rel=\"me\"
curl -6 https://anoxinon.de | grep rel=\"me\"

To check the content retrieved from the web server via IPv4 and v6 respectively. In both cases We retrieved the expected “rel=me” link lines in the source code. At the same time verification on other Mastodon instances did work here - so we’re sure that there was no mistake made while embedding the link snippet into the source code.

Our curl test proves that Mastodon should be able to retrieve the correct source code and make the verification succeed.

#2

We checked the anoxinon.de web server logs after we tried to verify a website on Mastodon. We could see a successful HTTP request coming from the Mastodon instance to the correct vHost and the correct page.

#3

We checked the Mastodon logs. All we could see was:

[...] LinkCrawlWorker [...] INFO: start
[...] LinkCrawlWorker [...] INFO: done: 0.002 sec

#3

  • Several server and instance restarts
  • Flushing Redis (not sure if this helps)

What now?

We’ve searched and tried different approaches to find the error, but after lots of hours we’re about to give up. We have one hope left: Maybe somebody of the Mastodon developers can give us a hint? Maybe somebody has a clue how this feature works and where possible pitfalls are?

Maybe this is some sort of caching issue? How can we resolve it? What else could be check?

We’d very much appreciate any kind of help from the Mastodon community :slight_smile:

We’re running mastodon 2.7.3 on Debian Stretch


#2

my GUESS is that this is a consequence of the security restrictions that are in place to prevent localhost rebinding attacks, where mastodon is tricked into sending a payload to an arbitrary program over the loopback interface. if those two hosts (social.anoxion.de and anoxion.de) are both on the same physical server, then this is unfortunately expected behavior.


#3

Thanks for your guess, @nightpool. The Mastodon instance and the anoxinon.de website are on different Virtual Machines, but on the same private network (same subnet). So this shouldn’t be an issue.


closed #4

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.