Error running query: Can't query private addresses

Hi,

I am trying to call a PRTG API with built in authentication in the URL using the JSON Data Source. I have added the new Data Source with the correct URL and authentication, through the settings. When trying to run a query on the URL, i get this error: Error running query: Can’t query private addresses.

I tried to follow the JSON & URL guide, but i keep getting that error. It also happens when i add the url: https://xxx.xx:someport/jsonApi

Can i setup this in another way or change how i call the URL? When i enter the URL in my browser i get all the data from PRTG as a JSON response.

Thanks in advance :slight_smile:

1 Like

I tried changing the URL to this: https%3A%2F%2Fxxx.xx:someport/jsonApi - then i get this error: Error running query: gethostbyname() argument 1 must be string, not None I guess that only worked for the old URL Data Source?

How did you install Redash?

I used the docker image as described in the documentation :slight_smile:

1 Like

Gotcha. That explains the private address issue. Redash is running in a private network via Docker Compose. Which is why the JSON data source filters out private IP addresses.

You need to add a routing rule to your Docker configuration that passes traffic to and from PRTG.

Well that might sound like a solution for the issue. Do you happen to know, how to implement this routing rule? Or know a place, where i can figure out how to do it? :slight_smile:

Actually the filtering/check happens in the Query Runner implementation:

This is to avoid people using the JSON data source to access information they are not supposed to, like AWS metadata API.

Happy to accept a PR that makes this behavior configurable with an environment variable. Just note that if you disable this check, you need to trust whoever you allow running queries in your system.

2 Likes

Well, a little confused :slight_smile:

Should i go for the method @jesse told me with the private networking or look into changing the environment variable?

What @jesse mentioned won’t help, as this is not a setup/Docker issue, but rather an intentional filter in our code.

And just to clarify: there is no environment variable to control this behavior, I was just suggesting adding one.

Ahh okay, then i get it. So, my question is now - how can I add this environment variable in order to control that behavior? I am the only user, so no chance of any users executing stuff they should not execute :slight_smile:

@arikfr I think he could just comment out those Python lines.

Sort of: he needs to build a new Docker image or mount the updated file into his Docker image.

Something along the lines of:

  1. Take redash/query_runner/json_ds.py and modify it to support private addresses (i.e. remove lines 180-181).
  2. Place the file in /opt/redash (or wherever).
  3. Update docker-compose.yml to mount a volume of this file and place it in /app/redash/query_runner/json_ds.py.
1 Like

Thank you very much @arikfr, i will try what you suggest and let you guys know what i ended up with. :slight_smile:

Hi,

Could you please give an example of the docker-compose file? I tried following and it doesn’t work.

I am not an expert on docker and not able to find the right syntax for me to use.

services:
server:
<<: *redash-service
command: server
ports:
- “5000:5000”
environment:
REDASH_WEB_WORKERS: 4
volumes:
- ./json_ds.py:/app/redash/query_runner/json_ds.py

Here seems to be an undocumented configuration for this already in the latest release@v10.0.0:
REDASH_ENFORCE_PRIVATE_IP_BLOCK
See code: redash/redash/settings at 143d22db04a9058966b8c7d678b06f228b937326 · getredash/redash · GitHubinit.py#L80

Good syntax. Need to check rights of this file, must be same userid as inside container (1000 ?).
And after, still not working on my side because file is mounted to late and is not the one used at startup (restart nginx container only has no effect). But when going inside container + cat the file, it’s the good version.

Hello,
when I address an external API with the JSON connection, I get the error message:
“Error running query: Proxies cannot be used with Advocate”.

Is this problem also related to the “REDASH_ENFORCE_PRIVATE_IP_BLOCK” setting?

many thanks