Mattermost, Inc.

Error app/webhook.go:110 address forbbiden

Summary

I am using dockers mattermost-preview image, and I am trying to connect it with a RASA bot, but when sending a message I get the following error in the log:
{“level”:“error”,“ts”:1585045803.1958508,“caller”:“app/webhook.go:110”,“msg”:“Event POST failed.”,“error”:“Post http://localhost:5005/webhooks/mattermost/webhook: address forbidden, you may need to set AllowedUntrustedInternalConnections to allow an integration access to your internal network”}

I already added localhost to AllowedUntrustedInternalConnections but still keep getting this error.

In the bot server I am not receiving anything.

Steps to reproduce

Run dockers mattermost-preview image, set up a bot account and an outgoing webhook, declare mattermost url, bot username, token and webhook url in RASA credentials.yml file.

Expected behavior

I updated the config.json file and added localhost into AllowedUntrustedInternalConnections and I would expect to at least get a message in the RASA log, but I keep getting the address forbidden message.

Observed behavior

When sending a message to a group where the bot is a member using ‘@botname’ and the message I get the error message I pasted in the summary above. Also when trying to send a direct message to it I get no response or error message. I am using https://localhost:8065/teamName/api/v4, the name of the bot as user, the bot token and https://localhost:8065/webhooks/mattermost/webhook as the webhook url. For the outgoing webhook in mattermost I am using http://localhost:5005/webhooks/mattermost/webhook, this is the RASA server address for the bot.

Hey Daniel,
can you enable insecure outgoing connections and try again? Environment -> Webserver

Hi Marco,
I have it enabled, but keep getting the error.

Hi @danielha23,

Add localhost to the Allow Untrusted Internal Connections To setting. For security, Mattermost prevents connections to local domains - 127.0.0.1, 192. and 10. networks, and domains that resolve to those IP addresses - from webhooks, slash commands and other actions users can take. So if you want a webhook to go to one of those IP addresses you need to add it there.

Note to self: Always read the whole thread

Hi @paulrothrock,

So then I have to add the complete webhook address? Because I already have added the localhost as an Allowed Untrusted Internal Connection.

Sorry, I missed that. :man_facepalming: I’ll replicate it and file a bug ticket

@danielha23

In my replication environment I set the Allow Untrusted Internal Connections to 127.0.0.1 localhost and my webhook was working. If that doesn’t work, what version of Mattermost are you using?

@paulrothrock

image

I just added like that but I keep getting the error. I have dockers mattermost-preview image, it is version 5.18.0-rc1

I just tried it using the Mattermost Preview image. With the default setting for Allow Untrusted Internal Connections - "" - I got the same error you saw. When I set it to 127.0.0.1 localhost I received this error:

{"level":"error","ts":1585095118.2333198,"caller":"app/webhook.go:110","msg":"Event POST failed.","error":"Post http://localhost:5005/webhook: dial tcp 127.0.0.1:5005: connect: connection refused"}

This shows that it was able to attempt the connection and wasn’t filtered because it was directed to an internal address. (My docker image isn’t set up to access my host and I don’t have a service running on port 5005 on the docker machine.) I also have EnableInsecureOutgoingConnections set to false.

Can you verify that Allow Insecure Connections is set to the correct values in the System Console?