Peertube Federation error: The IP of the domain is reserved

Hello!
Deployed 2 Peertube instances (on-premise, not published to the Internet) in our local network and can’t cross-federate them. Receiving an error.

After running this command against peertube.log:

    cd /var/www/peertube/peertube-latest && sudo -u peertube NODE_CONFIG_DIR=/var/www/peertube/config NODE_ENV=production npm run parse-log -- --level debug --not-tags http sql

I see an error after trying to add "Following" in "Federation":
[mediaserver-02.domain.local:443] 7/31/2025, 11:25:24 AM.906 warn: Do not follow peertube@mediaserver-01.domain.local:443 because we could not find the actor URL (in database or using webfinger) {
  "err": {
    "stack": "RequestError: The IP of the domain is reserved!\n at Request._beforeError (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:189:21)\n at Request.flush (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:178:18)\n at protect (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got-ssrf/dist/index.js:57:15)\n at async Request._makeRequest (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:823:28)\n at async Request.flush (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:164:13)",
    "name": "RequestError",
    "requestHeaders": {
      "user-agent": "PeerTube/7.2.3 (+https://mediaserver-02.domain.local)",
      "date": "Thu, 31 Jul 2025 06:25:24 GMT",
      "accept": "application/json",
      "accept-encoding": "gzip, deflate, br"
    },
    "requestUrl": "https://mediaserver-01.domain.local/.well-known/nodeinfo",
    "requestMethod": "GET"
  }
}

mediaserver-01.domain.local:443 ← NETWORK is OK → mediaserver-02.domain.local:443
These two servers can resolve each other properly through the DNS server.

Could you please help me understand what this error means?

I found that this message text ('The IP of the domain is reserved') comes from /var/www/peertube/peertube-latest/node_modules/got-ssrf/dist/index.js:

    // Another layer of protection against SSRF - ensure we're not hitting internal services.
    // Try to match "reserved" IP ranges: https://en.wikipedia.org/wiki/Reserved_IP_addresses
    // https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html#case-2-application-can-send-requests-to-any-external-ip-address-or-domain-name
    // The function returns 'unicast' or the name of the reserved IP range, should it match any.
    // This in effect blocks all private IP Range: https://git.io/JWy3u, https://git.io/JWy3b
    // We use ip.process() here to deal with potentially IPv4-mapped IPv6 addresses (which will show up as "ipv4mapped"
    // and not the whatever range the actual IPv4 address actually belongs to).
    if (ip.process(IP).range() !== 'unicast')
        throw new Error('The IP of the domain is reserved!');

As I understand it, my hosts are not passing the SSRF check…
How can I 'whitelist' them? My hosts have IPs from different subnets.
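
Why hosts on an internal network trip the guard quoted above, as an added example that is not part of the original post and is not got-ssrf's or PeerTube's code. It is a simplified classifier over a constructed subset of reserved IPv4 ranges, run on constructed sample addresses; `V4_RANGES`, `classify` and `wouldBlock` are hypothetical names, and native IPv6 is out of scope.

```javascript
// Constructed subset of reserved IPv4 ranges (illustrative, not the ipaddr.js table).
const V4_RANGES = [
  ['unspecified', '0.0.0.0', 8],
  ['private', '10.0.0.0', 8],
  ['carrierGradeNat', '100.64.0.0', 10],
  ['loopback', '127.0.0.0', 8],
  ['linkLocal', '169.254.0.0', 16],
  ['private', '172.16.0.0', 12],
  ['private', '192.168.0.0', 16],
  ['multicast', '224.0.0.0', 4],
  ['reserved', '240.0.0.0', 4],
];

// Dotted quad -> unsigned 32-bit number, or null if it is not a valid IPv4 literal.
function v4ToInt(text) {
  const parts = text.split('.');
  const ok = parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

// Unwrap IPv4-mapped IPv6 ("::ffff:a.b.c.d" or "::ffff:hhhh:hhhh") so the embedded
// IPv4 address is what gets classified, the case the quoted comment calls out.
function unwrapMapped(addr) {
  const m = /^::ffff:(.+)$/i.exec(addr);
  if (!m) return addr;
  const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/i.exec(m[1]);
  if (!hex) return m[1];
  const n = parseInt(hex[1], 16) * 65536 + parseInt(hex[2], 16);
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// Name of the first matching range, or 'unicast' when none matches.
function classify(addr) {
  const n = v4ToInt(unwrapMapped(addr.trim()));
  if (n === null) return 'unparsed'; // native IPv6 or junk: not modelled, fails closed
  for (const [name, base, bits] of V4_RANGES) {
    const start = v4ToInt(base);
    if (n >= start && n < start + 2 ** (32 - bits)) return name;
  }
  return 'unicast';
}

// Same decision as the quoted guard: anything that is not 'unicast' is refused.
function wouldBlock(addr) { return classify(addr) !== 'unicast'; }

// Constructed sample addresses: an internal host in three notations, then a public one.
for (const a of ['10.20.1.15', '::ffff:10.20.1.15', '::ffff:0a14:010f', '8.8.8.8']) {
  console.log(a, classify(a), wouldBlock(a) ? 'blocked' : 'allowed');
}
```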

Hello,

Update prevent_ssrf in your config: PeerTube/config/default.yaml at develop · Chocobozzz/PeerTube · GitHub

1 Like

Hello! Thanks, it helps!

But I am now receiving the following error on one of the instances:

{
  "err": {
 "stack": "RequestError: self-signed certificate in certificate chain\n at ClientRequest.<anonymous> (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:673:107)\n at Object.onceWrapper (node:events:639:26)\n at ClientRequest.emit (node:events:536:35)\n at emitErrorEvent (node:_http_client:101:11)\n at TLSSocket.socketErrorListener (node:_http_client:504:5)\n at TLSSocket.emit (node:events:524:28)\n at emitErrorNT (node:internal/streams/destroy:169:8)\n at emitErrorCloseNT (node:internal/streams/destroy:128:3)\n at process.processTicksAndRejections (node:internal/process/task_queues:82:21)\n at TLSSocket.onConnectSecure (node:_tls_wrap:1677:34)\n at TLSSocket.emit (node:events:524:28)\n at TLSSocket._finishInit (node:_tls_wrap:1076:8)\n at ssl.onhandshakedone (node:_tls_wrap:862:12)",
...

Our SSL certificates are signed by an internal corporate CA. How can I resolve the error above in this situation?

And on another instance I am receiving a "Bad response: 503" error:

[mediaserver-01.domain.local:443] 8/1/2025, 10:41:40 AM.138 warn: Do not follow peertube@mediaserver-02.domain.local:443 because we could not find the actor URL (in database or using webfinger) {
  "err": {
 "stack": "RequestError: Bad response: 503\n at ClientRequest.<anonymous> (file:///var/www/peertube/versions/peertube-v7.2.3/node_modules/got/dist/source/core/index.js:673:107)\n at Object.onceWrapper (node:events:622:26)\n at ClientRequest.emit (node:events:519:35)\n at emitErrorEvent (node:_http_client:104:11)\n at _destroy (node:_http_client:898:9)\n at onSocketNT (node:_http_client:918:5)\n at process.processTicksAndRejections (node:internal/process/task_queues:91:21)\n at ClientRequest.<anonymous> (file:///var/www/peertube/versions/peertube-v7.2.3/dist/core/helpers/hpagent.js:100:26)\n at Object.onceWrapper (node:events:622:26)\n at ClientRequest.emit (node:events:507:28)\n at Socket.socketOnData (node:_http_client:598:11)\n at Socket.emit (node:events:507:28)\n at addChunk (node:internal/streams/readable:559:12)\n at readableAddChunkPushByteMode (node:internal/streams/readable:510:3)\n at Readable.push (node:internal/streams/readable:390:5)\n at TCP.onStreamRead (node:internal/stream_base_commons:189:23)",
 "name": "RequestError",
 "requestHeaders": {
   "user-agent": "PeerTube/7.2.3 (+https://mediaserver-01.domain.local)",
   "date": "Fri, 01 Aug 2025 05:41:40 GMT",
   "accept": "application/json",
   "accept-encoding": "gzip, deflate, br",
   "host": "mediaserver-02.domain.local"
 },
 "requestUrl": "https://mediaserver-02.domain.local/.well-known/nodeinfo",
 "requestMethod": "GET"
  }
}

So many errors with local federation…(

Maybe try node.js - How to add custom certificate authority (CA) to nodejs - Stack Overflow

These parameters in the peertube.service service helped:

Environment=NODE_EXTRA_CA_CERTS=/etc/ssl/certs/mediaserver-chain.pem
Environment=NODE_OPTIONS=--use-openssl-ca

Federation is fully working now. Thanks a lot for the help!

2 Likes