Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docs: clarify how to use proxy-headers with unix sockets #713

Closed
PeterJCLaw opened this issue Jul 10, 2020 · 2 comments · Fixed by #796
Closed

Docs: clarify how to use proxy-headers with unix sockets #713

PeterJCLaw opened this issue Jul 10, 2020 · 2 comments · Fixed by #796
Labels
docs Improve documentation

Comments

@PeterJCLaw
Copy link
Contributor

It would be great if it could be documented that when using a unix socket the client address which ProxyHeadersMiddleware gets will be None and that you therefore need to pass * as the trusted hosts to get the proxy headers to work.

Even better would be for the proxy headers to "just work" when using a unix socket, in the same way that ProxyHeadersMiddleware trusts localhost by default, though I suspect that may be more involved.
@euri10 euri10 added the docs Improve documentation label Sep 29, 2020
@euri10
Copy link
Member

euri10 commented Sep 29, 2020

would be a good addition yes, PR welcome @PeterJCLaw :)

@PeterJCLaw
Copy link
Contributor Author

So I had a quick look into the internals here and I can't see an easy way to be confident in the middleware that the connection is a unix socket.

I think that ideally we'd get something in scope['client'] which would tell us that, however the ASGI spec defines that value to be either a 2-tuple (host, port) or None which kinda rules that out.
While uvicorn does pass None there for a unix socket, it seems to also be the case that various error conditions in uvicorn.protocols.utils.get_remote_addr could cause it to be None for other reasons. Certainly as this is somewhat security sensitive I think I'd want to have actively determined that we're looking at a unix socket, rather than merely not a happy-path network socket.

scope['server'] might hold more promise, though uvicorn.protocols.utils.get_local_addr also seems to have some soft fallback logic which I'm unsure of.

Is there something I'm missing here which might make this possible, or is documenting the behaviour the only solution? (I'm happy to look at doing that anyway, just would be nice for it to work automatically)

PeterJCLaw added a commit to PeterJCLaw/uvicorn that referenced this issue Oct 3, 2020
@PeterJCLaw
Note the need to configure trusted "ips" when using unix sockets
21f7c99 
It is unfortunately non-obvious that when using an unix socket,
clients connecting to that socket are not trusted as a source
of headers for proxying to the underlying application.

Fixes encode#713
PeterJCLaw added a commit to PeterJCLaw/uvicorn that referenced this issue Oct 3, 2020
@PeterJCLaw
Note the need to configure trusted "ips" when using unix sockets
7abe28a 
It is unfortunately non-obvious that when using an unix socket,
clients connecting to that socket are not trusted as a source
of headers for proxying to the underlying application.

Fixes encode#713
@PeterJCLaw PeterJCLaw mentioned this issue Oct 3, 2020
Merged
euri10 pushed a commit that referenced this issue Oct 4, 2020
@PeterJCLaw
Note the need to configure trusted "ips" when using unix sockets (#796)
a504c56 
It is unfortunately non-obvious that when using an unix socket,
clients connecting to that socket are not trusted as a source
of headers for proxying to the underlying application.

Fixes #713
cr313 added a commit to cr313/py-project-uvicorn that referenced this issue Apr 19, 2024
@cr313
Note the need to configure trusted "ips" when using unix sockets (#796)
47765be 
It is unfortunately non-obvious that when using an unix socket,
clients connecting to that socket are not trusted as a source
of headers for proxying to the underlying application.

Fixes encode/uvicorn#713
Kludex pushed a commit to Kludex/jik that referenced this issue Aug 14, 2024
@PeterJCLaw
Note the need to configure trusted "ips" when using unix sockets (#796)
d6d2279 
It is unfortunately non-obvious that when using an unix socket,
clients connecting to that socket are not trusted as a source
of headers for proxying to the underlying application.

Fixes encode/uvicorn#713
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
docs Improve documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Note the need to configure trusted "ips" when using unix sockets PeterJCLaw/uvicorn
2 participants
@PeterJCLaw @euri10