it would be good to have a development option to allow this, for testing federation for example. Perhaps an allow list of specific internal domain names to allow.

GitLab has implemented a logic similar to this, where by default they block domains resolving to local networks, but having a whitelist for both domains and IPs (domains - regardless of the actual target IP)

https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/30350

httpx.Client is used in about a half dozen places, and HttpSignature in a half dozen more. (Honestly, I was expecting more.)

My suggestion is to make an httpx wrapper client that encapsulates all the fedi HTTP client extensions. So far, that's:

• Signed requests (either when asked, or defaulting to the system actor)
• Locking out IP ranges (I would suggest defaulting to every range mentioned in https://en.wikipedia.org/wiki/Reserved_IP_addresses )

Future additions might include:

• HTTP/2 support
• Async support
• Tracing pass through
• Tor Onion/IPFS/etc support

My plan was to instead do all of this in https://github.com/jointakahe/taktivitypub so it's reuseable

Oh. Did you want #679?

If you can make #679 roughly net-neutral in terms of code (i.e. remove the existing signing in the same PR) that's good to me. I don't know what the timeline would be for adding into the other thing.