added any as valid value for the trusted_proxy adjustable #224

Merged
merged 2 commits into from
Dec 13, 2018

Contributor

@Estartu Estartu commented Dec 12, 2018

Background is when waitress is running inside a container, any
request originates from the gateway of the container network, not
from the outside IP. The container network changes every time the
container is restarted to a random new network number. So setting one
IP as trusted_proxy isn't possible but still needed as most of the time
a reverse proxy is between the client and the container. So if it's
ensured that only requests from the reverse proxy can reach the
container, trusting any host is not a problem.

@digitalresistor
Member

I would prefer not to use something that could potentially be a valid remote_peer. I would accept this if it was changed to use * instead.

@Estartu
Contributor Author

Estartu commented Dec 13, 2018

remote_peer is an IP address and any is neither a valid IPv4 nor IPv6 address. I don't see a potential mixup. But I have no problem in changing it. I will update the pull request shortly.

@digitalresistor
Member

remote_peer may also be set to localhost for instance in the unix socket case. There was also a case whereby remote_peer may go through a reverse DNS lookup which could potentially return a hostname, but I may be mistaking that with the address we listen to.

Either way, thank you for changing it.

@digitalresistor digitalresistor merged commit 01ae680 into Pylons:master Dec 13, 2018
digitalresistor added a commit that referenced this pull request Dec 31, 2018
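
The trade-off discussed in this thread, as an added example that is not waitress's code and not part of the pull request: a simplified model of when a forwarded header is honoured for a given peer. The helper names, the choice of `X-Forwarded-Proto` as the header, and the sample addresses are assumptions made for illustration.

```python
# Added illustration: a simplified model of the trust decision discussed in
# this thread. It is not waitress's implementation.

WILDCARD = "*"  # value the PR settled on; not a valid IP address or hostname


def peer_is_trusted(remote_peer, trusted_proxy):
    """Should forwarded headers sent by remote_peer be honoured?"""
    if trusted_proxy is None:          # no proxy configured: trust nobody
        return False
    if trusted_proxy == WILDCARD:      # trust whoever connects
        return True
    return remote_peer == trusted_proxy  # exact match, e.g. an IP or "localhost"


def effective_scheme(remote_peer, headers, trusted_proxy, default="http"):
    """URL scheme the application would see (hypothetical helper)."""
    if peer_is_trusted(remote_peer, trusted_proxy):
        proto = headers.get("X-Forwarded-Proto", "").strip().lower()
        if proto in ("http", "https"):
            return proto
    return default  # header ignored: fall back to the socket's own scheme


def demo():
    """Run constructed requests through three settings of trusted_proxy."""
    hdr = {"X-Forwarded-Proto": "https"}
    # Constructed peers: the container gateway before and after a restart,
    # and a host that reaches the container port without going via the proxy.
    peers = {
        "gateway_before": "172.18.0.1",
        "gateway_after": "172.19.0.1",
        "direct_peer": "203.0.113.7",
    }
    rows = []
    for setting in (None, "172.18.0.1", WILDCARD):
        for label, peer in peers.items():
            rows.append((setting, label, effective_scheme(peer, hdr, setting)))
    return rows


if __name__ == "__main__":
    for setting, label, scheme in demo():
        print(f"trusted_proxy={setting!r:14} {label:15} -> {scheme}")
```

With `*`, the `direct_peer` row also yields `https`, which is why the setting depends on the network allowing only the reverse proxy to reach the container.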