Accept server connections from any origin

[mrocklin]

I get errors like the following from my bokeh server application:

bokeh.server.views.ws - ERROR - Refusing websocket connection from Origin 'http://127.0.0.1:8789';                       use --allow-websocket-origin=127.0.0.1:8789 to permit this; currently we allow origins {'localhost:8789'}

There may be two problems here:

1. (minor) localhost is often synonymous with 127.0.0.1. It might be good to whitelist 127.0.0.1 generally.
2. (major) I have started my Bokeh server with the argument Server(..., host=['*']) which in previous versions ensured that my server could be accessed regardless of what the caller called my server address.

The second point is more important to me (and to others). It is critical in many applications to be able to robustly view a bokeh server even if we don't know, at the time of setting up the server, what that server's address will be. This was the intent of #4052

In [2]: bokeh.__version__
Out[2]: '0.12.5dev15'

[bryevdv]

@mrocklin in 0.12.5 the host argument is no longer needed, and is now completely ignored. (It hasn't been completely removed, so as not to break people's code unnecessarily) See

#5979

What you may possibly need if you are running the server programmatically, and using autoload_server to embed the output into a page from some other app server (e.g. a Flask page), is to pass relative_urls=False:

https://github.com/bokeh/bokeh/blob/master/examples/howto/server_embed/flask_embed.py#L42

So I'm not sure what you are asking for with bullet 2? The message you are seeing is purely about ws connections, and not at all about host whitelisting (which does not happen anymore at all, we scrubbed the codebase of any use of request.host so it is no longer a necessary precaution)

I think adding both localhost and 127.0.0.1 could be simple and reasonable tho I am not aware of any recent change that could cause bokeh to care about the distinction. It would be good to know what if any change in bokeh precipitated this.

[mrocklin]

I'm not using any other system like Flask. I'm only using Bokeh. Here is how I start bokeh servers:

https://github.com/dask/distributed/blob/master/distributed/bokeh/core.py#L18-L25

                self.server = Server(self.apps, io_loop=self.loop,
                                     port=port, address=ip, host=['*'],
                                     check_unused_sessions_milliseconds=500,
                                     )
                    self.server.start()

[mrocklin]

Then, when I connect to my server from a web browser using a hostname like myhostname:myport/mypage things fail unless myhostname is set to localhost.

[mrocklin]

@bryevdv and I chatted about this privately. On my side I can add allow_websocket_origin=["*"] to my application. Bokeh may dump the old hosts= keyword into allow_websocket_origin= to facilitate a smoother transition if developer time allows.

My fix in Dask is here: dask/distributed#957

[bryevdv]

After discussion with @mrocklin the problem was discovered. Previously --host=* updated the host whitelist, but it also updated the allow_websocket_origin as a side effect. Now that it is completely ignored, anything that relied on --host=whatever to allow ws connections too, will have a probelm.

So the proposal is this:

Don't completely ignore host. But simply immediately transfer its contents to the allow_websocket_origin so that old usages will not break. The deprecation message should be updated to reflect that --allow_websocket_origin may now be explicitly needed.

[bryevdv]

@bokeh/dev this seems important I intend to try to make a very small PR for it