
fix(middleware): exempt health probes from trusted-host check #3

Merged: galuszkm merged 2 commits into main from fix/mg/health-check-prod on Jul 2, 2026


@galuszkm galuszkm commented Jul 2, 2026

Member

Description

Production deployments with a restricted TRUSTED_HOSTS (no wildcard) were broken in two ways:

  1. ALB health probes rejected - target-group health checks reach the container via its private IP, so the Host header is never in TRUSTED_HOSTS. TrustedHostMiddleware returns 400, the ALB marks the target unhealthy, and the service never becomes available. Fixed by introducing HealthExemptTrustedHostMiddleware that bypasses host validation only for /health and /ready; all other requests remain strictly enforced.

  2. Docker build failing - hatchling requires LICENSE and README.md to be present when building the wheel (both are declared in pyproject.toml). Neither was copied into the builder stage.

Bonus fix: login.html referenced login.css, which the Vite build never emits - changed to the right one: index.css

Related Issues

N/A

Type of Change

  • Bug fix

Testing

How have you tested the change?

  • I ran uv run just check (lint + type check)
  • I ran uv run just test for overall testing
  • I added or updated tests that prove my fix is effective or my feature works
  • I verified existing examples in examples/ still work

Manual verification: started the container with TRUSTED_HOSTS set to a specific hostname (no wildcard), confirmed /health and /ready return 200 when hit by container IP, and confirmed all other paths with an untrusted Host header still receive 400.

Checklist

  • I have read the CONTRIBUTING document
  • I have updated the documentation accordingly
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

galuszkm added 2 commits July 2, 2026 21:18
- Add HealthExemptTrustedHostMiddleware to bypass validation only on /health and /ready. For ALB probes hitting the container by private IP - in prod we forbid wildcard on TRUSTED_HOSTS
- Fix Docker build and broken login.css reference in the login template.
@galuszkm galuszkm merged commit f4fd530 into main Jul 2, 2026
8 checks passed
@galuszkm galuszkm deleted the fix/mg/health-check-prod branch July 2, 2026 19:34
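
An added sketch of the exemption the PR description describes, written as a dependency-free ASGI middleware so the exact-path behaviour can be checked in isolation. It is not the project's HealthExemptTrustedHostMiddleware; the class name, `ok_app` and `probe` are hypothetical.

```python
import asyncio

EXEMPT_PATHS = frozenset({"/health", "/ready"})  # the two probe paths named in the PR

class HealthExemptHostCheck:
    """Hypothetical pure-ASGI host allowlist that skips validation on probe paths only."""

    def __init__(self, app, allowed_hosts, exempt_paths=EXEMPT_PATHS):
        self.app = app
        self.allowed = {h.lower() for h in allowed_hosts}
        self.exempt = frozenset(exempt_paths)

    async def __call__(self, scope, receive, send):
        kind = scope["type"]
        if kind not in ("http", "websocket"):
            return await self.app(scope, receive, send)  # e.g. lifespan events
        # Exact match on the parsed path: "/health/" or "/healthz" stay enforced.
        if kind == "http" and scope["path"] in self.exempt:
            return await self.app(scope, receive, send)
        raw = dict(scope["headers"]).get(b"host", b"").decode("latin-1")
        host = raw.split(":")[0].lower()  # drop the port; IPv6 literals not handled
        if host in self.allowed:
            return await self.app(scope, receive, send)
        if kind == "websocket":
            return await send({"type": "websocket.close", "code": 1008})
        await send({"type": "http.response.start", "status": 400, "headers": []})
        await send({"type": "http.response.body", "body": b"Invalid host header"})

async def ok_app(scope, receive, send):
    """Stand-in for the real application: answers 200 to everything."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})

def probe(app, path, host):
    """Send one constructed GET through the ASGI app and return the status code."""
    sent = []
    scope = {"type": "http", "path": path, "headers": [(b"host", host.encode())]}

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]
```

With constructed values, `probe(HealthExemptHostCheck(ok_app, ["app.example.com"]), "/health", "10.0.3.17:8000")` returns 200, while the same Host on `/` or `/health/` returns 400. Because the exempt paths answer any Host, their handlers should return nothing beyond liveness status.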