@ScyDev
@ScyDev ScyDev commented Nov 4, 2020

Bind admin UI to 0.0.0.0 to allow Docker containers to properly forward to that port.

What does it do?

Binding port 8000 to 0.0.0.0 instead of localhost.

Why is it needed?

In order for Docker containers to be able to forward to that port. Docker can't forward to ports that are bound to localhost.

Related issue(s)/PR(s)

None.

@codecov
codecov bot commented Nov 4, 2020

Codecov Report

Merging #8573 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #8573   +/-   ##
=======================================
  Coverage   33.25%   33.25%           
=======================================
  Files        1221     1221           
  Lines       13636    13636           
  Branches     1359     1359           
=======================================
  Hits         4535     4535           
  Misses       8217     8217           
  Partials      884      884           
Flag Coverage Δ
front 24.70% <ø> (ø)
unit 54.63% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6455734...37842a6. Read the comment docs.

bind admin UI to 0.0.0.0 to allow Docker containers to properly forward to that port.

Signed-off-by: Lukas Sägesser <lukas.saegesser@scydev.ch>
@ScyDev ScyDev force-pushed the ScyDev-bind-admin-to-0.0.0.0 branch from bb525b4 to 37842a6 Compare November 4, 2020 15:57
Member

@derrickmehaffy derrickmehaffy left a comment

@strapi/maintainers Is this needed since the user can configure it via the ./config/server.js ?

@ScyDev
Author

ScyDev commented Nov 5, 2020

@derrickmehaffy I would ask if there is a good reason why it should only bind to localhost in dev mode?

@derrickmehaffy
Member

> @derrickmehaffy I would ask if there is a good reason why it should only bind to localhost in dev mode?

I would say security and typical standard practice, the assumption generally being if you are working on something in a development mode it runs locally in a sheltered environment.

I do understand why you need it to bind to the docker interface, but that's why we have the config option. (Which can also be set by environment variables)

@ScyDev
Author

ScyDev commented Nov 6, 2020

@derrickmehaffy Ok, I can live with the config option. But leaves me wondering, why would that be a security concern for the local, sheltered dev environment, but then for production it binds to 0.0.0.0 by default?

@derrickmehaffy
Member

> @derrickmehaffy Ok, I can live with the config option. But leaves me wondering, why would that be a security concern for the local, sheltered dev environment, but then for production it binds to 0.0.0.0 by default?

You have far more control over the environment you're deploying in (and we had issues with users not reading the docs when deploying to Heroku and other PaaS services).

Whereas it's certainly not uncommon for you to be in a coffee shop on public WiFi to just be broadcasting an insecure application all over it.

Docker itself has had issues with blowing holes in Linux/Mac firewalls if you don't explicitly set it to only bind on 127.0.0.1 on the host.

But the same applies here as it does in your case, there are configuration options and all can be set by environment variables.
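
An added example, not part of the original thread or of the Strapi code base: a small audit of Docker publish specs (the short `-p` / compose `ports:` syntax) that reports which entries expose a port on every host interface rather than only on 127.0.0.1, the case raised in the comment above. The function names and the sample list are hypothetical, and it assumes the Docker daemon's default publish address has not been changed, so a spec without a host IP is published on all interfaces.

```javascript
// Added example: flag Docker publish specs that expose a port on every host interface.
const WILDCARD = new Set(['', '0.0.0.0', '::']);      // '' = no host IP given in the spec
const LOOPBACK = /^(127(\.\d{1,3}){3}|::1)$/;         // 127.0.0.0/8 and IPv6 loopback
const PORT = /^\d+(-\d+)?$/;                          // single port or a port range

// Parse the short syntax "[HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]".
function parsePublish(spec) {
  const [mapping, proto = 'tcp'] = spec.trim().split('/');
  let hostIp = '';
  let rest = mapping;
  if (rest.startsWith('[')) {                         // bracketed IPv6 host address
    const end = rest.indexOf(']');
    if (end === -1) throw new Error(`unterminated IPv6 address in "${spec}"`);
    hostIp = rest.slice(1, end);
    rest = rest.slice(end + 1).replace(/^:/, '');
  }
  const parts = rest.split(':');
  if (parts.length === 3 && hostIp === '') hostIp = parts.shift();
  const containerPort = parts.pop();
  const hostPort = parts.pop() || null;               // null: Docker picks the host port
  if (parts.length > 0 || !PORT.test(containerPort) || (hostPort && !PORT.test(hostPort))) {
    throw new Error(`unrecognised publish spec "${spec}"`);
  }
  return { hostIp, hostPort, containerPort, proto };
}

// Classify where on the host the published port will listen.
function exposure(spec) {
  const { hostIp } = parsePublish(spec);
  if (WILDCARD.has(hostIp)) return 'all-interfaces';
  if (LOOPBACK.test(hostIp)) return 'loopback-only';
  return 'single-interface';
}

// Return only the specs that listen on every host interface.
function auditPublish(specs) {
  return specs.filter((spec) => exposure(spec) === 'all-interfaces');
}

// Constructed sample: "ports:" entries as they might appear in a compose file.
const SAMPLE_PORTS = [
  '8000:8000',                 // no host IP: published on all interfaces
  '127.0.0.1:8000:8000',       // loopback only
  '0.0.0.0:8080:8080',         // explicit wildcard
  '[::1]:8000:8000/tcp',       // IPv6 loopback
  '192.168.1.20:8000:8000',    // one specific interface
];
console.log(auditPublish(SAMPLE_PORTS));
```
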

@derrickmehaffy
Member

I'm going to mark the PR as closed as I think the topic has been discussed enough to where we don't need this change.

@ScyDev
Author

ScyDev commented Nov 6, 2020

Agreed, thanks for the discussion.

@derrickmehaffy
Member

This pull request has been mentioned on Strapi Community Forum. There might be relevant details there:

https://forum.strapi.io/t/missing-open-the-administration-button-when-running-locally/9455/8
