> On Jan 7, 2019, at 17:18, Bert JW Regeer <[email protected]> wrote: > > > >> On Jan 7, 2019, at 16:29, Jonathan Vanasco <[email protected] >> <mailto:[email protected]>> wrote: >> >> >> >> On Monday, January 7, 2019 at 5:00:43 PM UTC-5, Jonathan Vanasco wrote: >> >> It would be nice if that functionality could be implemented as middleware >> when not running the waitress server. >> >> This release broke our dev systems from the wsgi manipulation. The issue was >> this line to the nginx config from the instructions: >> >> proxy_set_header X-Forwarded-Host $host:$server_port; >> >> While the the `:$server_port` bit appears in many tutorials and docs on some >> projects, it isn't part of a standard or a standard/requirement. Even >> nginx's official docs has conflicting usage patterns with it: > > $server_port is only required if you are not using a default port, so that > the `X-Forwarded-Host` contains the port number. Browsers by default will > already send a host header like this: > > Host: example.com:8080 <http://example.com:8080/> > > If the URL is: > > https://example.com:8080/ <https://example.com:8080/> > > I am not sure if NGINX forwards the port with the host in the $host variable > or not. I can remove it from the docs.
According to https://stackoverflow.com/questions/15414810/whats-the-difference-of-host-and-http-host-in-nginx <https://stackoverflow.com/questions/15414810/whats-the-difference-of-host-and-http-host-in-nginx> $host does not include the port number. > >> >> * https://www.nginx.com/resources/wiki/start/topics/examples/likeapache/ >> <https://www.nginx.com/resources/wiki/start/topics/examples/likeapache/> >> * https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/ >> <https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/> >> >> I can't tell if that bit was required by your code. It doesn't look like it >> is required (via `task.py` lines 531+) but perhaps a warning about that >> would help. >> >> Sidenote: it looks like the strip on line 680 may be better placed just >> above the immediate conditional >> >> >> - if forwarded_host: >> - >> - forwarded_host = forwarded_host.strip() >> >> # might be better as... >> >> + forwarded_host = forwarded_host.strip() >> + if forwarded_host: >> >> > > It's already been stripped way before that line ever happens. That extra > strip() can be removed. > >> >> My initial feeling on this release is that I dislike this implementation. >> This approach will create a lot of added complexity for those who use >> waitress for Pyramid in development BUT run other servers in Production >> and/or Staging - we now have to deal with a deploying something where >> Waitress inherently takes control of this portion of wsgi manipulation in >> one environment, but is not run at all in other environments. > > So don't use waitress for this... continue to use your WSGI middleware that > you are already using, and completely ignore the existence of this > functionality. I would also argue that in development you likely aren't using > a reverse proxy server, but even if you are, why are you using a different > WSGI server in development than what you run in production when they may have > entirely different behaviours or startup requirements. > >> >> IMHO, it would be really nice if... >> >> 1. this happened within Pyramid (not likely to happen, I know) > > Nope. > >> or >> 2. this functionality were exposed as a callable, so other deployments can >> invoke it. This will still create some pain in maintaining dual deployment >> logics, but invoking waitress's logic would ensure parity. > > I may end up writing some middleware and putting it in WebOb, but I haven't > gotten that far yet. > > Also, once again, you are not required to use waitress for this > functionality. You may set: > > clear_untrusted_proxy_headers = False > > in development so you don't receive the warning (in the future this flag will > be set to True by default, and Waitress will strip proxy headers), and > Waitress will happily pass through all the headers into your WSGI environment > just like before, as if this functionality does not exist. > >> >> Finally... >> >> for the docs... if using an ini file, the syntax is; >> >> [server:main] >> use = egg:waitress#main >> host = 127.0.0.1 >> port = 5020 >> trusted_proxy = 127.0.0.1 >> trusted_proxy_headers = x-forwarded-for x-forwarded-host x-forwarded-proto >> x-forwarded-port >> >> >> >> using a quoted format from the current docs will generate an error: >> >> trusted_proxy_headers = "x-forwarded-for x-forwarded-host x-forwarded-proto >> x-forwarded-port" >> >> > > Waitress does not inherently support ini or any other config files. Using > quotes is valid for python kwargs that you pass to waitress.serve. Since ini > is not directly supported or used by waitress, I will continue to document > using standard Python syntax. > >> >> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "pylons-discuss" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected] >> <mailto:[email protected]>. >> To post to this group, send email to [email protected] >> <mailto:[email protected]>. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/pylons-discuss/01761583-c857-412f-80c3-117c6af4f82c%40googlegroups.com >> >> <https://groups.google.com/d/msgid/pylons-discuss/01761583-c857-412f-80c3-117c6af4f82c%40googlegroups.com?utm_medium=email&utm_source=footer>. >> For more options, visit https://groups.google.com/d/optout >> <https://groups.google.com/d/optout>. > > > -- > You received this message because you are subscribed to the Google Groups > "pylons-discuss" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected] > <mailto:[email protected]>. > To post to this group, send email to [email protected] > <mailto:[email protected]>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/pylons-discuss/CC8D499E-7ADE-46DA-B9D9-DD198F2B93F9%400x58.com > > <https://groups.google.com/d/msgid/pylons-discuss/CC8D499E-7ADE-46DA-B9D9-DD198F2B93F9%400x58.com?utm_medium=email&utm_source=footer>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. -- You received this message because you are subscribed to the Google Groups "pylons-discuss" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/B031923E-4B94-45DD-A4DB-3B0E9A2B64EB%400x58.com. For more options, visit https://groups.google.com/d/optout.
