Discussion: Re: [PATCH] pgarchives: Add host option for pglister_sync
On Thu, Jan 23, 2025 at 3:48 PM Célestin Matte <celestin.matte@cmatte.me> wrote:
> This patch makes it possible to define a 'host' parameter in order to override the Host header, to be able to properly query localhost.
> Context:
> I want to set up HTTP auth for a deployment of pgarchives.
> In order for pglister_sync to keep working, I need to either authenticate, or disable authentication for localhost.
> When using external URL, the request gets routed to apache using the server's external IP, which makes the 'localhost' whitelist fail.
> I prefer using the solution over authenticating, as it ensures queries get directly routed to localhost in the process.
Hi!
What "localhost whitelist" are you referring to here?
As for the patch, it seems like a really bad idea to silently turn off https validation when you specify a hostname. Surely those are completely independent things?
I honestly don't understand your described workload... Is your goal to have http auth on all URLs except the /api/archive/<name>/lists/ endpoint from localhost? Surely that's a matter of apache config rather than patching the client?
And if you just want to change the hostname, can't you just edit the URL?
//Magnus
> What "localhost whitelist" are you referring to here?
I set up http auth and disable it in the virtualhost for localhost:
<Location />
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Require local
</Location>
(This is what I called "whitelisting localhost")
> As for the patch, it seems like a really bad idea to silently turn off https validation when you specify a hostname. Surely those are completely independent things?
urllib will display a warning if you use a Host header different from the URL
> I honestly don't understand your described workload... Is your goal to have http auth on all URLs except the /api/archive/<name>/lists/ endpoint from localhost? Surely that's a matter of apache config rather than patching the client?
I want to have http auth for everyone except localhost.
I may not have chosen the best way to do that. Do you see a better way to handle this?
> And if you just want to change the hostname, can't you just edit the URL?
No because I have several domains on localhost. Apache needs to somehow (with the Host header) know which one is wanted.
As specified, I also had a problem with these frequent localhost requests being resolved externally.
-- Célestin Matte
On Thu, Jan 23, 2025 at 9:36 PM Célestin Matte <celestin.matte@cmatte.me> wrote:
> What "localhost whitelist" are you referring to here?
I set up http auth and disable it in the virtualhost for localhost:
<Location />
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Require local
</Location>
(This is what I called "whitelisting localhost")
I haven't configured apache in anger in many many years, but I assume what you're trying to do is exclude it from basic auth, but have basic auth on the rest? Surely there must be a way to do just that?
> As for the patch, it seems like a really bad idea to silently turn off https validation when you specify a hostname. Surely those are completely independent things?
urllib will display a warning if you use a Host header different from the URL
And for very good reasons, because you've removed an important part of the https security!
> I honestly don't understand your described workload... Is your goal to have http auth on all URLs except the /api/archive/<name>/lists/ endpoint from localhost? Surely that's a matter of apache config rather than patching the client?
I want to have http auth for everyone except localhost.
I may not have chosen the best way to do that. Do you see a better way to handle this?
Per above, I don't know how to configure things in apache. But excluding auth on localhost is definitely something I've done many times on other platforms.
ISTM that this should be a question for someone who knows apache configuration, rather than a patch to lower the security of the pglister code.
> And if you just want to change the hostname, can't you just edit the URL?
No because I have several domains on localhost. Apache needs to somehow (with the Host header) know which one is wanted.
Differentiating hosts on https is something SNI has been used for for many years. That seems to be the appropriate solution here as well, if you absolutely need to use https on localhost? (There are things that require that, such as access to browser camera, but I don't see how any of that would apply to a pglister API call, so it seems easier to just not encrypt localhost traffic?)
Bottom line is this really sounds like a server side issue in the apache configuration, and should be solved there.
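Magnus's SNI suggestion in code, as an added example that is not from the thread, pgarchives or pglister_sync: the TCP connection goes to 127.0.0.1, while SNI, certificate validation and the Host header all carry the URL's real domain, so the vhost is selected without turning off https validation. The archive domain and list name are placeholders.

```python
"""Reach a pgarchives vhost over loopback without disabling TLS validation.

Added example, not pgarchives/pglister_sync code. TCP goes to 127.0.0.1, while
SNI, certificate validation and the Host header all use the URL's real hostname.
"""
import socket
import ssl
import sys
from urllib.parse import urlsplit


def build_request(url: str, connect_host: str = "127.0.0.1"):
    """Return ((connect host, port), name for SNI/validation, raw HTTP/1.1 request)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are handled here")
    name = parts.hostname
    port = parts.port or 443
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {name}\r\n"  # vhost selection; same name the certificate is checked against
        "Connection: close\r\n\r\n"
    ).encode("ascii")
    return (connect_host, port), name, request


def fetch_over_loopback(url: str, connect_host: str = "127.0.0.1") -> bytes:
    """Send the request to loopback while keeping full certificate validation."""
    addr, name, request = build_request(url, connect_host)
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname check stay on
    with socket.create_connection(addr, timeout=10) as raw:
        # server_hostname sets the SNI extension and the name the cert must match
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # usage: python this_file.py https://archives.example.org/api/archive/<name>/lists/
    print(fetch_over_loopback(sys.argv[1]).decode("utf-8", "replace")[:400])
```

The same approach works with any HTTPS client that lets you set the SNI name separately from the connect address; what matters is that the verified name and the Host header stay the real domain.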
> And for very good reasons, because you've removed an important part of the https security!
Which makes sense and is hardly exploitable in that case since we're talking about local traffic
> Differentiating hosts on https is something SNI has been used for for many years. That seems to be the appropriate solution here as well, if you absolutely need to use https on localhost? (There are things that require that, such as access to browser camera, but I don't see how any of that would apply to a pglister API call, so it seems easier to just not encrypt localhost traffic?)
Problem is that requests made to the domain will be received as coming from the server's external IP address, which makes it difficult to detect it as local traffic (unless hardcoding this IP address in apache's config)
> Bottom line is this really sounds like a server side issue in the apache configuration, and should be solved there.
Yes, I ended up adding the target domain to /etc/hosts so that it resolves to 127.0.0.1 or ::1, which is a much simpler solution.
Thanks for the inputs, they made me consider things differently! This patch can be forgotten.
Please let me kindly remind you that many other patches are waiting for integration and I listed their state here: https://www.postgresql.org/message-id/6fc41ae5-f547-4cbd-a2d5-54ad75e33fe5@cmatte.me
-- Célestin Matte