set ForwardedAllowIPS via cli

[georgexsh]

set ForwardedAllowIPS option via cli --forwarded-allow-ips
example:

exec gunicorn \
--bind=192.168.11.1:8080 \
--forwarded-allow-ips='*'

[wong2]

🍺

[tonicmuroq]

🍻

[benoitc]

Sorry for the delay to handle that patch . It's related to #633. I am not quite sure what to do at the moment, we should probably use th real remote. Hopefully @davisp @tilgovi have an idea on that too.

[georgexsh]

@benoitc problem addressed in #633 is whether override REMOTE_ADDR,
but here the main influence of option forwarded_allow_ips is the behavior of reading cfg.secure_scheme_headers,
as I do not think those two issues are connected.

[benoitc]

@georgexsh well if we use the remote address then we should probably make some naming change like --allows-remote-ip=* since you will get the remote address, isn't it?

[georgexsh]

@benoitc I dont quite get your point ..
the "remote address" used for checking with forwarded_allow_ips, is read from socket, not from headers

[benoitc]

@georgexsh OK so just to be clear we are right now parsing this forward headers to construct the remote address. Which is apparently against the spec. We don't need to parse the if we just collect the remote address from the client (except maybe when using a unix socket).

If I understand well you are using it to filters the client that connect to you app. At this point I wonder if it should be done at the server level or at the the application level.

If we do it at the server level, the it may be relevant to have an option to check all remotes ips. the one coming as a remote ip and the one in the forward headers. That why I was speaking about that change.

Will see what we decide later in the day.

[georgexsh]

@benoitc your latest explanation confused me even deeper ...

we are right now parsing this forward headers to construct the remote address

yes for REMOTE_ADDR, but no for this case
client[0] not in cfg.forwarded_allow_ips link
and client is produced via client, addr = sock.accept()
when we need set forwarded_allow_ips, the "client" would not be the real user-agent, but a reverse proxy.
the influence is whether guncorn reads secure_headers or not.

you are using it to filters the client that connect to you app

not for my app, but wsgi spec: wsgi.url_scheme, which gunicorn should set.

[benoitc]

@georgexsh you're right I'm just confused with the option name right now. I really think it should something else. not sure what. Maybe it should ne remote_allow_ips instead? I'm +1 to merge your patch anyway. Will do it tomorrow.

[georgexsh]

ping @benoitc

[benoitc]

applied thanks :)

On Thu, Dec 26, 2013 at 11:59 AM, georgexsh notifications@github.51.alwrote:

ping @benoitc https://github.com/benoitc

—
Reply to this email directly or view it on GitHubhttps://github.com//pull/642#issuecomment-31217954
.