
Add ::1 to default forwarded-allow-ips


Checklist

  • The bug is reproducible against the latest release and/or master.
  • There are no similar issues or pull requests to fix it yet.

Describe the bug

--forwarded-allow-ips currently defaults to 127.0.0.1. It should default to ::1,127.0.0.1 as it’s the year 2021.

To reproduce

Inspect the request object with the default --forwarded-allow-ips.

Expected behavior

For --forwarded-allow-ips to default to ::1,127.0.0.1.

Actual behavior

--forwarded-allow-ips defaults to 127.0.0.1.

Debugging material

None.

Environment

  • OS / Python / Uvicorn version: just run uvicorn --version
    Running uvicorn 0.12.3 with CPython 3.7.3 on Linux

  • The exact command you’re running uvicorn with, all flags you passed included. If you run it with gunicorn please do the same. If there is a reverse-proxy involved and you cannot reproduce without it please give the minimal config of it to reproduce.
    /opt/clusterapi/bin/python3.7 /opt/clusterapi/bin/uvicorn --host :: --port 5000 app.main:app --workers 9 --proxy-headers

Additional context

None.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 9 (4 by maintainers)
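
An added example, not part of the original issue and not Uvicorn's own code: a simplified model of an allow-list check for proxy headers, showing why a reverse proxy that connects over ::1 is not trusted when the list contains only 127.0.0.1. The function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

DEFAULT_TRUSTED = "127.0.0.1"       # default reported in the issue
PROPOSED_TRUSTED = "::1,127.0.0.1"  # default the issue asks for


def parse_trusted(value):
    """Parse a comma-separated allow list into a set of address objects."""
    return {ipaddress.ip_address(p.strip()) for p in value.split(",") if p.strip()}


def effective_client(peer_ip, headers, trusted):
    """Return the client IP the application would see (hypothetical helper).

    peer_ip: address of the directly connected TCP peer.
    headers: request headers with lower-case names.
    trusted: comma-separated list of peers allowed to set proxy headers.
    """
    # Compare parsed addresses so "0:0:0:0:0:0:0:1" and "::1" are the same peer.
    if ipaddress.ip_address(peer_ip) not in parse_trusted(trusted):
        return peer_ip  # untrusted peer: X-Forwarded-For is ignored
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    hops = [h for h in hops if h]
    # The right-most entry is the one appended by the directly connected proxy.
    return hops[-1] if hops else peer_ip


# Constructed sample requests (addresses from documentation ranges).
VIA_PROXY = {"x-forwarded-for": "203.0.113.7"}
SPOOFED = {"x-forwarded-for": "127.0.0.1"}


def demo():
    """Evaluate the cases discussed in the issue and return the results."""
    return {
        "proxy on ::1, list 127.0.0.1": effective_client("::1", VIA_PROXY, DEFAULT_TRUSTED),
        "proxy on ::1, list ::1,127.0.0.1": effective_client("::1", VIA_PROXY, PROPOSED_TRUSTED),
        "proxy on 127.0.0.1, list 127.0.0.1": effective_client("127.0.0.1", VIA_PROXY, DEFAULT_TRUSTED),
        "remote peer with spoofed header": effective_client("198.51.100.9", SPOOFED, PROPOSED_TRUSTED),
    }


if __name__ == "__main__":
    for case, seen in demo().items():
        print(f"{case:40} -> {seen}")
```

In this model, adding ::1 only extends trust to the local loopback peer; a header sent by any other peer is still ignored.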

Top GitHub Comments

1 reaction
euri10 commented, Nov 19, 2021

--forwarded-allow-ips currently defaults to 127.0.0.1. It should default to ::1,127.0.0.1 as it’s the year 2021.

Most servers I’m familiar with use IPv4 for the proxy headers defaults, at least gunicorn, I’m pretty sure of it. Is there a good argument apart from it’s the year 2021? Happy to re-open of course if there is!

0 reactions
WilliamDEdwards commented, Nov 19, 2021

iirc you could bypass ipv4 firewalls with ipv6 traffic, that may be old but this was not a bad idea at all

On Fri, Nov 19, 2021 at 2:33 PM William Edwards wrote:

I do that on all my boxes, dunno if it is common or not, but the most sensible default is imho that we’re sure that ipv4 is enabled. Curious about what others may think about this 😃

On Fri, Nov 19, 2021 at 2:28 PM William Edwards wrote:

what if the box you’re on doesn’t have ipv6 enabled ? the sensible default becomes less sensible

That means the user would’ve had to go out of their way to explicitly disable IPv6 using sysctl. I don’t think that’s common.

OT: It doesn’t hurt to have IPv6 enabled. Even if you don’t configure an IPv6 address yourself. Setting net.ipv6.conf.all.disable_ipv6=0 or similar is a bad idea, end of story.

How are you going to receive external, firewallable traffic on a loopback interface? Or disable SLAAC.
