GSA-TTS / cg-egress-proxy

Provides controlled egress for apps in a restricted-egress cloud.gov space

Make open ports configurable #32

Closed FuhuXia closed 1 year ago

FuhuXia commented 1 year ago

Partially for https://github.com/GSA/data.gov/issues/4112

Previously, PROXY_PORTS was open on ports 80 443 22 61443. This change limits it to the default port 443 only. To have more ports open, set an environment variable PROXY_PORTS using a value such as 80 443 22 61443. For example:

cf set-env proxy-gsa-datagov-development-catalog-web PROXY_PORTS "80 443"
cf restart proxy-gsa-datagov-development-catalog-web

rahearn commented 1 year ago

@FuhuXia I'm not sure this is going to solve the underlying issue for data.gov. The current hardcoded ports should allow traffic to all of those ports, but only all of those ports for the given allowed hosts. If you're seeing traffic being allowed to all hosts on port 80, my guess is because the catalog app has https_proxy set, but not http_proxy.

Even with that said, I'm in favor of this change.

FuhuXia commented 1 year ago

Yes, I am seeing port 80 open for all hosts, allow.acl or deny.acl has no effect on port 80 traffic. Will research on http/s_proxy.

robert-bryson commented 1 year ago

Seems like a good change. Nice work, @FuhuXia.

rahearn commented 1 year ago

@mogul and/or @btylerburton do you have thoughts on how we should do releases, since this does have a backwards-incompatible change (for at least some apps, I'd also bet that most people are only using 443)

mogul commented 1 year ago

In a few cases I've seen, it seems like folks are making copies of the tree in their own repo, so everyone's effectively forking. This was always more of an "example code" repository than a "reusable dependency" so I'm fine with just merging this and letting things break for people who are using the code directly and still (for some reason) using port 80.