encode / uvicorn

An ASGI web server, for Python. 🦄
https://www.uvicorn.org/
BSD 3-Clause "New" or "Revised" License

--forwarded-allow-ips '*' broken in combination with gunicorn #2477

Open Kludex opened 4 days ago

Kludex commented 4 days ago

Discussed in https://github.com/encode/uvicorn/discussions/2475

Originally posted by **andreas-sch-b** September 30, 2024

I'm running uvicorn in combination with gunicorn like this: `gunicorn -k uvicorn.workers.UvicornWorker --forwarded-allow-ips "*" ....`

This worked well with 0.30.6; however, it's broken with 0.31.0 of uvicorn. The issue got introduced with the PR [1]. The problem is that the check for the wildcard changed. In the old version there was a check like `"*" in trusted_hosts`. The new code now checks for `trusted_hosts == "*"`, which causes the problem.

[1] https://github.com/encode/uvicorn/pull/2468

fsecada01 commented 4 days ago

Confirmed. This happened to me.

theyashl commented 3 days ago

Turns out gunicorn is parsing the `forwarded_allow_ips` command-line option and then putting its values into a list before handing it over to uvicorn's worker as part of the configs. Refer to the `ForwarderHeaders` class in gunicorn's `gunicorn/config.py` file. This class handles the CLI option `--forwarder-headers`, with a validator called `validate_string_to_list`.

This validator puts all the comma-separated values received with the given parameter, i.e. `--forwarder-headers`, into a list.

So basically the check `_TrustedHosts` should have is `trusted_hosts == ["*"]` instead of `trusted_hosts == "*"`. But this would be a completely gunicorn-specific change. So we would have to make sure that this check works fine with both uvicorn as a standalone application and with the gunicorn integration. We can make it one of the following: `trusted_hosts == ["*"] or trusted_hosts == "*"` / `trusted_hosts in (["*"], "*")` / `"*" in trusted_hosts`.
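
The string-versus-list mismatch discussed in this thread, as an added example that is not part of the issue and not uvicorn's or gunicorn's code: the value is normalised to a list before the wildcard test, so the comma-separated string and the pre-split list behave the same. `TrustedProxies` and `regressed_is_wildcard` are hypothetical names, and the addresses are constructed sample values.

```python
import ipaddress
from typing import List, Union


def regressed_is_wildcard(trusted_hosts: Union[str, List[str]]) -> bool:
    # The comparison quoted in the issue: only the bare string "*" matches,
    # so the list form ["*"] is not treated as a wildcard.
    return trusted_hosts == "*"


class TrustedProxies:
    """Hypothetical stand-in for a trusted-hosts check (not uvicorn's class)."""

    def __init__(self, trusted_hosts: Union[str, List[str]]) -> None:
        # Accept both shapes described in the thread: a comma-separated
        # string, or a list that was already split by the caller.
        if isinstance(trusted_hosts, str):
            items = trusted_hosts.split(",")
        else:
            items = list(trusted_hosts)
        items = [item.strip() for item in items if item.strip()]

        # Wildcard test on the normalised list, never on the raw value.
        self.always_trust = "*" in items
        self.networks = []
        self.literals = set()
        for item in items:
            if item == "*":
                continue
            try:
                # A single address becomes a /32 or /128 network.
                self.networks.append(ipaddress.ip_network(item, strict=False))
            except ValueError:
                self.literals.add(item)  # non-IP entry, compared verbatim

    def __contains__(self, host: str) -> bool:
        if self.always_trust:
            return True
        if not host:
            return False  # no peer address: never trusted without "*"
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return host in self.literals
        return any(addr in net for net in self.networks)
```
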