Open jeffery9 opened 3 years ago
modify settings.py, set ALLOWED_HOST to [*]
ALLOWED_HOSTS = [
'*'
]
modify front.json, set correct eventsUrl
@jeffery9 If you got it to work, do you mind sharing the working config for docker, front and back?
@jeffery9 You most certainly don't wanna use ALLOWED_HOSTS = ['*']. Please, read about ALLOWED_HOSTS.
Agreed, but that's the only way I could get it to start (even "localhost" and "0.0.0.0" didn't work). If it's on a firewalled local machine it's ok.
Nonetheless, this docker image is really buggy.
It's really not. Please, read the documentation I've linked, it provides detailed description of why it's necessary and how to configure it properly. Also, I'm the original creator of this image and it works as intended, adhering to the principle of least privilege. We haven't received a single valid bug report since publishing it, all the problems people have stem from not reading the documentation and the lack of experience with this technological stack.
This is from an older image that I created and it worked well for a long time:
SITES["api"]["domain"] = "localhost:8000"
SITES["front"]["domain"] = "localhost:8000"
I decided to use this image instead, as it's an official one.
But like @jeffery9, I couldn't get it to work (Admittedly, I haven't done any python in years, so maybe the docs would help me) - but I think it should "just work" without becoming a python expert. :) Like I said above, for those who are self-hosting and the app is behind a firewall, or behind nginx/apache, it "should be ok" to use "*". (If not, please educate me as to why?)
Do you mean like this?
This image uses the IANA-assigned port 8080. I don't know what you mean, this image "just works" by default, out of the box and it definitely doesn't require you to know Python at all, it's the application that requires the minuscule knowledge of Python. All you have to do is make sure your custom configuration is valid according to the provided and linked documentation, which again, is given mostly by the application itself.
When it comes to the ALLOWED_HOSTS setting. From Host header validation (linked in ALLOWED_HOSTS, which I linked in my first comment):
Django uses the Host header provided by the client to construct URLs in certain cases. While these values are sanitized to prevent Cross Site Scripting attacks, a fake Host value can be used for Cross-Site Request Forgery, cache poisoning attacks, and poisoning links in emails.
I believe it's obvious now why not configuring it properly is a problem. Respectfully, your responses make me believe you have read none of the documentation and that's probably why you couldn't make it work.
True. But keep in mind at least two people needed to hack that config option to get it to work. Maybe the problem is just us.
@jeffery9 You most certainly don't wanna use ALLOWED_HOSTS = ['*']. Please, read about ALLOWED_HOSTS.
Yes, when I set up a reverse proxy before the taiga docker cluster, ALLOWED_HOSTS = ['locahost', '127.0.0.1'] is ok.
E.g. the taiga docker cluster exposes 8080, and another nginx is set up on the docker host, proxying port 8000 for public access to 8080. In this situation, we need to set eventsUrl to the public URL, so the user can access taiga in full function.
If you serve your instance publicly, ALLOWED_HOSTS = ['locahost', '127.0.0.1'] is insufficient. Please, read the documentation, it also states which settings need to be changed and how.
The sample configuration is meant to be secure by default, that's why you get 400 outside localhost unless you change your settings accordingly. If you haven't changed your settings, then it works as expected. I really don't understand what's the issue here. I'd also like to urge you @jeffery9 to not share configuration that you haven't validated against the documentation and which doesn't follow good practices like adhering to the principle of least privilege, etc. Other inexperienced users might copy-paste it without reviewing it and make their instances vulnerable.
Accessing taiga via http://127.0.0.1:8080 or http://localhost:8080 succeeds, but it can't be accessed from the network. taiga reports http code 400, it seems that nginx blocks the access.
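The Host header check discussed in this thread, as an added example that is not part of any comment above and is not Django's or the image's own code: a simplified model of how ALLOWED_HOSTS patterns are matched, showing why a local-only list answers 400 to requests from the network and why `['*']` accepts a forged Host value. The host names, the LAN address and the `reset_link` helper are constructed for illustration.

```python
# Simplified model of Django's Host header validation (added example).
# All host names and addresses below are constructed sample values.

def split_host_port(host_header):
    """Lower-case the Host header and strip an optional :port (IPv6 in [])."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # e.g. [::1]:8080
        end = host.find("]")
        return host[: end + 1] if end != -1 else ""
    return host.rsplit(":", 1)[0] if ":" in host else host

def host_allowed(host_header, allowed_hosts):
    """'*' matches anything, '.example.com' matches the domain and its
    subdomains, any other pattern must match the host exactly."""
    host = split_host_port(host_header).rstrip(".")
    if not host:
        return False
    for pattern in (p.lower() for p in allowed_hosts):
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host.endswith(pattern) or host == pattern[1:]):
            return True
    return False

def status_for(host_header, allowed_hosts):
    """HTTP status the client sees: 400 when the Host header is rejected."""
    return 200 if host_allowed(host_header, allowed_hosts) else 400

def reset_link(host_header, allowed_hosts, token="TOKEN"):
    """Hypothetical helper: an absolute URL built from the Host header,
    as an application does when it e-mails a link."""
    if not host_allowed(host_header, allowed_hosts):
        return None
    return f"http://{host_header}/password-reset/{token}"

WILDCARD = ["*"]
LOCAL_ONLY = ["localhost", "127.0.0.1"]
PUBLIC = ["taiga.example.com"]    # hypothetical public name of the instance

if __name__ == "__main__":
    headers = ("localhost:8080", "192.168.1.50:8080",
               "taiga.example.com", "forged.example")
    for hosts in (WILDCARD, LOCAL_ONLY, PUBLIC):
        for header in headers:
            print(hosts, header, status_for(header, hosts))
    print(reset_link("forged.example", WILDCARD))   # link points at forged host
    print(reset_link("forged.example", PUBLIC))     # rejected, no link built
```
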