Re: [PATCH] pgarchives: Add host option for pglister_sync

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Célestin Matte <celestin(dot)matte(at)cmatte(dot)me>
Cc: pgsql-www(at)lists(dot)postgresql(dot)org
Subject: Re: [PATCH] pgarchives: Add host option for pglister_sync
Date: 2025-02-03 19:33:02
Message-ID: CABUevEwyLJAz0+ACfMf92G114_6JQ-uoYv6OCw2DAzGTTE_SJw@mail.gmail.com
Lists: pgsql-www

On Thu, Jan 23, 2025 at 9:36 PM Célestin Matte <celestin(dot)matte(at)cmatte(dot)me>
wrote:

> > What "localhost whitelist" are you referring to here?
>
> I set up http auth and disable it in the virtualhost for localhost:
> <Location />
> AuthType Basic
> AuthName "Restricted Access"
> AuthUserFile /etc/apache2/.htpasswd
> Require valid-user
> Require local
> </Location>
> (This is what I called "whitelisting localhost")
>

I haven't configured apache in anger in many many years, but I assume what
you're trying to do is exclude it from basic auth, but have basic auth on
the rest? Surely there must be a way to do just that?

> As for the patch, it seems like a really bad idea to silently turn off
> https validation when you specify a hostname. Surely those are completely
> independent things?
>
> urllib will display a warning if you use a Host header different from the
> URL
>

And for very good reasons, because you've removed an important part of the
https security!

> I honestly don't understand your described workload... Is your goal to
> have http auth on all URLs except the /api/archive/<name>/lists/ endpoint
> from localhost? Surely that's a matter of apache config rather than
> patching the client?
>
> I want to have http auth for everyone except localhost.
> I may not have chosen the best way to do that. Do you see a better way to
> handle this?
>

Per above, I don't know how to configure things in apache. But excluding
auth on localhost is definitely something I've done many times on other
platforms.

ISTM that this should be a question for someone who knows apache
configuration, rather than a patch to lower the security of the pglister
code.

> And if you just want to change the hostname, can't you just edit the URL?
>
> No because I have several domains on localhost. Apache needs to somehow
> (with the Host header) know which one is wanted.
>

Differentiating hosts on https is something SNI has been used for for many
years. That seems to be the appropriate solution here as well, if you
absolutely need to use https on localhost? (There are things that require
that, such as access to browser camera, but I don't see how any of that
would apply to a pglister API call, so it seems easier to just not encrypt
localhost traffic?)

Bottom line is this really sounds like a server side issue in the apache
configuration, and should be solved there.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
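As an added illustration that is not from the thread or the pgarchives project, this is one way to express in Apache 2.4 the two server-side pieces the reply points at: a TLS virtual host per list domain selected by SNI, and basic auth that loopback clients are exempt from. The hostnames, certificate paths and the included auth file are assumed values.

```apache
# Added illustration (not from the thread): Apache 2.4 name-based TLS vhosts
# selected by SNI, plus basic auth that local clients are exempt from.
# Hostnames, certificate paths and the include file are assumed values.

# One vhost per list domain. A client that sends the domain as SNI (for
# example via an /etc/hosts entry pointing it at 127.0.0.1) reaches the
# right vhost and can still validate the certificate against that name,
# so no Host-header override and no disabled https validation is needed.
<VirtualHost *:443>
    ServerName lists-one.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists-one.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/lists-one.example.org.key
    Include conf/pgarchives-auth.conf
</VirtualHost>

<VirtualHost *:443>
    ServerName lists-two.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists-two.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/lists-two.example.org.key
    Include conf/pgarchives-auth.conf
</VirtualHost>

# conf/pgarchives-auth.conf (assumed path), shared by the vhosts above.
<Location />
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/apache2/.htpasswd
    # Either condition grants access: a loopback client is let through
    # without a password prompt, everyone else must authenticate.
    # Several Require lines in one section are OR'ed by default in 2.4;
    # the explicit RequireAny block just makes that intent visible.
    <RequireAny>
        Require local
        Require valid-user
    </RequireAny>
</Location>
```

The client then simply requests https://lists-one.example.org/api/archive/... with certificate validation left on; only name resolution, not the Host header, points it at the local machine.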
