core: Allow loopback hosts for admin endpoint (fix #5650) #5664
This should actually be a non-breaking change, since previously we only allowed the empty Host for unix sockets. We still allow that, but turns out the most popular clients used with the admin API (Caddy's CLI and curl) don't allow empty hostnames anymore:
Anyway, this is mildly infuriating because we can no longer be compliant with RFC 2616 Section 14.26 as Go requires setting a host. But it's the best we can do.
We could disable the security checks completely for unix sockets -- and the infosec community has assured me that doing so would be safe -- but I am not ready to trust that, for instance, browsers won't always forbid access to unix sockets in the future (or maybe they have a bug). But as long as they enforce CORS we can at least have reasonable assurance that a host of 127.0.0.1 or ::1 means the request comes from a local website. Additionally, unix sockets can have system permissions used to restrict access.

In #5650 I decided that we'd use 127.0.0.1 as a "bogus" host and continue to enforce our host/origin checks, while allowing 127.0.0.1 and ::1 as possible values.
I think this is relatively conservative, so if there are any major issues with good technical reasoning we can reconsider this approach if need be.
Ultimately I view this as a very minor regression due to an upstream patch that we're working around.
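The check described above, written out as an added Go example (this is illustrative code for this page, not Caddy's own implementation; the function names are my own): a Host/Origin filter for an admin endpoint served over a unix socket that accepts the empty Host, plus the loopback literals 127.0.0.1 and ::1 with or without a port, and rejects everything else, including `localhost` and non-loopback addresses.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// allowedHost reports whether a Host header value should be accepted by an
// admin endpoint listening on a unix socket. The empty host stays allowed
// (the historical unix-socket behaviour), and the two loopback literals are
// accepted as "bogus" hosts for clients that refuse to send an empty Host.
// Everything else, including "localhost" and 127.0.0.2, is rejected.
func allowedHost(host string) bool {
	if host == "" {
		return true
	}
	h := host
	if strings.Contains(h, ":") {
		// Strip an optional port; handles "127.0.0.1:2019" and "[::1]:2019".
		if hp, _, err := net.SplitHostPort(h); err == nil {
			h = hp
		} else {
			// Bare IPv6 literal such as "::1" or "[::1]": drop any brackets.
			h = strings.TrimSuffix(strings.TrimPrefix(h, "["), "]")
		}
	}
	ip := net.ParseIP(h)
	if ip == nil {
		return false
	}
	return ip.Equal(net.IPv4(127, 0, 0, 1)) || ip.Equal(net.IPv6loopback)
}

// allowedOrigin applies the same rule to a browser-supplied Origin header,
// e.g. "http://127.0.0.1:8080". A missing Origin (non-browser client) passes;
// a malformed or non-loopback Origin is rejected.
func allowedOrigin(origin string) bool {
	if origin == "" {
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	return allowedHost(u.Host)
}

func main() {
	for _, h := range []string{"", "127.0.0.1", "[::1]:2019", "localhost", "example.com:2019"} {
		fmt.Printf("Host %q allowed: %v\n", h, allowedHost(h))
	}
}
```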