Add option to expose WebpackDevServer publicly for non-localhost development

[jankeromnes]

If you'd like to use perf.html via URLs that are not localhost (e.g. from behind a proxy, or from another device) I suggest to expose the web application publicly like so:

PERFHTML_PUBLICHOST=true yarn start

[codecov]

Codecov Report

Merging #1621 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #1621   +/-   ##
=======================================
  Coverage   81.04%   81.04%           
=======================================
  Files         178      178           
  Lines       11696    11696           
  Branches     2843     2846    +3     
=======================================
  Hits         9479     9479           
  Misses       2013     2013           
  Partials      204      204

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e709914...f163d31. Read the comment docs.

[codecov]

Codecov Report

Merging #1621 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #1621   +/-   ##
=======================================
  Coverage   82.05%   82.05%           
=======================================
  Files         176      176           
  Lines       11908    11908           
  Branches     2901     2898    -3     
=======================================
  Hits         9771     9771           
  Misses       1949     1949           
  Partials      188      188

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update db03840...04706a6. Read the comment docs.

[julienw]

Some context for my teammates:
@jankeromnes now works for typefox, the company behinds gitpod.io. We chatted a bit today about how to support this for our project, using an URL like https://gitpod.io#https://github.com/devtools-html/perf.html/ for easy contribution.

One issue is how we access the dev server: obviously the server won't be accessible from the docker container as it binds on localhost. gitpod comes with a system to forward ports, but the webpack dev server has a system to checks the Host to prevent security problems. See this posts about this issue:

• https://medium.com/webpack/webpack-dev-server-middleware-security-issues-1489d950874a
• webpack-dev-server vulnerable to DNS rebinding attack webpack/webpack-dev-server#887

The PR here disables this check and I'm reluctant to do it. Ideally gitpod should tell you which host will be used, and we could use it when configuring the server.

[jankeromnes]

The PR here disables this check and I'm reluctant to do it.

Note: This PR only disables the check if you explicitly set PERFHTML_PUBLICHOST=true (one typo, and you're back to the safer situation & the server won't get exposed beyond localhost).

[julienw]

I think the proposed changes make it safer and still not overengineered :)
Then a user could pass the expected host through PERFHTML_PUBLICHOST (maybe with a bit of guessing in the case of gitpod - but should be doable) and have it exposed properly.

[julienw]

remove this and add public: host

[jankeromnes]

Removed. But is public: host still needed here? Or maybe host should be added to allowedHosts?

[julienw]

indeed it's weird your prettier run changed everything here. Meh :)

[julienw]

@gregtatum I'd like your second opinion on this :) here is how you can try the issue we're facing:

1. open https://gitpod.io/#https://github.com/devtools-html/perf.html/
2. run yarn then yarn start in a terminal (inside the interface of course)
3. run gp forward-port 4242 4243 in another terminal
   => you should have a link to the ports on the bottom bar
4. expose the port 4243 from the popin appearing at the top of the window
5. open a new window from the popin appearing at the top of the window
   => We get "Invalid Host header"

[gregtatum]

I don't think I understand enough about this issue to really weigh in. I did the STR, but I'm not sure what's really going on behind the scenes with the tech. What is even sending out "Invalid Host Header"?

[jankeromnes]

@gregtatum Thanks for looking into this!

What is even sending out "Invalid Host Header"?

That's WebpackDevServer, because it doesn't accept connections that use domains other than localhost. That's problematic when you develop with live previews / proxies / multiple devices (as is the case for example in Gitpod, which shows running web apps via a preview URL).

This is essentially why I added support for making perf.html accept connection that use non-localhost domains.

[jankeromnes]

To me, these are the relevant options to address this:

1. Don't address it: We don't want anyone to develop perf.html using anything else than localhost
2. Option to allow only specific non-localhost access: E.g. PERFHTML_PUBLICHOST="4242-abcd-ef01-2345-complicated-preview-domain" yarn start
3. Option to allow any non-localhost access: E.g. PERFHTML_PUBLICHOST=true yarn start
4. Completely disable host-checking for development: E.g. yarn start works everywhere

This PR implements Option 3. @julienw seems to prefer Option 2.

[mstange]

I don't really have an opinion on this either. I'd even be fine with a gitpod-specific command that looks at the GITPOD_WORKSPACE_URL env var, e.g. yarn gitpod-start.

[julienw]

That special command could do:

gp forward-port 4242 4243
PERFHTML_PUBLICHOST="4243-$GITPOD_WORKSPACE_ID.ws-eu.gitpod.io" yarn start

Assuming this ws-eu is something constant.

[jankeromnes]

Interesting idea, thanks! We'll still need to implement PERFHTML_HOST env variable support for Option 2 (I'll amend this PR), but this would indeed solve non-localhost development for any live preview / proxy / cross-device scenario where you know the host in advance, and won't require using disableHostCheck: true.

Assuming this ws-eu is something constant.

Unfortunately, it is not constant (e.g. if you're in Asia, it will be ws-ap). However, there is probably a way to make Gitpod expose these preview URLs. I'll investigate.

[julienw]

I got 1 thought and 1 remark.

First, the thought: after looking at this again, I now think this is probably good enough to do what @janx proposed initially. That we're not having this setup by default is probably good enough for security. I'd still be happier with the other solution though. Especially that the next remark could make it a lot easier:

Indeed I noticed that the allowedHosts property accepts wildcards, so we could use something generic like .gitpod.io instead of having to guess the full name.

[jankeromnes]

Indeed I noticed that the allowedHosts property accepts wildcards, so we could use something generic like .gitpod.io instead of having to guess the full name.

Wow, that's a really cool find! This looks like a much cleaner solution indeed. 😄

[jankeromnes]

@julienw Thanks again for your advice! I've implemented non-localhost support without using disableHostCheck at all, please take another look when you have time.

(Also, I haven't added .gitpod.io to allowedHosts yet because I'd like to implement Gitpod support in a separate pull request.)

[jankeromnes]

(Rebased on top of latest master.)

[julienw]

I did some small suggestions, I hope you'll find them OK :)

[jankeromnes]

@julienw Many thanks! 😄 The suggestions make sense to me, so I've applied them. I'll also rebase the commits now.

[jankeromnes]

🎉 🎉 🎉 Thanks a lot @julienw! 😄