-
-
Notifications
You must be signed in to change notification settings - Fork 16.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revisit SERVER_NAME's impact on routing and external URL generation #5553
Revisit SERVER_NAME's impact on routing and external URL generation #5553
Comments
We should expose Werkzeug's trusted host checking, with a new I don't think we need to deprecate
This is already covered by |
David, thanks for chiming in. I think
Django doesn't seem to handle the unkown IP case natively: SO discussion and https://pypi.org/project/django-allow-cidr/ I don't know much about how Flask handles subodmains but noting it here in case it should impact the discussion. Thanks. |
I'm hesitant to deprecate/rename |
That would at least facilitate my objective of setting the external URL without affecting But I'd point out that someone who just wants to set
Creating two separate configs, one for each purpose, still makes the most sense to me. There is already consensus in #998 that the one setting is problematic. Why not fix the root cause? Regardless, I'd be happy for any way to fix this in the Flask config as the workaround I use is ugly. Thanks. :) |
Regarding a combined single config key: We have three configs that affect routing and URL generation.
All three are needed to generate URLs outside a request. We could have a |
To recap, with the
As a thought experiment, if starting from scratch, it seems more intuitive to me if this was broken out as:
We obviously are not starting from scratch, but that is still, IMO, the way the functionality most obviously groups together when thinking through the configuration. From an implementation perspective, I don't know if it's better to keep all the old settings as individual config items or deprecate them. I'd likely lean in favor of the latter since I think the current ones grew over time into a bit of an ugly knot. But, if not wanting to deprecate as you've seemed to indicate, then you could arguably split Could also not set any defaults from
And that doesn't require any parsing of the URL to get the bare host for
Two options I see:
|
Thanks for the analysis and writeup, I was trying to do something similar and ran out of steam. I'll think about the exact path forward, but I'm marking it for 3.1. |
I'm struggling to figure out why Werkzeug's
The end of the first paragraph has a confusing grammatical typo ("will use ... as used"), so I can't be sure of the intention. Not sure what "as" was supposed to say. Looking at the way Flask calls this, It seems to be saying "if the subdomain wasn't given, try to get it from the host header as a prefix of the name the WSGI server is bound to", which does make sense. But also "if I can't get a prefix, then don't even try to route", but routing would still work fine if it assumed the empty prefix, as if the host exactly matched the server's name. |
There's also the from flask import Flask, request, url_for
app = Flask(__name__)
app.config["SERVER_NAME"] = "example.com:5000"
app.url_map.default_subdomain = "" # and patch out the `or None`
@app.get("/")
def index() -> str:
return url_for("index", _external=True) |
|
Yeah, I'm starting to see how this makes sense now. I think the entire problem is the Lines 442 to 451 in 07c7d57
If that's fixed, then:
So I think if not subdomain_matching:
url_map.default_subdomain = "" And Longer term, Werkzeug 3.2 can add |
The change was slightly different than what I guessed above, but after some more testing, I'm convinced that's the right fix now. It seems to be what was intended in #2635. This whole thing, It's not helped by the number of configurations in Werkzeug's routing:
I'm not clear what of this can be fixed or warned about, or even if it should be. Something to think about when moving |
Flask 3.1 fixed pallets/flask#5553 which had the side-effect of enforcing that subdomain_matching=True must be set. This is a test case change only.
Flask 3.1 fixed pallets/flask#5553 which had the side-effect of enforcing that subdomain_matching=True must be set. This is a test case change only.
#998 was a discussion regarding the impact the
SERVER_NAME
setting has on an application. IMO, there was consensus in that issue, including by @mitsuhiko, thatSERVER_NAME
being used both in routing and in URL generation was problematic.That issue was closed by #2635, which made a change regarding subdomain matching. However, IMO, it did not address the fundamental problem of
SERVER_NAME
impacting two disparate mechanisms in Flask.I found two additional issues since #998 that have attempted to point out the problem with
SERVER_NAME
: #2813, #3465In #2813, a minimal, complete, and verifiable example was requested and I have therefore prepared an example gist that demonstrates the problem.
The gist's third "currently impossible" test demonstrates that it's currently impossible to:
SERVER_NAME
so external URL generation works outside a request context with only an app context; andMy particular use case currently is that I need
SERVER_NAME
set so external URLs will be created accurately in distributed tasks where no web request is present. Additionally, I need the app to respond to multiple host names 1) the canonical URL the public uses; and 2) the IP address based URL our load balancer uses for health checks.IMO,
SERVER_NAME
should be deprecated and two new settings should be created. One which affects external URL generation and a second that affects routing resolution.The setting for the URL generation could be
CANONICAL_URL
and, because its a URL, it could eliminate the need forurl_for()
's_scheme
arg.Thanks for your consideration.
The text was updated successfully, but these errors were encountered: