--forwarded-allow-ips '*' broken in combination with gunicorn #2477

Closed
Kludex opened this issue Sep 30, 2024 Discussed in #2475 · 3 comments

Kludex commented Sep 30, 2024

Discussed in #2475

Originally posted by andreas-sch-b September 30, 2024
I'm running uvicorn in combination with gunicorn like this:

gunicorn -k uvicorn.workers.UvicornWorker --forwarded-allow-ips "*" ....

This worked well with 0.30.6, however it's broken with 0.31.0 of uvicorn. The issue got introduced with the PR [1]. The problem is that the check for the wildcard changed. In the old version there was a check like `"*" in trusted_hosts`. The new code now checks for `trusted_hosts == "*"`, which causes the problem.

[1] #2468

@fsecada01

Confirmed. This happened to me.

theyashl commented Oct 1, 2024

Turns out gunicorn is parsing the forwarded_allow_ips command-line option and then putting its values into a list before handing it over to uvicorn's worker as part of the configs. Refer to the ForwarderHeaders class in gunicorn's gunicorn/config.py file. This class is handling the CLI option --forwarder-headers, with a validator called validate_string_to_list.

This validator puts all the comma-separated values received with the given parameter, i.e. --forwarder-headers, into a list.

So basically the check _TrustedHosts should have is `trusted_hosts == ["*"]` instead of `trusted_hosts == "*"`. But this would be a completely gunicorn-specific change. So we would have to make sure that this check works fine with both uvicorn as a standalone application and with the gunicorn integration. We can make it one of the following: `trusted_hosts == ["*"] or trusted_hosts == "*"` / `trusted_hosts in (["*"], "*")` / `"*" in trusted_hosts`.
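
Added example, not part of the comment above and not uvicorn's or gunicorn's code: a sketch of a trust check that accepts the setting both as a plain string (standalone CLI) and as a pre-split list (the shape gunicorn hands to the worker). The function names `normalize`, `build_trust` and `is_trusted` are hypothetical; the sample addresses are constructed.

```python
import ipaddress
from typing import List, Set, Tuple, Union

Setting = Union[str, List[str]]


def normalize(value: Setting) -> List[str]:
    """Accept 'a, b' (plain string) or ['a', 'b'] (pre-split list)."""
    items = value.split(",") if isinstance(value, str) else value
    return [item.strip() for item in items if item.strip()]


def build_trust(value: Setting) -> Tuple[bool, Set[str], list]:
    """Return (trust_all, literal_hosts, networks) for either input shape."""
    entries = normalize(value)
    # Wildcard only when one entry is exactly "*". Membership is tested on
    # the normalized list: on a raw str, `"*" in "10.0.0.*"` is a substring
    # match and would be True, which would trust every peer.
    trust_all = "*" in entries
    hosts: Set[str] = set()
    networks = []
    for entry in entries:
        if entry == "*":
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.add(entry)  # not an IP or CIDR: compare as a literal
    return trust_all, hosts, networks


def is_trusted(peer: str, value: Setting) -> bool:
    """Decide whether forwarded headers from `peer` may be honoured."""
    trust_all, hosts, networks = build_trust(value)
    if trust_all or peer in hosts:
        return True
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # unparseable peer and no literal match: fail closed
    return any(addr in net for net in networks)
```

Normalizing first keeps the wildcard comparison identical for both callers and avoids the substring pitfall of running `in` directly on a string.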

Kludex commented Oct 9, 2024

Kludex closed this as completed Oct 9, 2024