Get rid of allowed_http_hosts in v2 manifest

[rylev]

This removes allowed_http_hosts in favor of allowed_outbound_hosts.

allowed_outbound_hosts has become strict in that it is required to follow the form "$SCHEME://$HOST:$PORT" where $SCHEME can be "*" or a specific scheme, $HOST can be "*" or a specific host, and $PORT can be "*", a specific port, or a port range. In the future we will allow lists of schemes, hosts, and ports.

Some notes:

• "insecure:allow-all" is done away with in favor of *://*:*.
• Schemes are required but if you don't care you can use globs: *://example.com

[lann]

Definitely low priority but it might be nice to eventually move this parsing into serde for the nice errors you get out of toml deserialization.

[itowlson]

I'm not sure where this scheme comes from? There's no scheme used in the connection string.

[rylev]

We're not doing literal equality checking on strings: the scheme in this config signifies that you are allowed to make postgres outbound calls to that host and port (and not, for example, http calls).

[itowlson]

Would this still allow HTTP (not HTTPS) for localhost scenarios?

[rylev]

I think in the current implementation it would but that seems a bit odd. The most consistent thing would be to require {http, https}://*:* (note that the list syntax is not yet implemented), but that is admittedly a bit annoying.

[tschneidereit]

We just discussed this in the Spin Up meeting, and I think we should hold off on removing the existing way of doing this this shortly before the release.

Landing this change requires a lot of documentation update, solid work on devUX to ensure that developers aren't left stranded because they don't know how to migrate, and potentially also some deeper conversation about the exact design and ergonomics of allowed_outbound_hosts.

[rylev]

Ok. I've pushed some changes that I think address most of the issues:

allowed_http_hosts in v2

We will continue to support allowed_http_hosts in v2 manifests but we will emit a warning when it is used.

For example, say I have the following in my manifest:

allowed_http_hosts = ["foo.com"]

This will work as expected (http traffic to foo.com will be allowed), but the following warning will be emitted:

Warning: Use of the deprecated field `allowed_http_hosts` - to fix, replace the use of `allowed_http_hosts` with `allowed_outbound_hosts = ["https://foo.com:443"]

Default ports

The allowed_outbound_hosts syntax now allows for omitting the port. If the port is omitted, the scheme is used to determine which port is allowed. For example, an https scheme allows for port 443 and a redis scheme allows for port 6379.

A full description of the allowed_outbound_hosts syntax

The allowed_outbound_hosts syntax is composed of three parts: a scheme, a host, and an optional port in the following form:

$SCHEME://$HOST:$PORT

Each of these elements can be either a specific string (e.g., scheme can be 'http' or 'redis') or a glob which allows anything. Additionally ports allow for port ranges using the syntax ($START..$END). In the future, we can easily extend this to more flexible syntax such as lists (e.g., {redis, mysql}://example.com:{3000, 4000, 5000..5999}).

• Scheme: The scheme decides which type of request is allowed. For example, if you specify 'redis' as the scheme than redis requests are allowed but postgres, mysql, http, etc. are not. Note that this is independent of whether the url the user is using in their code has the scheme or not. Making a request from the user's code to 'example.com' or 'redis://example.com' are both permitted when the allowed_outbound_hosts list includes 'redis://example.com'.
• Host: the host must match exactly between the url the user provides to an outbound networking interface being used and the configuration in allowed_outbound_hosts. For example Redis requests to 'example.com' are permitted by allowed_outbound_hosts = ["redis://example.com"] but requests to 'subdomain.example.com' are not (even if 'subdomain.example.com' redirects to 'example.com').
  • There is one special host "self" that allows making requests back to the current application.
• Port: The port used to make the request must be in the range specified by the config. For example, a request to 'example.com:4001' is allowed by allowed_outbound_hosts = ["*://example.com:4001"] and allowed_outbound_hosts = ["*://example.com:4000..4999"] but is not allowed by allowed_outbound_hosts = ["*://example.com:4000"].

[vdice]

suggestion: thoughts on reducing to just the following?

Suggested change

	replace the use of `allowed_http_hosts` with `allowed_outbound_hosts = {normalized:?}`",
	replace with `allowed_outbound_hosts = {normalized:?}`",

[itowlson]

@vdice maybe

Suggested change

	replace the use of `allowed_http_hosts` with `allowed_outbound_hosts = {normalized:?}`",
	replace `allowed_http_hosts` with `allowed_outbound_hosts = {normalized:?}`",

so as to be absolutely specific?

[rylev]

If there are no other changes, I might sneak this in to a follow-up PR to avoid having to run CI again, but otherwise 👍

[itowlson]

Thanks for working through what must at times have been frustrating feedback. I've not fully grasped the internals of the PR, but it looks good, and the behaviour gives us the long-term plan going forward while making users following older content successful. The ideal outcome.

[itowlson]

I will update the docs to align with this. (Thanks for picking up the templates!)

[itowlson]

@vdice heads up for the JS and Python templates