From 57aa919291f2f3ee54e2de4368642d38bad7b06d Mon Sep 17 00:00:00 2001 From: Christoph Ladurner Date: Mon, 17 Feb 2025 22:43:47 +0100 Subject: [PATCH] change: configuration of flask changed variable --- docs/customize/look-and-feel/index.md | 8 ++++---- docs/install/configuration.md | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/customize/look-and-feel/index.md b/docs/customize/look-and-feel/index.md index aed52a3e..5fe44cf1 100644 --- a/docs/customize/look-and-feel/index.md +++ b/docs/customize/look-and-feel/index.md @@ -35,15 +35,15 @@ INVENIO_THEME_FRONTPAGE_TITLE="Stage RePo: the Repository about Potatoes" ❌ DON'T ```shell - INVENIO_APP_ALLOWED_HOSTS=["127.0.0.1"] invenio-cli run + INVENIO_TRUSTED_HOSTS=["127.0.0.1"] invenio-cli run ``` - `APP_ALLOWED_HOSTS` is interpreted as the string `"[127.0.0.1]"` because of shell substitution followed by Python literal conversion. + `TRUSTED_HOSTS` is interpreted as the string `"[127.0.0.1]"` because of shell substitution followed by Python literal conversion. ✅ DO ```shell - INVENIO_APP_ALLOWED_HOSTS='["127.0.0.1"]' invenio-cli run + INVENIO_TRUSTED_HOSTS='["127.0.0.1"]' invenio-cli run ``` - `APP_ALLOWED_HOSTS` is interpreted as the list `["127.0.0.1"]` which is right. + `TRUSTED_HOSTS` is interpreted as the list `["127.0.0.1"]` which is right. Another pitfall to avoid is when a value can be interpreted as the wrong type. diff --git a/docs/install/configuration.md b/docs/install/configuration.md index 814a23ea..197139e7 100644 --- a/docs/install/configuration.md +++ b/docs/install/configuration.md 
@@ -45,9 +45,9 @@ The credentials you do find in the ``invenio.cfg`` file are for the default deve ## Options --- -### ``APP_ALLOWED_HOSTS`` +### ``TRUSTED_HOSTS`` -Invenio has a configuration option called ``APP_ALLOWED_HOSTS`` which controls which hosts/domain names can be served. A client request to a web server usually includes the domain name in the Host HTTP header: +Invenio has a configuration option called ``TRUSTED_HOSTS`` which controls which hosts/domain names can be served. A client request to a web server usually includes the domain name in the Host HTTP header: ``` GET / @@ -61,10 +61,10 @@ An attacker has full control of the host header and can thus change it to whatev Normally your load balancer/web server should only route requests with a white-listed set of hosts to your application. It is however very easy to misconfigure this in your web server, and thus Invenio includes a protective measure. -Simply set APP_ALLOWED_HOSTS to a list of allowed hosts/domain names: +Simply set TRUSTED_HOSTS to a list of allowed hosts/domain names: ``` -APP_ALLOWED_HOSTS = ['www.example.org'] +TRUSTED_HOSTS = ['www.example.org'] ``` Failing to properly configure this variable will cause the error `Bad Request Host x.x.x.x is not trusted.` when starting the web app.
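Review bot: In docs/customize/look-and-feel/index.md (hunk at -35,15), the old name `INVENIO_APP_ALLOWED_HOSTS` disappears from the DO/DON'T example with no migration hint, so a reader whose environment or deployment files still export it has nothing to search for and no way to tell that the setting is no longer the documented one. Suggest adding one sentence next to the example stating that `APP_ALLOWED_HOSTS` was renamed to `TRUSTED_HOSTS` and from which release the new name applies; the commit message does not give the release either.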
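Review bot: In docs/install/configuration.md (hunk at -45,9), replacing the section heading with "### ``TRUSTED_HOSTS``" will change the section anchor if the docs generator derives anchors from heading text, which would break existing deep links to the old `APP_ALLOWED_HOSTS` section. Suggest checking the repository for links to the old anchor and adding a short "formerly ``APP_ALLOWED_HOSTS``" remark under the new heading so that searches for the old option name still land on this host-header protection section.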
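Review bot: In docs/install/configuration.md (hunk at -61,10), the changed line "Simply set TRUSTED_HOSTS to a list of allowed hosts/domain names:" leaves the option name unformatted, while the heading and the opening paragraph of the same section write ``TRUSTED_HOSTS`` as code; since the line is touched anyway, format it the same way. This section also shows only the Python form `TRUSTED_HOSTS = ['www.example.org']`, so a pointer to the quoting example for `INVENIO_TRUSTED_HOSTS` in docs/customize/look-and-feel/index.md would help readers who set the value through the environment and then see `Bad Request Host x.x.x.x is not trusted.`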