Post-review hardening (both fail-safe, not bugs): - _client_ip normalizes IPs via ipaddress and unwraps IPv4-mapped IPv6, so a plain TRUSTED_PROXY_IPS=10.10.0.1 also matches a peer surfaced as ::ffff:10.10.0.1 (a Docker/IPv6 self-host footgun that would otherwise silently collapse everyone into one rate-limit bucket). - entrypoint.sh + _client_ip docstring: explicit warning never to add uvicorn --proxy-headers, which would rewrite request.client from the forgeable XFF and defeat the trust check.
18 lines
998 B
Bash
18 lines
998 B
Bash
#!/bin/sh
|
|
set -e
|
|
|
|
echo "Applying database migrations..."
|
|
alembic upgrade head
|
|
|
|
echo "Starting Siftlode API..."
|
|
# --timeout-keep-alive 75: keep idle upstream connections alive longer than the reverse
|
|
# proxy's idle-reuse window. uvicorn's default (5s) is shorter than Caddy's pooled-keepalive
|
|
# timeout, so Caddy would reuse a connection uvicorn had just closed -> broken pipe / reset
|
|
# on the next request -> 502. Non-idempotent POSTs (the player's progress/state writes,
|
|
# fired every 5s) can't be auto-retried by the proxy, so those 502s reached the user.
|
|
#
|
|
# SECURITY: do NOT add --proxy-headers / --forwarded-allow-ips here. auth._client_ip trusts
|
|
# X-Forwarded-For only when the TRUE socket peer is a configured proxy (TRUSTED_PROXY_IPS); those
|
|
# flags would make uvicorn overwrite request.client from the forgeable XFF, defeating that check and
|
|
# reopening the rate-limit bypass (SA3).
|
|
exec uvicorn app.main:app --host 0.0.0.0 --port 8000 --log-config log_config.json --timeout-keep-alive 75
|