Re: [PATCH] pgarchives: Add host option for pglister_sync - Mailing list pgsql-www

From Célestin Matte
Subject Re: [PATCH] pgarchives: Add host option for pglister_sync
Date
Msg-id 31a1029c-44fb-4b74-a754-1b081ccfa7c7@cmatte.me
In response to Re: [PATCH] pgarchives: Add host option for pglister_sync  (Magnus Hagander <magnus@hagander.net>)
List pgsql-www
> And for very good reasons, because you've removed an important part of the https security!

Which makes sense and is hardly exploitable in that case since we're talking about local traffic

> Differentiating hosts on https is something SNI has been used for for many years. That seems to be the appropriate solution here as well, if you absolutely need to use https on localhost? (There are things that require that, such as access to browser camera, but I don't see how any of that would apply to a pglister API call, so it seems easier to just not encrypt localhost traffic?)

Problem is that requests made to the domain will be received as coming from the server's external IP address, which makes it difficult to detect it as local traffic (unless hardcoding this IP address in apache's config)

> Bottom line is this really sounds like a server side issue in the apache configuration, and should be solved there.

Yes, I ended up adding the target domain to /etc/hosts so that it resolves to 127.0.0.1 or ::1, which is a much simpler solution. Thanks for the inputs, they made me consider things differently!

This patch can be forgotten.
Please let me kindly remind you that many other patches are waiting for integration and I listed their state here:
https://www.postgresql.org/message-id/6fc41ae5-f547-4cbd-a2d5-54ad75e33fe5@cmatte.me

-- 
Célestin Matte


