> What "localhost whitelist" are you referring to here?
> I set up http auth and disable it in the virtualhost for localhost:
>
>     <Location />
>         AuthType Basic
>         AuthName "Restricted Access"
>         AuthUserFile /etc/apache2/.htpasswd
>         Require valid-user
>         Require local
>     </Location>
>
> (This is what I called "whitelisting localhost")
I haven't configured apache in anger in many many years, but I assume what you're trying to do is exclude it from basic auth, but have basic auth on the rest? Surely there must be a way to do just that?
> As for the patch, it seems like a really bad idea to silently turn off https validation when you specify a hostname. Surely those are completely independent things?
> urllib will display a warning if you use a Host header different from the URL
And for very good reasons, because you've removed an important part of the https security!
> I honestly don't understand your described workload... Is your goal to have http auth on all URLs except the /api/archive/<name>/lists/ endpoint from localhost? Surely that's a matter of apache config rather than patching the client?
> I want to have http auth for everyone except localhost.
> I may not have chosen the best way to do that. Do you see a better way to handle this?
Per above, I don't know how to configure things in apache. But excluding auth on localhost is definitely something I've done many times on other platforms.
ISTM that this should be a question for someone who knows apache configuration, rather than a patch to lower the security of the pglister code.
> And if you just want to change the hostname, can't you just edit the URL?
> No because I have several domains on localhost. Apache needs to somehow (with the Host header) know which one is wanted.
Differentiating hosts on https is something SNI has been used for for many years. That seems to be the appropriate solution here as well, if you absolutely need to use https on localhost? (There are things that require that, such as access to browser camera, but I don't see how any of that would apply to a pglister API call, so it seems easier to just not encrypt localhost traffic?)
Bottom line is this really sounds like a server side issue in the apache configuration, and should be solved there.
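For reference, here is an added illustration (not from either participant in this thread, nor from the pglister project) of the server-side approach suggested above: a name-based HTTPS vhost that clients select via SNI, with Basic auth required for everyone except connections from the local machine. Hostname, certificate paths and the htpasswd path are placeholders.

```apache
# Added example; hostname and certificate paths are placeholders.
# Name-based vhost on 443: a client that connects to 127.0.0.1 but
# sends this name in SNI (and in Host) reaches this block, so the
# client's hostname validation can stay switched on.
<VirtualHost *:443>
    ServerName lists.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/lists.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/lists.example.org.key

    <Location />
        AuthType Basic
        AuthName "Restricted Access"
        AuthUserFile /etc/apache2/.htpasswd
        # Apache 2.4: the request is allowed if EITHER condition holds.
        # Sibling Require lines already default to RequireAny, but the
        # explicit container makes "auth unless local" unambiguous.
        <RequireAny>
            Require local
            Require valid-user
        </RequireAny>
    </Location>
</VirtualHost>
```

Two caveats: `Require local` matches 127.0.0.0/8, ::1 and the server's own address, so anything that proxies through the same machine (a local reverse proxy, for example) will look local and bypass the auth unless the real client address is restored with mod_remoteip; and a client can test this without touching Host or validation by pinning the name to the loopback address, e.g. `curl --resolve lists.example.org:443:127.0.0.1 https://lists.example.org/`.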