Attempt to simplify the serve command for prod #3190
ganigeorgiev announced in Announcements
TL;DR: With the next release you'll be able to run on prod `./pocketbase serve example.com` and this should start an HTTPS server out of the box without requiring the users to edit their `/etc/hosts` file when a direct mapping between the domain and the VM local network interface is missing.

A lot of users reported issues related to the auto issued Let's Encrypt certificate when using the PocketBase executable with a domain name (see #2795, #3179, #1510 (comment), #107 (comment), etc.)
The issues originate from the fact that when you have something like:
we currently try to bind only to the single IPv4/IPv6 address that `example.com` is resolving to.

This is not a problem when the domain is managed within the VPS vendor interface (e.g. in Hetzner DNS Console, DigitalOcean Domains control panel, etc.), since this "mapping" between the VPS network interface and the domain is handled automatically by the vendor (most of the time).
But in some cases, users usually have to register manually an entry in their `/etc/hosts` file that describes the local network interface - domain relation (see #107 (comment)), which may not always be immediately clear.

This could be avoided if we listen to all local IPv4/IPv6 interfaces, aka. `0.0.0.0`/`[::]` (most reverse proxies do the same thing). This is usually recommended/"safe" only for services that we want to be publicly accessible (as it is in our case when a Let's Encrypt certificate is issued for a public domain). But it could also have some security implications, specifically on local dev environments with misconfigured/disabled firewall, because users may accidentally and unknowingly expose their service to the public (this is also why the default PocketBase address is `127.0.0.1:8090` and not `0.0.0.0:8090`), so the default listener addresses ideally should be conditional.

With that said, in order to have a smoother out of the box deployment experience, with the next release the `serve` command will support domain(s) names as optional argument(s) that will auto set the default values behind the scenes of the related `--http` and `--https` listener addresses. When at least one domain name argument is specified, the default flags values will be autoset to `--http="0.0.0.0:80"` and `--https="0.0.0.0:443"`, otherwise - the current "safe" local dev defaults will be used (aka. `--http="127.0.0.1:8090"` and `--https=""`).

For example:
Note that the `--http` and `--https` flags are still used and not deprecated!

They allow explicitly specifying the listener addresses and users can use them in combination with the above for example to listen to all IPv6 interfaces, instead of the default IPv4:
Additionally, in case the domain argument is missing, the existing behavior is preserved, aka.:
would be more-or-less the same as running:
(`93.184.216.34` is the IP of the `example.com` DNS A record)
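The conditional defaults described in the post above, together with a check of which interfaces a listener address binds to, as an added Go example that is not part of the original post and not PocketBase's own code. `Listeners`, `EffectiveListeners` and `Exposure` are hypothetical names, and an empty flag value is assumed to mean "not set".

```go
package main

import (
	"fmt"
	"net"
)

type Listeners struct{ HTTP, HTTPS string }

// EffectiveListeners applies the defaults described in the post: domain
// arguments switch the defaults to all IPv4 interfaces, no domain keeps the
// loopback-only dev default, and explicit flag values override either.
// Hypothetical helper (not PocketBase's code); an empty flag means "not set".
func EffectiveListeners(domains []string, httpFlag, httpsFlag string) Listeners {
	l := Listeners{HTTP: "127.0.0.1:8090", HTTPS: ""}
	if len(domains) > 0 {
		l = Listeners{HTTP: "0.0.0.0:80", HTTPS: "0.0.0.0:443"}
	}
	if httpFlag != "" {
		l.HTTP = httpFlag
	}
	if httpsFlag != "" {
		l.HTTPS = httpsFlag
	}
	return l
}

// Exposure classifies a listener address by which interfaces it binds to.
func Exposure(addr string) string {
	if addr == "" {
		return "disabled"
	}
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return "invalid"
	}
	ip := net.ParseIP(host)
	switch {
	case host == "" || (ip != nil && ip.IsUnspecified()):
		return "all-interfaces" // 0.0.0.0, [::] or a bare ":port"
	case host == "localhost" || (ip != nil && ip.IsLoopback()):
		return "loopback-only"
	}
	return "specific-host" // one IP, or a hostname resolved at bind time
}

func main() {
	l := EffectiveListeners([]string{"example.com"}, "", "")
	fmt.Println(l.HTTP, Exposure(l.HTTP), l.HTTPS, Exposure(l.HTTPS))
}
```

Running a check like `Exposure` against the effective addresses at startup makes an unintended `all-interfaces` bind on a dev machine visible before the firewall has to catch it.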