In the default configuration gunicorn respects the X-Forwarded-Proto HTTP header only if the connection comes from localhost.
This is not the case e.g. when running under docker, where gunicorn sees the docker gateway IP, causing it to disregard the header and potentially produce an error regarding the mismatch of public_url and the application URL.
The command-line argument --forwarded-allow-ips tells gunicorn to trust the headers if the connection originates from certain other IP addresses.
To expose this setting for docker setups of syncserver, the docker entrypoint is changed to optionally set this argument based on the environment variable SYNCSERVER_FORWARDED_ALLOW_IPS, defaulting to 127.0.0.1, which mirrors the gunicorn default.

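An added illustration of the entrypoint logic described above (hypothetical helper, not syncserver's own entrypoint script): it builds the gunicorn argument from SYNCSERVER_FORWARDED_ALLOW_IPS with the 127.0.0.1 default, and additionally refuses a wildcard and malformed entries, since every address in this list is allowed to assert the scheme the application sees. The dotted-quad sanity check is an assumption of this example and only covers IPv4 entries.

```shell
# Hypothetical entrypoint helper (assumption: not part of syncserver).
# Emits the --forwarded-allow-ips argument for gunicorn, taking the value
# from SYNCSERVER_FORWARDED_ALLOW_IPS and defaulting to 127.0.0.1,
# which is gunicorn's own default.
forwarded_allow_ips_arg() {
    allow="${SYNCSERVER_FORWARDED_ALLOW_IPS:-127.0.0.1}"

    # A wildcard would make gunicorn trust X-Forwarded-* headers from any
    # client, so any caller could spoof the scheme/host; refuse it here.
    if [ "$allow" = "*" ]; then
        echo "refusing wildcard SYNCSERVER_FORWARDED_ALLOW_IPS" >&2
        return 1
    fi

    # Every comma-separated entry must look like a dotted-quad IPv4 address
    # (simple sanity check; IPv6 entries are out of scope for this example).
    old_ifs="$IFS"; IFS=','
    for ip in $allow; do
        case "$ip" in
            ''|*[!0-9.]*|.*|*.|*..*)
                IFS="$old_ifs"
                echo "invalid address in SYNCSERVER_FORWARDED_ALLOW_IPS: $ip" >&2
                return 1 ;;
        esac
    done
    IFS="$old_ifs"

    printf -- '--forwarded-allow-ips=%s\n' "$allow"
}
```

Typical use inside an entrypoint would be `exec gunicorn "$(forwarded_allow_ips_arg)" ...`, aborting startup when the function fails.
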
We still default to using the local verifier because it's simpler,
but using a remote verifier may be necessary for e.g. testing
purposes when running on localhost.
Connects to mozilla/fxa-local-dev#112

Setting the SYNCSERVER_IDENTITY_PROVIDER environment variable will
cause syncserver to restrict both BrowserID and OAuth credentials
to be issued from that server.

The migration also solves an issue when running this service under ARM based architectures, as the previous usage of dumb-init_1.2.0_amd64 is incompatible on ARM architecture.

Fixes #91, by pulling in a new version of tokenserver's LocalVerifier class that properly supports the extra "idpClaims" property that we use for tracking FxA generation numbers.

Before this change, you either have to accept the default config
for the tokenserver backend, or specify all config options and hence
duplicate info from earlier in the file. With this change you can
now just specify anything you want to change and we'll use the defaults
for the rest.