Uvicorn behind proxy: suggested improvements for documentation and command line options

[adamsol]

I'd like to report some details that I found confusing when configuring Uvicorn with Nginx (https://www.uvicorn.org/deployment/#running-behind-nginx).

• The documentation warns to "ensure [...] that Uvicorn is run using the --proxy-headers setting". However, this is the default:

  uvicorn/uvicorn/main.py

  Lines 221 to 224 in d79f285

  	@click.option(
  	"--proxy-headers/--no-proxy-headers",
  	is_flag=True,
  	default=True,

• So the above option does nothing, and it's not the only one. Why are there pairs of boolean options such that one of them does nothing? We don't even know what the defaults are, without searching the code.

• When binding to a UNIX socket, we need to also add --forwarded-allow-ips='*'. This is mentioned in the documentation, but it's quite unexpected and easy to miss. I missed it, and spent a lot of time trying to understand why my requests passed to Django are not considered secure, and looking for workarounds.

  • Shouldn't --forwarded-allow-ips='*' be the default when --uds is used? Currently passing the * makes me feel like I'm doing something wrong security-wise.
  • If not, then maybe at least it could be described in the documentation whenever --uds is described, e.g. here and in uvicorn --help.