Listen on Host 0.0.0.0 by default #1475

Closed

intellix
Contributor

Before webpack, the server used to bind to 0.0.0.0 by default to allow connecting via network IPs like 192.168.5.1.
This makes it easier to develop mobile applications as you can just connect to the same network and access via IP.

@filipesilva
Contributor

@TheLarkInn can you review?

@TheLarkInn
Member

Does this not work currently if you set --host='0.0.0.0' @intellix ?

@TheLarkInn
Member

Never mind that last statement. I had to look up if setting 0.0.0.0 will allow you to go to localhost:port in the browser, and it looks like it will.

@clydin
Member

clydin commented Jul 28, 2016

I'd prefer if the smallest set of interfaces were bound by default (i.e., localhost). Unintentionally (and potentially unknowingly) exposing under development projects is generally not a good security practice.

However, I do understand the use case outlined above. I think a better option would be to add a default host option to the angular-cli.json file (and default that to localhost).

@intellix
Contributor Author

intellix commented Jul 28, 2016

A couple of dev servers that bind to 0.0.0.0 by default from checking:

  • angular-cli before webpack
  • live-server
  • http-server
  • python -m SimpleHTTPServer

Typically when you serve anything, you get a message like:

http-server started, available on: 
 http://127.0.0.1:4200
 http://192.168.5.1:4200

I've never come across something that wasn't available on 192.x out of the box before :)

@clydin
Member

clydin commented Jul 28, 2016

All of which have the same flaw in a development setting.
See this commit message (from a project that doesn't) for a reason why: rack/rack@28b0144

@kylecordes

It is probably better to not bind to 0.0.0.0 by default. There are good security arguments and so on.

However, I recommend setting that aside for the moment, and aiming for the same convenience as the competing tools for other frameworks, that @intellix mentioned.

Why? Because the hard part at the start of a new thing is getting users. Adding yet another thing that people have to mess with if they use angular-cli, which "just works" with other tools, is not a good way to get users.

@clydin
Member

clydin commented Jul 28, 2016

The typical development use case is to open the web app in a local browser. This is covered with localhost. It's better to put secure defaults in place early than cause disruptions down the line.

Also of note, the AngularClass angular2-webpack-starter (which many currently use) defaults to localhost.
https://github.com/AngularClass/angular2-webpack-starter/blob/master/config/webpack.dev.js#L20

@TheLarkInn
Member

I'll have to agree with @clydin and @kylecordes on this one. I think that although out of the box, this will probably not impact any user, but opening additional endpoints by default is really not the best practice from a security standpoint.

If you are looking for an avenue of convenience you could simply add a npm script you can execute that runs:

ng serve --host 0.0.0.0

For the sake of the everyday user, I think it's best to leave at "localhost". When we have our plugin/addon system more fleshed out @intellix I would love to work with you to help implement a plugin/addon that gives you these features by default.
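
The difference between the two defaults debated in this thread, as an added example that is not part of the original conversation and not angular-cli code: for a given `--host` value it lists the addresses a dev server would answer on and flags non-loopback exposure. The helper names and the sample interface table are assumptions made for illustration.

```javascript
// Added example, not angular-cli code. SAMPLE_INTERFACES is constructed data in
// the shape Node's os.networkInterfaces() returns; pass the real result in use.
const SAMPLE_INTERFACES = {
  lo: [
    { address: '127.0.0.1', family: 'IPv4', internal: true },
    { address: '::1', family: 'IPv6', internal: true },
  ],
  wlan0: [{ address: '192.168.5.1', family: 'IPv4', internal: false }],
};

// Some Node 18 releases reported family as a number, other versions as a string.
const isV4 = (a) => a.family === 'IPv4' || a.family === 4;

// Hypothetical helper: which local addresses accept connections for a --host value.
function bindExposure(host, port, interfaces) {
  const all = Object.values(interfaces).flat();
  let bound;
  if (host === '0.0.0.0') {
    bound = all.filter(isV4); // wildcard: every IPv4 interface
  } else if (host === '::') {
    bound = all; // wildcard: every interface (dual-stack assumed)
  } else if (host === 'localhost') {
    bound = all.filter((a) => a.internal); // loopback only; the resolver picks one
  } else {
    bound = all.filter((a) => a.address === host); // literal IP; other names not resolved
  }
  const urls = bound.map((a) => `http://${isV4(a) ? a.address : `[${a.address}]`}:${port}`);
  const exposed = bound.filter((a) => !a.internal).map((a) => a.address);
  return { urls, exposed, networkReachable: exposed.length > 0 };
}

// Hypothetical startup banner in the style of the http-server output quoted above,
// with a warning line when the listener is reachable from other machines.
function startupBanner(host, port, interfaces) {
  const { urls, exposed, networkReachable } = bindExposure(host, port, interfaces);
  const lines = [`dev server bound to ${host}, available on:`, ...urls.map((u) => ` ${u}`)];
  if (networkReachable) {
    lines.push(`WARNING: reachable from the network via ${exposed.join(', ')}`);
  }
  return lines;
}

console.log(startupBanner('0.0.0.0', 4200, SAMPLE_INTERFACES).join('\n'));
console.log(startupBanner('localhost', 4200, SAMPLE_INTERFACES).join('\n'));
```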

@filipesilva
Contributor

I'm also of the opinion that there is little benefit in defaulting to 0.0.0.0 instead of localhost. The convenience argument doesn't convince me, as it's not hard to configure nor debug. You know if you need network access to your local server.

I've personally been in a situation at a FinTech company where default network access to local servers was a problem. No one knew it was happening, it was just default.

Unless there's stronger arguments provided, I think this PR should not go in.

@TheLarkInn
Member

I'm going to close this. @hansl if you disagree with or see any reason otherwise please feel free to reopen.

@TheLarkInn TheLarkInn closed this Jul 30, 2016
@intellix
Contributor Author

you drive a hard bargain! guess it would be good to mention in the migration doc :)
Also: ng help serve says: --host (String) Listens on all interfaces by default so I'll PR away that

@TheLarkInn
Member

Thank you very much that is definitely needed.

@colemickens

It seems like it still says that it listens on all interfaces which is a bit misleading...

@colemickens

colemickens commented Nov 27, 2016

$ npm install -g angular-cli
$ ng serve --help

# ...
ng serve <options...>
  Builds and serves your app, rebuilding on file changes.
  aliases: server, s
  --port (Number) (Default: 4200)
    aliases: -p <value>
  --host (String) (Default: localhost) Listens on all interfaces by default
    aliases: -H <value>
# ...

and

root@pixel:/polykube-frontend/source# ng --version
Could not start watchman; falling back to NodeWatcher for file system events.
Visit http://ember-cli.com/user-guide/#watchman for more info.
angular-cli: 1.0.0-beta.16
node: 6.9.1
os: linux x64

@colemickens

Apparently, whatever I'm doing to install ng isn't working. Because I'm still getting beta.16 instead of beta.21 as expected from npmjs.

@colemickens

Actually, is it possible that the version isn't being updated before pushing to npm? Even if I npm install -g angular-cli@1.0.0-beta.21 it reports itself as 1.0.0-beta.16....

@anandbabud1987

Used:
ng server --host 0.0.0.0
but getting:
Invalid Host header

@donmccurdy

Seeing Invalid Host header as well. Looks similar to this issue.

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 12, 2019