github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 02:48:13 -05:00
Code Issues 1.1k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #22539] issue: FORWARDED_ALLOW_IPS seems to be ignored because start.sh hardcodes --forwarded-allow-ips '*' #35269

New Issue
Closed
opened 2026-04-25 09:29:55 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-25 09:29:55 -05:00
Owner
Copy Link

Originally created by @MateKristof on GitHub (Mar 10, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/22539

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

v0.8.10

Ollama Version (if applicable)

No response

Operating System

Ubuntu 24.04

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Hi,

I noticed what looks like a mismatch between the documented/container environment configuration and the actual runtime behavior of start.sh.

What I observed

I am running Open WebUI from the Docker image/build path that ends up starting the app via:

bash start.sh


### Actual Behavior

Hi,

I noticed what looks like a mismatch between the documented/container environment configuration and the actual runtime behavior of `start.sh`.

I am running Open WebUI through the normal Docker image/build path, where the container eventually starts the app via:

```bash
bash start.sh

In the container environment, FORWARDED_ALLOW_IPS is set to a specific value, for example:

FORWARDED_ALLOW_IPS=127.0.0.1,172.20.0.0/16

However, the actual Uvicorn process is started with:

--forwarded-allow-ips *

What I found

In backend/start.sh, I found hardcoded --forwarded-allow-ips '*' usage in the startup path.

That seems to make a specific FORWARDED_ALLOW_IPS environment setting ineffective at runtime.

I also noticed that .env.example contains:

FORWARDED_ALLOW_IPS='*'

which suggests that FORWARDED_ALLOW_IPS is intended to be configurable.

Reproduction

  1. Set FORWARDED_ALLOW_IPS in the container environment to a specific subnet or list.
  2. Start the container normally.
  3. Inspect the running process command line.
  4. The process still runs with:
--forwarded-allow-ips *

Why this looks problematic

From my perspective, the current behavior means that even if the operator explicitly configures FORWARDED_ALLOW_IPS, the runtime still trusts all proxies because start.sh passes * directly to Uvicorn.

So the env setting appears to be present in the container, but not actually honored by the runtime startup command.

Question

Is this intentional, or is this a bug?

If FORWARDED_ALLOW_IPS is meant to be configurable, would it make sense for start.sh to use something like:

--forwarded-allow-ips "${FORWARDED_ALLOW_IPS:-*}"

instead of hardcoding *?

Thanks.

Steps to Reproduce

Reproduction

  1. Set FORWARDED_ALLOW_IPS in the container environment to a specific subnet or list.
  2. Start the container normally.
  3. Inspect the running process command line.
  4. The process still runs with:
--forwarded-allow-ips *

Logs & Screenshots

Additional Information

No response

Originally created by @MateKristof on GitHub (Mar 10, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/22539 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Git Clone ### Open WebUI Version v0.8.10 ### Ollama Version (if applicable) _No response_ ### Operating System Ubuntu 24.04 ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior Hi, I noticed what looks like a mismatch between the documented/container environment configuration and the actual runtime behavior of `start.sh`. ## What I observed I am running Open WebUI from the Docker image/build path that ends up starting the app via: ```bash bash start.sh ### Actual Behavior Hi, I noticed what looks like a mismatch between the documented/container environment configuration and the actual runtime behavior of `start.sh`. I am running Open WebUI through the normal Docker image/build path, where the container eventually starts the app via: ```bash bash start.sh ``` In the container environment, `FORWARDED_ALLOW_IPS` is set to a specific value, for example: ```bash FORWARDED_ALLOW_IPS=127.0.0.1,172.20.0.0/16 ``` However, the actual Uvicorn process is started with: ```bash --forwarded-allow-ips * ``` ## What I found In `backend/start.sh`, I found hardcoded `--forwarded-allow-ips '*'` usage in the startup path. That seems to make a specific `FORWARDED_ALLOW_IPS` environment setting ineffective at runtime. I also noticed that `.env.example` contains: ```bash FORWARDED_ALLOW_IPS='*' ``` which suggests that `FORWARDED_ALLOW_IPS` is intended to be configurable. ## Reproduction 1. Set `FORWARDED_ALLOW_IPS` in the container environment to a specific subnet or list. 2. Start the container normally. 3. Inspect the running process command line. 4. The process still runs with: ```bash --forwarded-allow-ips * ``` ## Why this looks problematic From my perspective, the current behavior means that even if the operator explicitly configures `FORWARDED_ALLOW_IPS`, the runtime still trusts all proxies because `start.sh` passes `*` directly to Uvicorn. So the env setting appears to be present in the container, but not actually honored by the runtime startup command. ## Question Is this intentional, or is this a bug? If `FORWARDED_ALLOW_IPS` is meant to be configurable, would it make sense for `start.sh` to use something like: ```bash --forwarded-allow-ips "${FORWARDED_ALLOW_IPS:-*}" ``` instead of hardcoding `*`? Thanks. ### Steps to Reproduce ## Reproduction 1. Set `FORWARDED_ALLOW_IPS` in the container environment to a specific subnet or list. 2. Start the container normally. 3. Inspect the running process command line. 4. The process still runs with: ```bash --forwarded-allow-ips * ``` ### Logs & Screenshots - ### Additional Information _No response_
GiteaMirror added the bug label 2026-04-25 09:29:55 -05:00
GiteaMirror commented 2026-04-25 09:29:57 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Mar 25, 2026):

Addressed in dev.

<!-- gh-comment-id:4122376798 --> @tjbck commented on GitHub (Mar 25, 2026): Addressed in dev.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#35269
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?