Chrome 忽略本地主机子域的主机文件
Chrome ignoring hosts file for subdomains of localhost
当我尝试访问 http://mysubdomain.localhost 时 chrome 解析为 [::1]80,即使在主机文件中有针对该域的显式条目。没有其他浏览器以这种方式运行。 Firefox、safari 和 curl 都解析我的主机文件中给定的 IP 地址。这是我目前的全部主机文件:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
192.168.88.88 mysubdomain.localhost
然而,当我尝试访问 chrome 中的 http://mysubdomain.localhost 时,它并没有解析为 192.168.88.88。这对我来说是有问题的,因为 192.168.88.88 是我计算机上的虚拟机 运行。我可以将域更改为 http://mysubdomain.local 或 http://mysubdomain.dev,但这需要我更新项目中许多人使用的配置文件,我宁愿避免这样做,因为我可能会破坏某些方面他们的工作流程。
Firefox(按要求工作)
curl(根据需要工作)
Chrome(未按预期工作)
一些我已经尝试过的东西:
- 我没有使用代理
- 我已经多次清除浏览器缓存
- 我已经从
chrome://net-internals/#dns 中清除了 dns 缓存
- 我重启了几次机器
- 我已经用终端命令
sudo dscacheutil -flushcache;sudo killall -HUP mDNSResponder 清除了系统DNS缓存
- 我试过几次隐身模式
- 我已经尝试创建一个新的 chrome 用户帐户
系统信息:
Chrome版本:53.0.2785.116
OS 版本:Mac OS 10.11.6 (El Capitan)
经过进一步审查,我认为这是 unfortunately working as designed。来自 Chromium 问题队列:
This was done as a security mitigation, as OS X's resolver does not properly ensure that .localhost domains are not queried on the network, which is a key security property of ensuring .localhost is truely local. Because we can't trust the resolver to do the secure thing, we unfortunately can't trust the resolver (even when it may be secure)...
The security risk is not about properly configured server vs improperly configured server. It's that a DNS resolver should never send foo.localhost requests out to the network. If it does, a network attacker could make "foo.localhost" point to any IP of their choosing. This is bad, because "localhost" (and "*.localhost") have special privileges (c.f. http://www.w3.org/TR/powerful-features/#is-origin-trustworthy ), and because they have those special privileges, they need to be secure.
事实上,似乎 chrome 可能是正确实施 RFC-6761 的唯一工具,其中部分说明:
Name resolution APIs and libraries SHOULD recognize localhost
names as special and SHOULD always return the IP loopback address
for address queries and negative responses for all other query
types. Name resolution APIs SHOULD NOT send queries for
localhost names to their configured caching DNS server(s).
所以看来没有办法解决这个问题。我会将虚拟机的域更改为 http://mysubdomain.local
在玩弄这个并使用了一段时间的 firefox 之后,我偶然发现了一个解决方法。您无需更改开发环境,只需安装 https://www.telerik.com/download/fiddler.
我相信 Fiddler 会绕过 chrome 的 DNS,因此您无需更改所有环境即可拥有一个完美运行的系统。
我已经在 Windows 10 上用 Hyper-v over vagrant 测试了这个。
当我尝试访问 http://mysubdomain.localhost 时 chrome 解析为 [::1]80,即使在主机文件中有针对该域的显式条目。没有其他浏览器以这种方式运行。 Firefox、safari 和 curl 都解析我的主机文件中给定的 IP 地址。这是我目前的全部主机文件:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
192.168.88.88 mysubdomain.localhost
然而,当我尝试访问 chrome 中的 http://mysubdomain.localhost 时,它并没有解析为 192.168.88.88。这对我来说是有问题的,因为 192.168.88.88 是我计算机上的虚拟机 运行。我可以将域更改为 http://mysubdomain.local 或 http://mysubdomain.dev,但这需要我更新项目中许多人使用的配置文件,我宁愿避免这样做,因为我可能会破坏某些方面他们的工作流程。
Firefox(按要求工作)
curl(根据需要工作)
Chrome(未按预期工作)
一些我已经尝试过的东西:
- 我没有使用代理
- 我已经多次清除浏览器缓存
- 我已经从
chrome://net-internals/#dns 中清除了 dns 缓存
- 我重启了几次机器
- 我已经用终端命令
sudo dscacheutil -flushcache;sudo killall -HUP mDNSResponder清除了系统DNS缓存
- 我试过几次隐身模式
- 我已经尝试创建一个新的 chrome 用户帐户
系统信息:
Chrome版本:53.0.2785.116
OS 版本:Mac OS 10.11.6 (El Capitan)
经过进一步审查,我认为这是 unfortunately working as designed。来自 Chromium 问题队列:
This was done as a security mitigation, as OS X's resolver does not properly ensure that .localhost domains are not queried on the network, which is a key security property of ensuring .localhost is truely local. Because we can't trust the resolver to do the secure thing, we unfortunately can't trust the resolver (even when it may be secure)...
The security risk is not about properly configured server vs improperly configured server. It's that a DNS resolver should never send foo.localhost requests out to the network. If it does, a network attacker could make "foo.localhost" point to any IP of their choosing. This is bad, because "localhost" (and "*.localhost") have special privileges (c.f. http://www.w3.org/TR/powerful-features/#is-origin-trustworthy ), and because they have those special privileges, they need to be secure.
事实上,似乎 chrome 可能是正确实施 RFC-6761 的唯一工具,其中部分说明:
Name resolution APIs and libraries SHOULD recognize localhost names as special and SHOULD always return the IP loopback address for address queries and negative responses for all other query types. Name resolution APIs SHOULD NOT send queries for localhost names to their configured caching DNS server(s).
所以看来没有办法解决这个问题。我会将虚拟机的域更改为 http://mysubdomain.local
在玩弄这个并使用了一段时间的 firefox 之后,我偶然发现了一个解决方法。您无需更改开发环境,只需安装 https://www.telerik.com/download/fiddler.
我相信 Fiddler 会绕过 chrome 的 DNS,因此您无需更改所有环境即可拥有一个完美运行的系统。
我已经在 Windows 10 上用 Hyper-v over vagrant 测试了这个。