Allow insecure HTTP connections to 10.0.0.0/8
IP addresses
#12942
Labels
Area:Settings
NuGet.Config and related issues
Triage:NeedsTriageDiscussion
Type:DCR
Design Change Request
NuGet Product(s) Affected
dotnet.exe
Current Behavior
My company is running a locally managed Gitea instance on our intranet, and is connected to through the (RFC 1918 reserved)
10.0.0.0/8
IP range. On Gitea, we use their built-in support for being a NuGet package repository. This all works great. However, every time the compiler decides to run a "NuGet restore" operation, we get anNU1803
warning about using HTTP sources:I understand the reasoning for this: "use HTTPS everywhere", but this is not always feasible. And frankly, it's not even necessary for intranets, of which
10.0.0.0/8
is part of.Using HTTPS with IP addresses is not well-supported, and many certificate providers won't issue one for you, except in certain circumstances. For example, LetsEncrypt flat out won't issue certificates for IP addresses. Some providers will give you one for publicly accessible IPs, but
10.0.0.0/8
is obviously not.Theoretically, we could use a fake subdomain on our real website (such as
git.{}.com
), and modify everyone'shosts
file to route to our Gitea instance. This would possibly allow our wildcard certificate from the website to be used, but it's clunky as it requires work on every computer.Desired Behavior
Accesses to HTTP NuGet sources are allowed with no warning, but only for certain IP ranges. Namely,
10.0.0.0/8
.Additional Context
192.168.0.0/16
could also be included as it's the "loopback" address, and, as such, will not even leave the current computer.The text was updated successfully, but these errors were encountered: