fix(@angular/build): The error message generated when serve angular app by custom hostname

Add custom middleware for to present an Angular-tailored message

Fix #32028

Author: aparzi

packages/angular/build/src/builders/dev-server/tests/options/allowed-hosts_spec.ts

@@ -27,12 +27,13 @@ describeServeBuilder(executeDevServer, DEV_SERVER_BUILDER_INFO, (harness, setupT
         ...BASE_OPTIONS,
       });
 
-      const { result, response } = await executeOnceAndGet(harness, '/', {
+      const { result, response, content } = await executeOnceAndGet(harness, '/', {
         request: { headers: FETCH_HEADERS },
       });
 
       expect(result?.success).toBeTrue();
       expect(response?.statusCode).toBe(403);
+      expect(content).toContain('angular.json');
     });
 
     it('does not allow an invalid host when option is an empty array', async () => {
@@ -41,12 +42,13 @@ describeServeBuilder(executeDevServer, DEV_SERVER_BUILDER_INFO, (harness, setupT
         allowedHosts: [],
       });
 
-      const { result, response } = await executeOnceAndGet(harness, '/', {
+      const { result, response, content } = await executeOnceAndGet(harness, '/', {
         request: { headers: FETCH_HEADERS },
       });
 
       expect(result?.success).toBeTrue();
       expect(response?.statusCode).toBe(403);
+      expect(content).toContain('angular.json');
     });
 
     it('allows a host when specified in the option', async () => {

packages/angular/build/src/builders/dev-server/vite/server.ts

@@ -56,7 +56,10 @@ async function createServerConfig(
     strictPort: true,
     host: serverOptions.host,
     open: serverOptions.open,
-    allowedHosts: serverOptions.allowedHosts,
+    // Disable Vite's built-in allowed hosts page so we can present
+    // an Angular-tailored message and keep behavior consistent with CLI options.
+    // Re-implement the host check via a custom middleware.
+    allowedHosts: true,
     headers: serverOptions.headers,
     // Disable the websocket if live reload is disabled (false/undefined are the only valid values)
     ws: serverOptions.liveReload === false && serverOptions.hmr === false ? false : undefined,
@@ -226,6 +229,8 @@ export async function setupServer(
         ssrMode,
         resetComponentUpdates: () => templateUpdates.clear(),
         projectRoot: serverOptions.projectRoot,
+        allowedHosts: serverOptions.allowedHosts,
+        devHost: serverOptions.host,
       }),
       createRemoveIdPrefixPlugin(externalMetadata.explicitBrowser),
       await createAngularSsrTransformPlugin(serverOptions.workspaceRoot),

packages/angular/build/src/tools/vite/middlewares/host-check-middleware.ts

@@ -0,0 +1,116 @@
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.dev/license
+ */
+
+import type { ServerResponse } from 'node:http';
+import type { Connect, ViteDevServer } from 'vite';
+
+function extractHostname(hostHeader: string | undefined): string | undefined {
+  if (!hostHeader) {
+    return undefined;
+  }
+
+  // Remove port if present (e.g., example.com:4200)
+  const idx = hostHeader.lastIndexOf(':');
+  if (idx > -1 && hostHeader.indexOf(']') === -1) {
+    // Skip IPv6 addresses that include ':' within brackets
+    return hostHeader.slice(0, idx).toLowerCase();
+  }
+
+  return hostHeader.toLowerCase();
+}
+
+function isLocalHost(name: string | undefined): boolean {
+  if (!name) return false;
+  return name === 'localhost' || name === '127.0.0.1' || name === '[::1]' || name === '::1';
+}
+
+function html403(hostname: string): string {
+  return `<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Blocked request</title>
+    <style>
+      body{font-family:system-ui,-apple-system,Segoe UI,Roboto,Ubuntu,Cantarell,Noto Sans,sans-serif;line-height:1.4;margin:2rem;color:#1f2937}
+      code{background:#f3f4f6;padding:.15rem .35rem;border-radius:.25rem}
+      .box{max-width:760px;margin:0 auto}
+      h1{font-size:1.5rem;margin-bottom:.75rem}
+      p{margin:.5rem 0}
+      .muted{color:#6b7280}
+      pre{background:#f9fafb;border:1px solid #e5e7eb;padding:.75rem;border-radius:.5rem;overflow:auto}
+    </style>
+  </head>
+  <body>
+    <div class="box">
+      <h1>Blocked request. This host ("${hostname}") is not allowed.</h1>
+      <p>The Angular development server only responds to local hosts by default.</p>
+      <p>To allow this host, add it to <code>allowedHosts</code> under the <code>serve</code> target in <code>angular.json</code>.</p>
+      <pre><code>{
+  "serve": {
+    "options": {
+      "allowedHosts": ["${hostname}"]
+    }
+  }
+}</code></pre>
+    </div>
+  </body>
+  </html>`;
+}
+
+/**
+ * Middleware that enforces host checking using Angular CLI's `allowedHosts` option.
+ *
+ * Vite's own host check is disabled in the server configuration so that we can
+ * present an Angular-specific guidance page when blocked.
+ */
+export function createAngularHostCheckMiddleware(
+  _server: ViteDevServer,
+  allowedHosts: true | string[] | undefined,
+  devHost: string,
+): Connect.NextHandleFunction {
+  // Normalize configured allowed hosts
+  const allowAll = allowedHosts === true;
+  const allowedSet = new Set(
+    Array.isArray(allowedHosts) ? allowedHosts.map((h) => h.toLowerCase()) : [],
+  );
+
+  const devHostLower = devHost?.toLowerCase?.();
+
+  return function angularHostCheckMiddleware(
+    req: Connect.IncomingMessage,
+    res: ServerResponse,
+    next: Connect.NextFunction,
+  ) {
+    if (allowAll) {
+      return next();
+    }
+
+    const hostname = extractHostname(req.headers.host);
+
+    // Always allow local access and the explicit dev host when meaningful
+    if (
+      isLocalHost(hostname) ||
+      (devHostLower && devHostLower !== '0.0.0.0' && hostname === devHostLower)
+    ) {
+      return next();
+    }
+
+    // Allow if present in configured list
+    if (hostname && allowedSet.has(hostname)) {
+      return next();
+    }
+
+    // Block with an Angular-specific 403 page
+    const body = html403(hostname ?? '');
+    res.statusCode = 403;
+    res.setHeader('Content-Type', 'text/html; charset=utf-8');
+    res.setHeader('Content-Length', Buffer.byteLength(body));
+    res.end(body);
+  };
+}

packages/angular/build/src/tools/vite/middlewares/index.ts

@@ -16,3 +16,4 @@ export {
 export { createAngularHeadersMiddleware } from './headers-middleware';
 export { createAngularComponentMiddleware } from './component-middleware';
 export { createChromeDevtoolsMiddleware } from './chrome-devtools-middleware';
+export { createAngularHostCheckMiddleware } from './host-check-middleware';

packages/angular/build/src/tools/vite/plugins/setup-middlewares-plugin.ts

@@ -14,6 +14,7 @@ import {
   createAngularComponentMiddleware,
   createAngularHeadersMiddleware,
   createAngularIndexHtmlMiddleware,
+  createAngularHostCheckMiddleware,
   createAngularSsrExternalMiddleware,
   createAngularSsrInternalMiddleware,
   createChromeDevtoolsMiddleware,
@@ -55,6 +56,8 @@ interface AngularSetupMiddlewaresPluginOptions {
   ssrMode: ServerSsrMode;
   resetComponentUpdates: () => void;
   projectRoot: string;
+  allowedHosts: true | string[];
+  devHost: string;
 }
 
 async function createEncapsulateStyle(): Promise<
@@ -86,6 +89,11 @@ export function createAngularSetupMiddlewaresPlugin(
         resetComponentUpdates,
       } = options;
 
+      // Install host check first to ensure blocked hosts receive a tailored HTML message.
+      server.middlewares.use(
+        createAngularHostCheckMiddleware(server, options.allowedHosts, options.devHost),
+      );
+
       // Headers, assets and resources get handled first
       server.middlewares.use(createAngularHeadersMiddleware(server));
       server.middlewares.use(createAngularComponentMiddleware(server, templateUpdates));