Micheal Ascah created AIRFLOW-2977:
--------------------------------------
Summary: Airflow Webserver Behind Reverse Proxy with SSL Termination
Key: AIRFLOW-2977
URL: https://issues.apache.org/jira/browse/AIRFLOW-2977
Project: Apache Airflow
Issue Type: Improvement
Components: webserver
Affects Versions: 1.10.0
Reporter: Micheal Ascah
Assignee: Micheal Ascah
Currently, there is no way in Airflow to configure gunicorn to allow it to
trust X-Forwarded-* headers from a reverse proxy.
In the scenario where the webserver is being run behind an Application Load
Balancer in AWS that is also performing SSL termination, gunicorn will ignore
the X-Forwarded-Proto header and issue redirects using HTTP instead of HTTPS.
If the load balancer is only accepting traffic over 443, then these redirects
obviously fail.
To resolve this, gunicorn needs to be configured to trust the X-Forwarded
headers. Rather than manually modifying the gunicorn_config.py under www
(which is still also being used by the new RBAC webserver), a value should
be able to be provided through the airflow.cfg (or also through an env var).
This configuration is documented by gunicorn under the section regarding
deployment behind a proxy.
[http://docs.gunicorn.org/en/stable/deploy.html]
Proposed to allow a forwarded_allow_ips variable under the `webserver` section
of the airflow.cfg and set in the gunicorn_config.py.
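The trust decision the issue describes, as an added example that is not part of the original report and is neither Airflow's nor gunicorn's code: a simplified model of how a forwarded_allow_ips list decides whether X-Forwarded-Proto from the direct peer affects the redirect scheme. The environment variable name AIRFLOW__WEBSERVER__FORWARDED_ALLOW_IPS, the helper names, the host name and the 10.0.1.17 load balancer address are assumptions.

```python
import ipaddress
import os

# Scheme headers gunicorn honours by default (its secure_scheme_headers setting).
SECURE_SCHEME_HEADERS = {
    "X-FORWARDED-PROTOCOL": "ssl",
    "X-FORWARDED-PROTO": "https",
    "X-FORWARDED-SSL": "on",
}


def load_forwarded_allow_ips(environ=os.environ):
    """Read the proposed option; the env var name is an assumption.

    Falls back to gunicorn's own default of 127.0.0.1.
    """
    raw = environ.get("AIRFLOW__WEBSERVER__FORWARDED_ALLOW_IPS", "127.0.0.1")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    for entry in entries:
        if entry != "*":
            ipaddress.ip_address(entry)  # raises ValueError on a typo
    return entries


def effective_scheme(peer_ip, headers, allow_ips):
    """Return the scheme used for redirects, given the direct peer address."""
    trusted = "*" in allow_ips or peer_ip in allow_ips
    if not trusted:
        return "http"  # forwarded headers from unlisted peers are ignored
    upper = {k.upper(): v for k, v in headers.items()}
    for name, secure_value in SECURE_SCHEME_HEADERS.items():
        if upper.get(name) == secure_value:
            return "https"
    return "http"


def redirect_location(peer_ip, headers, allow_ips, host, path):
    return f"{effective_scheme(peer_ip, headers, allow_ips)}://{host}{path}"


if __name__ == "__main__":
    # Constructed sample: 10.0.1.17 stands in for the load balancer's address.
    alb_headers = {"X-Forwarded-Proto": "https"}
    for env in ({}, {"AIRFLOW__WEBSERVER__FORWARDED_ALLOW_IPS": "10.0.1.17"}):
        allow = load_forwarded_allow_ips(env)
        print(allow, redirect_location("10.0.1.17", alb_headers, allow,
                                       "airflow.example.com", "/admin/"))
```

Setting the list to "*" trusts the header from every peer, so it is only appropriate when the webserver port is reachable solely through the proxy.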