[
https://issues.apache.org/jira/browse/AIRFLOW-571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16618620#comment-16618620
]
ASF GitHub Bot commented on AIRFLOW-571:
----------------------------------------
r39132 closed pull request #1869: [AIRFLOW-571] added --forwarded_allow_ips as
a command line argument to webserver
URL: https://github.com/apache/incubator-airflow/pull/1869
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/airflow/bin/cli.py b/airflow/bin/cli.py
index 21e1d23878..8fda8f5dc1 100755
--- a/airflow/bin/cli.py
+++ b/airflow/bin/cli.py
@@ -45,7 +45,7 @@
from airflow import api
from airflow import jobs, settings
from airflow import configuration as conf
-from airflow.exceptions import AirflowException
+from airflow.exceptions import AirflowException, AirflowConfigException
from airflow.executors import DEFAULT_EXECUTOR
from airflow.models import (DagModel, DagBag, TaskInstance,
DagPickle, DagRun, Variable, DagStat,
@@ -699,6 +699,11 @@ def webserver(args):
if ssl_cert and not ssl_key:
raise AirflowException(
'An SSL key must also be provided for use with ' + ssl_cert)
+ try:
+ forwarded_allow_ips = (args.forwarded_allow_ips or
+ conf.get('webserver', 'forwarded_allow_ips'))
+ except AirflowConfigException:
+ forwarded_allow_ips = None
if args.debug:
print(
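Review bot: in the new `try` block in `webserver()`, the resolved `forwarded_allow_ips` value is accepted without validation, and the `AirflowConfigException` fallback silently yields `None`. Consider checking that the value is either `*` or a comma-separated list of IP addresses before it reaches `run_args`, and logging the effective setting at startup, since it decides which peers' forwarded headers are trusted. Note also that `args.forwarded_allow_ips or conf.get(...)` treats an empty string on the command line as "not given", so a configured value cannot be overridden with an empty one.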
@@ -740,6 +745,9 @@ def webserver(args):
if ssl_cert:
run_args += ['--certfile', ssl_cert, '--keyfile', ssl_key]
+ if forwarded_allow_ips:
+ run_args += ['--forwarded-allow-ips', forwarded_allow_ips]
+
run_args += ["airflow.www.app:cached_app()"]
gunicorn_master_proc = subprocess.Popen(run_args)
@@ -1294,6 +1302,10 @@ class CLIFactory(object):
default=conf.get('webserver', 'ERROR_LOGFILE'),
help="The logfile to store the webserver error log. Use '-' to
print to "
"stderr."),
+ 'forwarded_allow_ips': Arg(
+ ("--forwarded_allow_ips", ),
+ default=None,
+ help="Pass gunicorn front-end IPs allowed to handle set secure
headers."),
# resetdb
'yes': Arg(
("-y", "--yes"),
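Review bot: the help string for `--forwarded_allow_ips` ("Pass gunicorn front-end IPs allowed to handle set secure headers.") does not say what format is expected or what the value controls. Suggest stating that it is a comma-separated list of front-end (load balancer or proxy) IPs whose forwarded headers gunicorn will trust, and that `*` trusts every peer. The flag is spelled with underscores here while the gunicorn option it maps to, `--forwarded-allow-ips`, uses hyphens; a word in the help text would keep the two from being confused.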
@@ -1469,7 +1481,8 @@ class CLIFactory(object):
'help': "Start a Airflow webserver instance",
'args': ('port', 'workers', 'workerclass', 'worker_timeout',
'hostname',
'pid', 'daemon', 'stdout', 'stderr', 'access_logfile',
- 'error_logfile', 'log_file', 'ssl_cert', 'ssl_key',
'debug'),
+ 'error_logfile', 'log_file', 'ssl_cert', 'ssl_key',
+ 'forwarded_allow_ips', 'debug'),
}, {
'func': resetdb,
'help': "Burn down and rebuild the metadata database",
diff --git a/airflow/configuration.py b/airflow/configuration.py
index 265f7289ea..a86f629493 100644
--- a/airflow/configuration.py
+++ b/airflow/configuration.py
@@ -211,6 +211,12 @@ def run_command(command):
web_server_ssl_cert =
web_server_ssl_key =
+# Pass gunicorn front-end IPs allowed to handle set secure headers.
+# Multiple IPs should be comma separated. Set to * to disable checking.
+# Useful if you are running gunicorn behind a load balancer.
+# See http://docs.gunicorn.org/en/stable/settings.html#forwarded-allow-ips
+# forwarded_allow_ips = *
+
# Number of seconds the gunicorn webserver waits before timing out on a worker
web_server_worker_timeout = 120
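Review bot: the comment "Set to * to disable checking" and the sample line `# forwarded_allow_ips = *` present the wildcard as the example value. With `*`, forwarded headers are trusted from any peer rather than only from the load balancer, so the sample would be better written with the load balancer's address(es), and the comment should say that `*` is appropriate only when gunicorn cannot be reached except through the front end. The documentation link could also use https.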
@@ -454,6 +460,7 @@ def run_command(command):
dag_orientation = LR
log_fetch_timeout_sec = 5
hide_paused_dags_by_default = False
+forwarded_allow_ips = *
[email]
email_backend = airflow.utils.email.send_email_smtp
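Review bot: `forwarded_allow_ips = *` is added here as an active setting, unlike the commented-out line in the earlier hunk of this file. Because `webserver()` falls back to `conf.get('webserver', 'forwarded_allow_ips')`, any webserver started from this template passes `--forwarded-allow-ips *` to gunicorn. Unless the wildcard is required here, leave the key unset or use a specific address so that trusting every peer is an explicit operator choice.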
----------------------------------------------------------------
> allow gunicorn config to be passed to airflow webserver
> -------------------------------------------------------
>
> Key: AIRFLOW-571
> URL: https://issues.apache.org/jira/browse/AIRFLOW-571
> Project: Apache Airflow
> Issue Type: Improvement
> Components: webserver
> Reporter: Dennis O'Brien
> Priority: Major
>
> I have run into an issue when running airflow webserver behind a load
> balancer where redirects result in https requests forwarded to http. I ran
> into a similar issue with Caravel which also uses gunicorn.
> https://github.com/airbnb/caravel/issues/978 From that issue:
> {quote}
> When gunicorn is run on a different machine from the load balancer (nginx or
> ELB), it needs to be told explicitly to trust the X-Forwarded-* headers sent.
> gunicorn takes an option --forwarded-allow-ips which can either be a comma
> separated list of ip addresses, or "*" to trust all.
> {quote}
> I don't see a simple way to inject custom arguments to the gunicorn call in
> `webserver()`. Rather than making a special case to set
> --forwarded-allow-ips, it would be nice if the caller of `airflow webserver`
> could pass an additional gunicorn config file.
> The call to gunicorn is already including a -c and I'm not sure gunicorn will
> take multiple configs, so maybe we have to parse the config and include each
> name=value on the gunicorn command line. Any suggestions on how best to
> allow this?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
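The trust rule quoted in the issue, as an added example (not Airflow's or gunicorn's code): a simplified Python model of when `X-Forwarded-Proto` is honoured for a given `forwarded_allow_ips` value, comparing a specific front-end address with `*`. The function names, the single-header handling and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def parse_allow_ips(value):
    """Parse a comma-separated allow list; returns "*" or a set of IP objects.

    Raises ValueError for an entry that is neither "*" nor an IP address.
    """
    entries = [v.strip() for v in (value or "").split(",") if v.strip()]
    if "*" in entries:
        return "*"
    return {ipaddress.ip_address(e) for e in entries}


def effective_scheme(peer_ip, headers, allow_ips, listener_scheme="http"):
    """Scheme the application sees for one request in this simplified model.

    X-Forwarded-Proto is honoured only if the TCP peer is an allowed front end.
    """
    allowed = parse_allow_ips(allow_ips)
    trusted = allowed == "*" or ipaddress.ip_address(peer_ip) in allowed
    lowered = {k.lower(): v for k, v in headers.items()}
    if trusted and lowered.get("x-forwarded-proto", "").lower() == "https":
        return "https"
    return listener_scheme


# Constructed sample traffic: one request relayed by the load balancer and one
# sent straight to the gunicorn port by a client that sets the header itself.
LOAD_BALANCER = "10.0.0.5"      # hypothetical front-end address
DIRECT_CLIENT = "203.0.113.9"   # hypothetical client bypassing the front end
FORWARDED = {"X-Forwarded-Proto": "https"}


def compare(allow_ips):
    """Return {peer: scheme} for both sample peers under one allow list."""
    return {
        peer: effective_scheme(peer, FORWARDED, allow_ips)
        for peer in (LOAD_BALANCER, DIRECT_CLIENT)
    }


if __name__ == "__main__":
    for setting in ("10.0.0.5", "*"):
        print(setting, compare(setting))
```

With the specific address only the load balancer's header changes the scheme; with `*` the directly connected client's header is honoured as well.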