GitHub user dosubot[bot] added a comment to the discussion: Issue embedding 
Apache Superset dashboards behind reverse proxy (public → private VLAN)

Hi @akaladmin! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the 
Superset team.

Superset now officially supports running behind a path-based reverse proxy 
(like `/superset/`) as of version 6.0. For earlier versions, subpath 
deployments are unreliable due to hardcoded paths and are not recommended for 
production use. If you’re on 6.0 or newer, here’s what works:

**Superset config (superset_config.py or env):**
```python
APPLICATION_ROOT = '/superset'
STATIC_ASSETS_PREFIX = '/superset'
ENABLE_PROXY_FIX = True
PROXY_FIX_CONFIG = {
    "x_for": 1,
    "x_proto": 1,
    "x_host": 1,
    "x_port": 1,
    "x_prefix": 1,
}
```
Or set `SUPERSET_APP_ROOT=/superset` and `STATIC_ASSETS_PREFIX=/superset` as 
environment variables. This ensures all URLs and static assets use the correct 
prefix. `ENABLE_PROXY_FIX` and `PROXY_FIX_CONFIG` let Superset trust the proxy 
headers for correct URL generation and redirects [[config 
reference](https://github.com/apache/superset/blob/master/superset/config.py)].

**nginx config:**
```nginx
location /superset/ {
    proxy_pass http://<private_superset_ip>:8088/;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Prefix /superset/;
    proxy_http_version 1.1;
    port_in_redirect off;
    proxy_connect_timeout 300;
}
```
If you’re running in development mode, you may need a separate block for 
`/superset/static` to proxy static assets correctly [[nginx 
example](https://github.com/apache/superset/blob/master/docker/nginx/templates/superset.conf.template)].

**Troubleshooting:**
- Redirect loops or 404s usually mean the path prefix isn’t set everywhere, or 
proxy headers are missing.
- Make sure `X-Forwarded-Proto` is set to avoid protocol mismatch errors in 
redirects 
[[discussion](https://github.com/apache/superset/discussions/33440#discussioncomment-13148269)].
- For embedding, if you use SSO (like Keycloak) and guest tokens, you can’t mix 
both flows in the same browser session due to global session cookie handling in 
Flask/Superset. Use guest tokens for embedding, and SSO for the full UI, but 
not both in the same session. If you need both, use separate subdomains or 
browsers/incognito windows [[session/cookie 
discussion](https://github.com/apache/superset/discussions/35231#discussioncomment-14477395)].

**If you’re on a version before 6.0:**  
Path-based reverse proxying is not fully supported and will likely break in 
subtle ways (redirects, static assets, hardcoded URLs). The recommended 
workaround is to use a dedicated subdomain (host-based proxying) instead 
[[subpath support status](https://github.com/apache/superset/issues/34896)].

Let me know if you need a full example config or have questions about a 
specific version!



GitHub link: 
https://github.com/apache/superset/discussions/37376#discussioncomment-15576732
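
The following consistency check is an added example, not part of the original comment or of Superset. It compares the `PROXY_FIX_CONFIG` trust counts with the headers the nginx block actually sets, because nginx forwards any client-supplied `X-Forwarded-*` header it does not overwrite. It assumes the keys map to Werkzeug `ProxyFix` arguments; `headers_set_by_proxy` and `audit` are hypothetical helper names.

```python
import re

# Assumption: PROXY_FIX_CONFIG keys are Werkzeug ProxyFix arguments, each
# naming how many proxy hops to trust for one X-Forwarded-* header.
TRUSTED_HEADER = {
    "x_for": "X-Forwarded-For",
    "x_proto": "X-Forwarded-Proto",
    "x_host": "X-Forwarded-Host",
    "x_port": "X-Forwarded-Port",
    "x_prefix": "X-Forwarded-Prefix",
}

# Values copied from the comment above.
APPLICATION_ROOT = "/superset"
PROXY_FIX_CONFIG = {"x_for": 1, "x_proto": 1, "x_host": 1, "x_port": 1, "x_prefix": 1}
NGINX_LOCATION = """
location /superset/ {
    proxy_pass http://<private_superset_ip>:8088/;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Prefix /superset/;
}
"""

def headers_set_by_proxy(nginx_conf):
    """Map each header named in a proxy_set_header directive to its value."""
    found = {}
    for line in nginx_conf.splitlines():
        m = re.match(r"\s*proxy_set_header\s+(\S+)\s+(.+?)\s*;", line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found

def audit(proxy_fix_config, nginx_conf, app_root):
    """Return trusted headers nginx never overwrites, plus any prefix mismatch."""
    set_headers = headers_set_by_proxy(nginx_conf)
    findings = []
    for key, hops in proxy_fix_config.items():
        header = TRUSTED_HEADER[key]
        if hops and header.lower() not in set_headers:
            findings.append(f"{key}={hops} trusts {header}, but nginx does not set it")
    prefix = set_headers.get("x-forwarded-prefix")
    if prefix is not None and prefix.rstrip("/") != app_root.rstrip("/"):
        findings.append(f"X-Forwarded-Prefix {prefix} != APPLICATION_ROOT {app_root}")
    return findings

for finding in audit(PROXY_FIX_CONFIG, NGINX_LOCATION, APPLICATION_ROOT):
    print(finding)
```

For each finding, either have nginx set that header explicitly (for example `X-Forwarded-Host $host`) or set the matching count in `PROXY_FIX_CONFIG` to 0 so the header is ignored.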
