ashb closed pull request #3983: [AIRFLOW-3137] Make ProxyFix middleware optional. URL: https://github.com/apache/incubator-airflow/pull/3983
This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg index 0028d7832f..bb4ab208d7 100644 --- a/airflow/config_templates/default_airflow.cfg +++ b/airflow/config_templates/default_airflow.cfg @@ -314,6 +314,9 @@ navbar_color = #007A87 # Default dagrun to show in UI default_dag_run_display_number = 25 +# Enable werkzeug `ProxyFix` middleware +enable_proxy_fix = False + [email] email_backend = airflow.utils.email.send_email_smtp diff --git a/airflow/www/app.py b/airflow/www/app.py index a7f7424cb6..98e3003908 100644 --- a/airflow/www/app.py +++ b/airflow/www/app.py @@ -47,7 +47,8 @@ def create_app(config=None, testing=False): log = LoggingMixin().log app = Flask(__name__) - app.wsgi_app = ProxyFix(app.wsgi_app) + if configuration.conf.getboolean('webserver', 'ENABLE_PROXY_FIX'): + app.wsgi_app = ProxyFix(app.wsgi_app) app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY') app.config['LOGIN_DISABLED'] = not configuration.conf.getboolean( 'webserver', 'AUTHENTICATE') diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py index 321185ee9b..392dce1b31 100644 --- a/airflow/www_rbac/app.py +++ b/airflow/www_rbac/app.py @@ -41,7 +41,8 @@ def create_app(config=None, session=None, testing=False, app_name="Airflow"): global app, appbuilder app = Flask(__name__) - app.wsgi_app = ProxyFix(app.wsgi_app) + if conf.getboolean('webserver', 'ENABLE_PROXY_FIX'): + app.wsgi_app = ProxyFix(app.wsgi_app) app.secret_key = conf.get('webserver', 'SECRET_KEY') airflow_home_path = conf.get('core', 'AIRFLOW_HOME') diff --git a/docs/integration.rst b/docs/integration.rst index f1ad6c5cb6..6ef7bd8398 100644 --- a/docs/integration.rst +++ b/docs/integration.rst @@ -65,6 +65,15 @@ Your reverse proxy (ex: nginx) should be configured as follow: } } +To ensure that Airflow generates URLs with the correct scheme when +running behind a TLS-terminating proxy, you should configure the proxy +to set the `X-Forwarded-Proto` header, and enable the `ProxyFix` +middleware in your `airflow.cfg`:: + + enable_proxy_fix = True + +Note: you should only enable the `ProxyFix` middleware when running +Airflow behind a trusted proxy (AWS ELB, nginx, etc.). .. _Azure: ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services