[GitHub] ashb closed pull request #3983: [AIRFLOW-3137] Make ProxyFix middleware optional.

Tue, 02 Oct 2018 08:17:35 -0700 

ashb closed pull request #3983: [AIRFLOW-3137] Make ProxyFix middleware 
optional.
URL: https://github.com/apache/incubator-airflow/pull/3983
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/airflow/config_templates/default_airflow.cfg 
b/airflow/config_templates/default_airflow.cfg
index 0028d7832f..bb4ab208d7 100644
--- a/airflow/config_templates/default_airflow.cfg
+++ b/airflow/config_templates/default_airflow.cfg
@@ -314,6 +314,9 @@ navbar_color = #007A87
 # Default dagrun to show in UI
 default_dag_run_display_number = 25
 
+# Enable werkzeug `ProxyFix` middleware
+enable_proxy_fix = False
+
 
 [email]
 email_backend = airflow.utils.email.send_email_smtp
diff --git a/airflow/www/app.py b/airflow/www/app.py
index a7f7424cb6..98e3003908 100644
--- a/airflow/www/app.py
+++ b/airflow/www/app.py
@@ -47,7 +47,8 @@ def create_app(config=None, testing=False):
     log = LoggingMixin().log
 
     app = Flask(__name__)
-    app.wsgi_app = ProxyFix(app.wsgi_app)
+    if configuration.conf.getboolean('webserver', 'ENABLE_PROXY_FIX'):
+        app.wsgi_app = ProxyFix(app.wsgi_app)
     app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY')
     app.config['LOGIN_DISABLED'] = not configuration.conf.getboolean(
         'webserver', 'AUTHENTICATE')
diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py
index 321185ee9b..392dce1b31 100644
--- a/airflow/www_rbac/app.py
+++ b/airflow/www_rbac/app.py
@@ -41,7 +41,8 @@
 def create_app(config=None, session=None, testing=False, app_name="Airflow"):
     global app, appbuilder
     app = Flask(__name__)
-    app.wsgi_app = ProxyFix(app.wsgi_app)
+    if conf.getboolean('webserver', 'ENABLE_PROXY_FIX'):
+        app.wsgi_app = ProxyFix(app.wsgi_app)
     app.secret_key = conf.get('webserver', 'SECRET_KEY')
 
     airflow_home_path = conf.get('core', 'AIRFLOW_HOME')
diff --git a/docs/integration.rst b/docs/integration.rst
index f1ad6c5cb6..6ef7bd8398 100644
--- a/docs/integration.rst
+++ b/docs/integration.rst
@@ -65,6 +65,15 @@ Your reverse proxy (ex: nginx) should be configured as 
follow:
           }
       }
 
+To ensure that Airflow generates URLs with the correct scheme when
+running behind a TLS-terminating proxy, you should configure the proxy
+to set the `X-Forwarded-Proto` header, and enable the `ProxyFix`
+middleware in your `airflow.cfg`::
+
+    enable_proxy_fix = True
+
+Note: you should only enable the `ProxyFix` middleware when running
+Airflow behind a trusted proxy (AWS ELB, nginx, etc.).
 
 .. _Azure:
 


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

Reply via email to