Posted to commits@airflow.apache.org by "Micheal Ascah (JIRA)" <ji...@apache.org> on 2018/08/29 12:41:01 UTC

[jira] [Updated] (AIRFLOW-2977) Airflow Webserver Behind Reverse Proxy with SSL Termination

     [ https://issues.apache.org/jira/browse/AIRFLOW-2977?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Micheal Ascah updated AIRFLOW-2977:
-----------------------------------
    Description: 
Currently, there is no way in Airflow to configure gunicorn to allow it to trust X-Forwarded-* headers from a reverse proxy.

In the scenario where the webserver is being run behind an Application Load Balancer in AWS that is also performing SSL termination, gunicorn will ignore the X-Forwarded-Proto header and issue redirects using HTTP instead of HTTPS. If the load balancer is only accepting traffic over 443, then these redirects obviously fail.

To resolve this, gunicorn needs to be configured to trust the X-Forwarded headers. Rather than manually modifying the gunicorn_config.py under www (which is still also being used by the new RBAC webserver), a value should be able to be provided through the airflow.cfg (or also through an env var).

This configuration is documented by gunicorn under the section regarding deployment behind a proxy.

[http://docs.gunicorn.org/en/stable/deploy.html]

Propose to allow a forwarded_allow_ips variable under the `webserver` section of the airflow.cfg, and set in the gunicorn_config.py.

  was:
Currently, there is no way in Airflow to configure gunicorn to allow it to trust X-Forwarded-* headers from a reverse proxy.

In the scenario where the webserver is being run behind an Application Load Balancer in AWS that is also performing SSL termination, gunicorn will ignore the X-Forwarded-Proto header and issue redirects using HTTP instead of HTTPS. If the load balancer is only accepting traffic over 443, then these redirects obviously fail.

To resolve this, gunicorn needs to be configured to trust the X-Forwarded headers. Rather than manually modifying the gunicorn_config.py under www, (which is still also being used by the new RBAC webserver), a value should be able to be provided through the airflow.cfg (or also through an env var).

This configuration is documented by gunicorn under the section regarding deployment behind a proxy.

[http://docs.gunicorn.org/en/stable/deploy.html]

Proposed to allow a forwarded_allow_ips variable under the `webserver` section of the airflow.cfg. and set in the gunicorn_config.py.


> Airflow Webserver Behind Reverse Proxy with SSL Termination
> -----------------------------------------------------------
>
>                 Key: AIRFLOW-2977
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2977
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: webserver
>    Affects Versions: 1.10.0
>            Reporter: Micheal Ascah
>            Assignee: Micheal Ascah
>            Priority: Minor
>
> Currently, there is no way in Airflow to configure gunicorn to allow it to trust X-Forwarded-* headers from a reverse proxy.
> In the scenario where the webserver is being run behind an Application Load Balancer in AWS that is also performing SSL termination, gunicorn will ignore the X-Forwarded-Proto header and issue redirects using HTTP instead of HTTPS. If the load balancer is only accepting traffic over 443, then these redirects obviously fail.
>
> To resolve this, gunicorn needs to be configured to trust the X-Forwarded headers. Rather than manually modifying the gunicorn_config.py under www (which is still also being used by the new RBAC webserver), a value should be able to be provided through the airflow.cfg (or also through an env var).
> This configuration is documented by gunicorn under the section regarding deployment behind a proxy.
>
> [http://docs.gunicorn.org/en/stable/deploy.html]
>
> Propose to allow a forwarded_allow_ips variable under the `webserver` section of the airflow.cfg, and set in the gunicorn_config.py.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
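
Added example, not part of the original issue and not Airflow's or gunicorn's own code: a simplified Python model of the trust decision that forwarded_allow_ips controls, showing why the proxy's address should be listed rather than a wildcard. The helper names and addresses are constructed for illustration, and exact-IP matching is an assumption of this model.

```python
import ipaddress

# Header/value pairs that mark a request as HTTPS; these mirror gunicorn's
# documented secure_scheme_headers defaults.
SECURE_SCHEME_HEADERS = {
    "X-FORWARDED-PROTOCOL": "ssl",
    "X-FORWARDED-PROTO": "https",
    "X-FORWARDED-SSL": "on",
}


def parse_forwarded_allow_ips(raw, allow_wildcard=False):
    """Parse a comma-separated forwarded_allow_ips value into a set of IPs.

    "*" means "trust every peer"; it is rejected unless explicitly allowed,
    because then any client can claim its request arrived over HTTPS.
    """
    entries = {item.strip() for item in raw.split(",") if item.strip()}
    if "*" in entries:
        if not allow_wildcard:
            raise ValueError("wildcard trusts X-Forwarded-* from any peer")
        return {"*"}
    # ipaddress.ip_address raises ValueError on anything that is not an IP.
    return {str(ipaddress.ip_address(item)) for item in entries}


def effective_scheme(peer_ip, headers, trusted):
    """Return the URL scheme the app should use when building redirects."""
    if "*" not in trusted and str(ipaddress.ip_address(peer_ip)) not in trusted:
        return "http"  # untrusted peer: forwarded headers are ignored
    for name, value in headers.items():
        if SECURE_SCHEME_HEADERS.get(name.upper()) == value.lower():
            return "https"
    return "http"


# Constructed sample: a TLS-terminating proxy at 10.0.1.15 (hypothetical address).
TRUSTED = parse_forwarded_allow_ips("127.0.0.1, 10.0.1.15")
FROM_PROXY = effective_scheme("10.0.1.15", {"X-Forwarded-Proto": "https"}, TRUSTED)
DIRECT_CLIENT = effective_scheme("203.0.113.9", {"X-Forwarded-Proto": "https"}, TRUSTED)
```

With the proxy's address listed, redirects for proxied requests use HTTPS, while the same header from an unlisted peer is ignored.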