Posted to commits@airflow.apache.org by "Micheal Ascah (JIRA)" <ji...@apache.org> on 2018/08/29 12:40:00 UTC

[jira] [Created] (AIRFLOW-2977) Airflow Webserver Behind Reverse Proxy with SSL Termination

Micheal Ascah created AIRFLOW-2977:
--------------------------------------

             Summary: Airflow Webserver Behind Reverse Proxy with SSL Termination
                 Key: AIRFLOW-2977
                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2977
             Project: Apache Airflow
          Issue Type: Improvement
          Components: webserver
    Affects Versions: 1.10.0
            Reporter: Micheal Ascah
            Assignee: Micheal Ascah


Currently, there is no way in Airflow to configure gunicorn to allow it to trust X-Forwarded-* headers from a reverse proxy.

In the scenario where the webserver is being run behind an Application Load Balancer in AWS that is also performing SSL termination, gunicorn will ignore the X-Forwarded-Proto header and issue redirects using HTTP instead of HTTPS. If the load balancer is only accepting traffic over 443, then these redirects obviously fail.

 

To resolve this, gunicorn needs to be configured to trust the X-Forwarded headers. Rather than manually modifying the gunicorn_config.py under www (which is still also being used by the new RBAC webserver), a value should be able to be provided through the airflow.cfg (or also through an env var).

This configuration is documented by gunicorn under the section regarding deployment behind a proxy.

 

[http://docs.gunicorn.org/en/stable/deploy.html]

 

Proposed to allow a forwarded_allow_ips variable under the `webserver` section of the airflow.cfg and set in the gunicorn_config.py.



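Added example, not part of the original issue and not Airflow's code: one way a gunicorn_config.py could resolve the proposed setting and validate it before handing it to gunicorn, plus a simplified model of which peers get their X-Forwarded-Proto honoured. The env var name, the function names and the sample addresses are assumptions.

```python
import configparser
import ipaddress

# Assumed names: the issue proposes forwarded_allow_ips under [webserver];
# the env var follows Airflow's AIRFLOW__SECTION__KEY convention.
ENV_VAR = "AIRFLOW__WEBSERVER__FORWARDED_ALLOW_IPS"
GUNICORN_DEFAULT = "127.0.0.1"  # gunicorn's default: trust only loopback

# Constructed sample config; the addresses stand in for the load balancer nodes.
SAMPLE_CFG = """
[webserver]
forwarded_allow_ips = 10.0.1.15, 10.0.2.15
"""


def resolve_forwarded_allow_ips(cfg_text, environ):
    """Return the value to assign to forwarded_allow_ips in gunicorn_config.py.

    Precedence: env var, then airflow.cfg, then gunicorn's default. Each entry
    must be a literal IP address or "*", so a typo or hostname fails at startup
    instead of silently changing which peers are trusted.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    raw = environ.get(ENV_VAR) or parser.get(
        "webserver", "forwarded_allow_ips", fallback=GUNICORN_DEFAULT)
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        raise ValueError("forwarded_allow_ips is empty")
    for entry in entries:
        if entry != "*":
            ipaddress.ip_address(entry)  # raises ValueError if not an IP
    return ",".join(entries)


def effective_scheme(peer_ip, headers, allow_ips):
    """Simplified model of the check: X-Forwarded-Proto counts only when the
    connecting peer is in the allow list (or the list is the wildcard)."""
    allowed = allow_ips.split(",")
    trusted = "*" in allowed or peer_ip in allowed
    if trusted and headers.get("X-Forwarded-Proto", "").lower() == "https":
        return "https"
    return "http"
```

A value of "*" makes every connecting peer trusted, so it only fits deployments where gunicorn is reachable solely through the proxy.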