Pyramid & gunicorn & nginx + X-Forwarded-Proto


epe...@emergya.com

Oct 30, 2015, 10:27:54 AM
to pylons-discuss
Hi,

We have 2 pyramid (1.5) apps run by gunicorn behind nginx as reverse proxy, both in the same HTTPS vhost. One app is at location /, and the other is at /bla/. This is the relevant configuration of the vhost:

server {
    listen 443 ssl;
    server_name localhost;
    ssl on;
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location /bla/ {
        proxy_pass http://app1.docker:8080/bla/;
        proxy_redirect http://app1.docker:8080/bla/ http://$host/bla/;
        proxy_set_header Host localhost;
        proxy_set_header SCRIPT_NAME /bla;
        proxy_set_header X-Forwarded-Host localhost;
        proxy_set_header X-Forwarded-Proto https;
    }
    location / {
        proxy_pass http://app2.docker:8080/;
        proxy_redirect off;
    }
}

Everything works as expected except for the scheme part of url generation. Calls to static_url in the templates (using pyramid_jinja2 2.1) produce correct URLs except that they use an HTTP scheme. Calls to route_url in the templates produce correct URLs including the scheme. Calls to route_url in python view code produce URLs with incorrect HTTP scheme. Adding a handler for the NewRequest event fixes this issue, like this:

from pyramid.events import NewRequest, subscriber

@subscriber(NewRequest)
def set_request_scheme(event):
    # Use the scheme the reverse proxy reports (X-Forwarded-Proto) for URL generation.
    if 'HTTP_X_FORWARDED_PROTO' in event.request.environ:
        event.request.scheme = event.request.environ['HTTP_X_FORWARDED_PROTO']

However, I wonder if we are doing something incorrectly, perhaps there is some other header that can be set in nginx, or some particular configuration in pyramid?

Jonathan Vanasco

Oct 30, 2015, 10:45:19 AM
to pylons-discuss
You probably just need this in your .ini:

[app:main]
filter-with = proxy-prefix

[filter:proxy-prefix]
use = egg:PasteDeploy#prefix

Randall Leeds

Oct 30, 2015, 11:27:33 AM
to pylons-discuss
It looks like you'll need to check this setting: http://docs.gunicorn.org/en/19.3/settings.html#forwarded-allow-ips

Trusting the X-Forwarded headers from the open internet is not safe, so gunicorn normally only does so from localhost connections. In your case, the connections to gunicorn will be coming from the docker gateway IP.

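Randall's point, as an added illustration that is neither gunicorn's code nor PasteDeploy's prefix middleware: a small WSGI middleware that honours X-Forwarded-Proto, X-Forwarded-Host and the SCRIPT_NAME header from the nginx config above only when the TCP peer (REMOTE_ADDR) is in an allow-list, which is the same check gunicorn's forwarded-allow-ips setting performs. The names (`TrustedProxyMiddleware`, `apply_forwarded_headers`, `SAMPLE_ENVIRON`) and the docker gateway address 172.17.0.1 are constructed for this example, not taken from the thread.

```python
"""Trusted-proxy handling for X-Forwarded-* headers (constructed example)."""
import ipaddress
from typing import Iterable, List, Optional

# Constructed default: trust only the loopback peer, which is also gunicorn's
# default for forwarded-allow-ips. The value "*" means "trust every peer".
DEFAULT_TRUSTED = ("127.0.0.1",)


def parse_trusted(trusted: Iterable[str]) -> Optional[List]:
    """Turn a list of IPs/CIDRs into networks; None means 'trust everyone'."""
    nets = []
    for item in trusted:
        item = item.strip()
        if item == "*":
            return None
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def peer_is_trusted(remote_addr: str, trusted: Iterable[str]) -> bool:
    """True if the TCP peer (REMOTE_ADDR) is one of the proxies we trust."""
    nets = parse_trusted(trusted)
    if nets is None:
        return True
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def apply_forwarded_headers(environ: dict, trusted: Iterable[str] = DEFAULT_TRUSTED) -> dict:
    """Return a copy of the WSGI environ with scheme, host and script name taken
    from the proxy headers, but only when the peer is a trusted proxy.
    From an untrusted peer the headers are removed so nothing downstream can
    act on them."""
    env = dict(environ)
    forwarded = ("HTTP_X_FORWARDED_PROTO", "HTTP_X_FORWARDED_HOST", "HTTP_SCRIPT_NAME")
    if not peer_is_trusted(env.get("REMOTE_ADDR", ""), trusted):
        for key in forwarded:
            env.pop(key, None)
        return env
    # A header may carry a comma-separated chain; the first entry is the
    # value set by the outermost proxy in the setups this handles.
    proto = env.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    if proto in ("http", "https"):
        env["wsgi.url_scheme"] = proto
    host = env.get("HTTP_X_FORWARDED_HOST", "").split(",")[0].strip()
    if host:
        env["HTTP_HOST"] = host
    # nginx's `proxy_set_header SCRIPT_NAME /bla;` reaches the app as the
    # CGI-style key HTTP_SCRIPT_NAME; a bare "/" means no prefix and is skipped.
    script_name = env.get("HTTP_SCRIPT_NAME", "").rstrip("/")
    if script_name.startswith("/"):
        env["SCRIPT_NAME"] = script_name
    return env


def base_url(environ: dict) -> str:
    """The URL prefix an application would generate from this environ."""
    return "%s://%s%s" % (environ["wsgi.url_scheme"], environ["HTTP_HOST"],
                          environ.get("SCRIPT_NAME", ""))


class TrustedProxyMiddleware:
    """WSGI middleware that applies apply_forwarded_headers before the app runs."""

    def __init__(self, app, trusted: Iterable[str] = DEFAULT_TRUSTED):
        self.app = app
        self.trusted = tuple(trusted)

    def __call__(self, environ, start_response):
        return self.app(apply_forwarded_headers(environ, self.trusted), start_response)


# Constructed request as gunicorn would see it from nginx on a docker bridge
# (the gateway address 172.17.0.1 is an assumption for this example).
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "172.17.0.1",
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "localhost",
    "SCRIPT_NAME": "",
    "PATH_INFO": "/bla/",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "localhost",
    "HTTP_SCRIPT_NAME": "/bla",
}

if __name__ == "__main__":
    # Default allow-list: the docker gateway is not trusted, so the scheme stays http.
    print(base_url(apply_forwarded_headers(SAMPLE_ENVIRON)))
    # Allow-listing the bridge network is what fixes URL generation.
    print(base_url(apply_forwarded_headers(SAMPLE_ENVIRON, ["172.17.0.0/16"])))
```

With the default allow-list the request from the docker gateway is treated as untrusted and generated URLs keep the http scheme, which is exactly the symptom in the first post; adding the bridge network to the allow-list (or setting forwarded-allow-ips in gunicorn) fixes it without letting arbitrary clients choose the scheme or host the application believes it was reached on.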

epe...@emergya.com

Oct 30, 2015, 11:57:04 AM
to pylons-discuss
Hi Randall


On Friday, October 30, 2015, 16:27:33 (UTC+1), Randall Leeds wrote:
> It looks like you'll need to check this setting: http://docs.gunicorn.org/en/19.3/settings.html#forwarded-allow-ips

You nailed it. Thank you so much.

Jonathan Vanasco

Nov 3, 2015, 12:06:16 PM
to pylons-discuss


On Friday, October 30, 2015 at 11:27:33 AM UTC-4, Randall Leeds wrote:
> It looks like you'll need to check this setting: http://docs.gunicorn.org/en/19.3/settings.html#forwarded-allow-ips
>
> Trusting the X-Forwarded headers from the open internet is not safe, so gunicorn normally only does so from localhost connections. In your case, the connections to gunicorn will be coming from the docker gateway IP.

That's a good catch.  I use `uwsgi` and it's pretty standard on all configs to manually set the `x-forwarded-` headers, so that's the one config they don't have (or do they? there are 300+)

Using the Paste.deploy proxy-prefix middleware is the source of many solutions in this area though.

Desson Ariawan

Sep 16, 2016, 3:21:53 PM
to pylons-discuss
I struggled for 3+ hours to set up my server because of the same issue...
If only I had come to this forum earlier :(

Thank you guys,
in my case changing the .ini file solved the issue (instead of 3+ hours of struggling with nginx.conf)

Regards 