Proto not set when running behind reverse proxy

[jcox10]

In our environment, we run most everything behind a NGINX reverse proxy that handles all the SSL termination (we are required to have everything HTTPS). Most everything works properly, except when the flask.url_for generates an external URL, it defaults to standard HTTP. I found this ProxyFix page that has a solution and I tested it with setting app.wsgi_app = ProxyFix(app.wsgi_app, x_proto=1) in the main __init__.py.

However I'm not sure if that is the best option, or if it would be better to add a arg similar to the SERVER_NAME that would be SERVER_PROTO as seen from the client? Then pass that in when generating the url_for?

[briantist]

Thanks for bringing this up! I think this would affect a use case that I'm working on myself so it's really useful :)

While even I am currently only running galactory with the werkzeug server (on my workstation or in CI for example), production use should probably use a different WSGI server. In that case, I think it would be up to the implementer to use ProxyFix when creating their WSGI app.

For the built-in server / CLI usage, adding SERVER_PROTO as you suggest may be the better solution.

Does that sound right to you?

[briantist]

So I am looking into this some more. See the docs for url_for: https://flask.palletsprojects.com/en/0.12.x/api/?highlight=url_for#flask.url_for

The config value we'd set is PREFERRED_URL_SCHEME in order for it to be "implicit" but that value will only be used if we set _external=True, which we're already doing in all of our calls because the URLs are returned in data structures, so that's just something I'll need to be aware of.

I'm testing this out a bit now.

[briantist]

...and I realize now that variable won't work, it's only used when there is no request context (just like it says in the docs), so it can't be implicit. I've implemented it explicitly in testing though; it also surfaced another problem which is setting href in some places to the value of request.url which also would have been incorrect for your described use case, so I have a fix for that as well. I'll have a PR up soon.

[briantist]

@jcox10 would you be able to try the changes in PR #29 ?

You can pull/checkout my branch, or if it's easier to use pip, you can do it this way:

pip install https://github.com/briantist/galactory/archive/urls-under-construction.zip

I've added PREFERRED_URL_SCHEME / --preferred-url-scheme which you can set to https.
Let me know if that works as expected for you!

---

btw you may also be interested in the change I added in #28 , in case you were wanting to use a WSGI server like gunicorn or waitress or something; that change should make it easier to do so while using the existing configuration system. That might be an opportunity for you to inject ProxyFix.

[briantist]

@jcox10 I've merged your changes in #26 🎉 and I've rebased #29 to include those changes

[jcox10]

Thanks! I'll try it out when I am back at work on Monday.

…

On Wed, Dec 14, 2022 at 11:48 AM Brian Scholer ***@***.***> wrote: @jcox10 <https://github.com/jcox10> I've merged your changes in #26 <#26> 🎉 and I've rebased #29 <#29> to include those changes — Reply to this email directly, view it on GitHub <#27 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGCCVQG3CAL77M7DXX4IY7LWNII6LANCNFSM6AAAAAAS5N5IEE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[jcox10]

It looks like the flask auto-redirect to trailing slash doesn't have the correct scheme. The first thing ansible-galaxy does is tries to access /api and then it should get a HTTP308 to /api/. (edit: this was done with ansible-galaxy --server https://my-server-name.com:8888/)

curl https://my-server-name.com:8888/api
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="http://my-server-name.com:8888/api/">http://my-server-name:8888/api/</a>. If not, click the link.

I'm not sure how to configure flask for what scheme it should use for these auto-redirects.

[jcox10]

However maybe I specified my --server argument wrong. If I do ansible-galaxy --server https://my-server-name.com:8888/api/ then it works just fine and ansible-galaxy doesn't try to figure out the api path. So maybe its just important to note that the server must be the full path to the api route with trailing slash?

[briantist]

Thanks @jcox10 this is good information, I'm going to look into it some more and see what else can be done.

When you use the server option that doesn't result in any redirects, is it otherwise working well to address the original issue?

[briantist]

@jcox10 all of the other endpoints in the project define the route twice (once with and one without the trailing /) to avoid the redirects, but I didn't do it on this endpoint. The fix was simply to add the "blank" route. The branch has been updated if you want to take a look and try it again.

Do you have any outstanding concerns or issues about #29?

[jcox10]

It works good, I've been running it for a few days now! Good find on the missing blank route!