use waitress trusted proxy instead of prefix

Pylons · Jun 6, 2019 · a5ccad0 · a5ccad0
1 parent 6a72e0c
commit a5ccad0
Showing 1 changed file with 16 additions and 20 deletions.
diff --git a/docs/deployment/nginx.rst b/docs/deployment/nginx.rst
@@ -129,10 +129,10 @@ configuration is shown here:
         access_log  /home/example/env/access.log;
 
         location / {
-            proxy_set_header        Host $http_host;
-            proxy_set_header        X-Real-IP $remote_addr;
-            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header        X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host:$server_port;
+            proxy_set_header X-Forwarded-Port $server_port;
 
             client_max_body_size    10m;
             client_body_buffer_size 128k;
@@ -166,7 +166,7 @@ with the ``proxy_pass`` directive. It's important to investigate the
 implications of many of the other settings as they are likely
 application-specific.
 
-The ``header`` directives inform our application of the exact deployment
+The ``proxy_set_header`` directives inform our application of the exact deployment
 setup. They will help the WSGI server configure our environment's
 ``SCRIPT_NAME``, ``HTTP_HOST``, and the actual IP address of the client.
 
@@ -179,38 +179,34 @@ Step 2: Starting pserve
    deployment that has debugging turned off and removing the
    pyramid_debugtoolbar.
 
-This configuration uses PasteDeploy's ``PrefixMiddleware`` to automatically
-convert the ``X-Forwarded-Proto`` into the correct HTTP scheme in the WSGI
+This configuration uses
+`waitress <https://docs.pylonsproject.org/projects/waitress/en/latest/reverse-proxy.html>`__
+to automatically convert the ``X-Forwarded-Proto`` into the correct HTTP scheme in the WSGI
 environment. This is important so that the URLs generated by the application
-can distinguish between different domains, HTTP vs. HTTPS, and with some
-extra configuration to the ``paste_prefix`` filter it can even handle
-hosting the application under a different URL than ``/``.
+can distinguish between different domains, HTTP vs. HTTPS.
 
 .. code-block:: nginx
     :linenos:
 
     #---------- App Configuration ----------
-    [app:myapp]
+    [app:main]
     use = egg:myapp#main
+    
     pyramid.reload_templates = false
     pyramid.debug_authorization = false
     pyramid.debug_notfound = false
     pyramid.default_locale_name = en
 
-    #---------- Pipeline Configuration ----------
-    [filter:paste_prefix]
-    use = egg:PasteDeploy#prefix
-
-    [pipeline:main]
-    pipeline =
-        paste_prefix
-        myapp
-
     #---------- Server Configuration ----------
     [server:main]
     use = egg:waitress#main
     host = 127.0.0.1
     port = %(http_port)s
+    
+    trusted_proxy = 127.0.0.1
+    trusted_proxy_count = 1
+    trusted_proxy_headers = x-forwarded-for x-forwarded-host x-forwarded-proto x-forwarded-port
+    clear_untrusted_proxy_headers = yes
 
     #---------- Logging Configuration ----------
     # ...