[FW][IMP] developer/reference/cli: --proxy-mode#6744
Closed
Conversation
Many customers struggle with their web server configuration, notably regarding the `--proxy-mode` option and the way `X-Forwarded-*` HTTP request headers are interpreted within Odoo. The `--proxy-mode` section has been updated to cover the most common misunderstandings and to give guidance on how to set up a web server.

Odoo always only takes the last entry of the `X-Forwarded-*` request header because there are situations where it is not possible to determine which n-th last entry to use. Employees might access their Odoo database via the internal network, connecting directly to nginx, while customers might access the database via an additional proxy such as Cloudflare. The real IP of employees would be the last entry inside the `X-Forwarded-For` chain, while the real IP of customers would be the *second* last entry inside the chain. It would be incorrect to always take the same n-th last entry inside the chain; Cloudflare's own IP address must be discarded from the chain. Web servers usually feature a way to ignore trusted IPs from the chain, so that the real IP of the user is always the last entry inside the chain. Odoo relies on such a feature being active and configured.

Prior discussions about `X-Forwarded-For`:
* odoo/odoo#104947
* odoo/odoo#118629
* odoo/odoo#139536

All `X-Forwarded-*` headers are ignored in case the `X-Forwarded-Host` header is missing (even with `--proxy-mode`). System admins might be tempted not to set this header and to set `Host` instead; this is broken, as a user agent would then be able to spoof `X-Forwarded-Host` and Odoo would use that instead of the correct `Host`.

Prior discussions about `X-Forwarded-Host`:
* odoo/odoo#63277
* odoo/odoo#70117

X-original-commit: 3d91c57
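The following is an added illustration of the two rules the description above relies on (it is not Odoo's or nginx's own code): the trusted reverse proxy resolves the real client by discarding trusted upstream proxies from the right of the `X-Forwarded-For` chain and then overwrites every `X-Forwarded-*` header it sends upstream, and the application, in `--proxy-mode`, honours those headers only when `X-Forwarded-Host` is present and takes the last entry of each. The trusted range `203.0.113.0/24` (a stand-in for a CDN such as Cloudflare), the proxy address `127.0.0.1`, the hostnames and all request samples are constructed; the "naive" proxy is included to show why "take the n-th last entry" cannot work.

```python
"""Model of X-Forwarded-* handling: edge proxy + Odoo-style app view.

Constructed example, not Odoo's or nginx's code. Addresses come from the
RFC 5737 documentation ranges; 203.0.113.0/24 stands in for a CDN's egress.
"""
import ipaddress
from typing import Dict, List, Optional

TRUSTED_UPSTREAM = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical CDN range
PROXY_OWN_ADDR = "127.0.0.1"  # the TCP peer Odoo sees behind the reverse proxy


def parse_list_header(value: Optional[str]) -> List[str]:
    """Split a comma-separated X-Forwarded-* value into its non-empty entries."""
    if not value:
        return []
    return [item.strip() for item in value.split(",") if item.strip()]


def is_trusted(addr: str) -> bool:
    """Unparsable entries (a forged chain may contain anything) are untrusted."""
    try:
        return any(ipaddress.ip_address(addr) in net for net in TRUSTED_UPSTREAM)
    except ValueError:
        return False


def resolve_client(peer_addr: str, incoming_xff: Optional[str]) -> str:
    """Real-IP logic of the proxy: walk the chain from the right, starting at the
    TCP peer, skipping trusted proxies; the first untrusted address is the client.
    An untrusted peer means its X-Forwarded-For is attacker-controlled, so the
    peer itself is the client and the chain is ignored."""
    chain = parse_list_header(incoming_xff) + [peer_addr]
    for addr in reversed(chain):
        if not is_trusted(addr):
            return addr
    return chain[0]  # every hop trusted: the leftmost entry is all we have


def naive_proxy_xff(peer_addr: str, incoming_xff: Optional[str]) -> str:
    """Mis-configured proxy that merely appends its peer to the client-supplied
    chain: the real client's position then depends on how many upstream proxies
    were involved, so no fixed 'n-th last' entry is correct for everyone."""
    return ", ".join(parse_list_header(incoming_xff) + [peer_addr])


def forward_headers(request: Dict) -> Dict[str, str]:
    """Headers a correctly configured proxy sends upstream: every X-Forwarded-*
    header is overwritten (never passed through), the resolved client is the
    only/last X-Forwarded-For entry, X-Forwarded-Host carries the real Host."""
    hdrs = request["headers"]
    return {
        "Host": hdrs["Host"],
        "X-Forwarded-For": resolve_client(request["peer_addr"], hdrs.get("X-Forwarded-For")),
        "X-Forwarded-Host": hdrs["Host"],
        "X-Forwarded-Proto": request["scheme"],
    }


def app_view(proxy_mode: bool, peer_addr: str, headers: Dict[str, str]) -> Dict[str, str]:
    """App-side rule as stated in the PR: without --proxy-mode, or without
    X-Forwarded-Host, all X-Forwarded-* headers are ignored; else last entry wins."""
    view = {"remote_addr": peer_addr, "host": headers.get("Host", ""), "scheme": "http"}
    if not (proxy_mode and headers.get("X-Forwarded-Host")):
        return view
    xff = parse_list_header(headers.get("X-Forwarded-For"))
    xfh = parse_list_header(headers["X-Forwarded-Host"])
    xfp = parse_list_header(headers.get("X-Forwarded-Proto"))
    if xff:
        view["remote_addr"] = xff[-1]
    if xfh:
        view["host"] = xfh[-1]
    if xfp:
        view["scheme"] = xfp[-1]
    return view


def scenarios() -> Dict[str, object]:
    """Constructed requests as they arrive at the reverse proxy, and what results."""
    employee = {"peer_addr": "10.0.0.5", "scheme": "https", "headers": {"Host": "odoo.example"}}
    # Customer through the CDN: the CDN egress is the TCP peer, customer is in XFF.
    customer = {"peer_addr": "203.0.113.10", "scheme": "https",
                "headers": {"Host": "odoo.example", "X-Forwarded-For": "198.51.100.7"}}
    # Attacker connecting straight to the proxy with forged headers.
    attacker = {"peer_addr": "192.0.2.66", "scheme": "https",
                "headers": {"Host": "odoo.example", "X-Forwarded-For": "10.0.0.1",
                            "X-Forwarded-Host": "evil.example"}}
    out: Dict[str, object] = {}
    for name, req in (("employee", employee), ("customer", customer), ("attacker", attacker)):
        out[name + "_naive_xff"] = naive_proxy_xff(req["peer_addr"],
                                                   req["headers"].get("X-Forwarded-For"))
        out[name] = app_view(True, PROXY_OWN_ADDR, forward_headers(req))
    # Broken setup 1: proxy passes client headers through and never sets
    # X-Forwarded-Host itself, so the attacker's forged value is honoured.
    out["passthrough"] = app_view(True, PROXY_OWN_ADDR, dict(attacker["headers"]))
    # Broken setup 2: proxy sets X-Forwarded-For but no X-Forwarded-Host at all,
    # so every X-Forwarded-* header is ignored and the proxy looks like the client.
    out["missing_xfh"] = app_view(True, PROXY_OWN_ADDR,
                                  {"Host": "odoo.example", "X-Forwarded-For": "198.51.100.7"})
    return out


if __name__ == "__main__":
    for key, value in scenarios().items():
        print(f"{key}: {value}")
```

With the naive proxy, the employee's address is the last `X-Forwarded-For` entry while the customer's is the second last (the last one is the CDN), which is the ambiguity the description points out. With trusted-proxy stripping at the edge (on nginx this is the realip module's `set_real_ip_from`, `real_ip_header X-Forwarded-For` and `real_ip_recursive on`, after which the proxy sends its own resolved `$remote_addr` upstream), the real client is always the last entry, and overwriting `X-Forwarded-Host` rather than passing it through is what stops the spoofed `evil.example` from reaching the application.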
@Julien00859 this PR targets master and is the last of the forward-port chain containing:
To merge the full chain, use
More info at https://github.com/odoo/odoo/wiki/Mergebot#forward-port
@fw-bot r+
robodoo pushed a commit that referenced this pull request on Dec 3, 2023
closes #6744
X-original-commit: 3d91c57
Signed-off-by: Julien Castiaux (juc) <juc@odoo.com>
Forward-Port-Of: #6729