
Enable x_host and x_proto by default through deprecated proxyfix? #1630

Closed
xmo-odoo opened this issue Aug 29, 2019 · 1 comment

Comments

@xmo-odoo

commented Aug 29, 2019

When #1314 refactored ProxyFix, it aliased num_proxies to x_for only (as that was the only one which previously supported multiple proxies).

However, in doing so it disabled forwarding of host and scheme, which were forwarded by default up to 0.14, which breaks systems relying on this.

I'd like to set x_host=1 and x_proto=1 in 0.15 IFF the user goes through the deprecated wrapper (werkzeug.contrib.fixers.ProxyFix) in order to restore the old behaviour, and maybe add a small warning about this behavioural change to the deprecation message (or possibly in one of the versionchanged blocks of the new version). Would that be acceptable / interesting or a waste of time?

@xmo-odoo xmo-odoo changed the title Enable x_host and x_scheme by default through deprecated proxyfix? Enable x_host and x_proto by default through deprecated proxyfix? Aug 29, 2019

@davidism


commented Aug 31, 2019

Yeah, that sounds good.

I'm fine with adding x_proto=1 for both, not just for the deprecated wrapper, since we think it's fairly low impact on security.

x_host I'm less confident about going forward, as I'm not sure what the impact is if the client can control Host through X-Forwarded-Host when Nginx isn't configured to set it. Odoo probably has a better understanding of HTTP security than I do, so if you have a good argument for leaving it enabled, I'm interested in hearing it.
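To make the trade-off in this thread concrete (the issue body's proposal to turn `x_host`/`x_proto` back on, and the concern above about a client-controlled `X-Forwarded-Host`), here is a small model of a ProxyFix-style WSGI middleware. It is an added example written for this page, not Werkzeug's own `ProxyFix` code, and it only reproduces the "trust the last N entries of each `X-Forwarded-*` header" idea. The environ dicts, host names and the nginx `proxy_set_header X-Forwarded-Host $host;` line are constructed/assumed for illustration.

```python
"""Minimal model of a ProxyFix-style middleware (constructed example, not
Werkzeug's code) showing what x_for / x_proto / x_host each enable and why
x_host is only safe when the reverse proxy itself sets X-Forwarded-Host."""


def trusted_value(header_value, trusted):
    """Return the entry contributed by the `trusted`-th proxy from the end of
    a comma-separated X-Forwarded-* header, or None if no proxies are trusted
    or the header has too few entries. Each proxy appends its own entry, so
    entries further from the end come from less trusted parties."""
    if not trusted or not header_value:
        return None
    parts = [p.strip() for p in header_value.split(",")]
    if len(parts) < trusted:
        return None
    return parts[-trusted]


def apply_proxy_fix(environ, x_for=1, x_proto=0, x_host=0):
    """Rewrite a WSGI environ the way a ProxyFix-style middleware would.
    Defaults mirror the refactored behaviour described in the issue:
    only X-Forwarded-For is trusted unless x_proto / x_host are raised.
    Returns a new dict; the input is left untouched."""
    env = dict(environ)
    remote = trusted_value(environ.get("HTTP_X_FORWARDED_FOR"), x_for)
    if remote:
        env["REMOTE_ADDR"] = remote
    proto = trusted_value(environ.get("HTTP_X_FORWARDED_PROTO"), x_proto)
    if proto:
        env["wsgi.url_scheme"] = proto
    host = trusted_value(environ.get("HTTP_X_FORWARDED_HOST"), x_host)
    if host:
        env["HTTP_HOST"] = host
    return env


# Constructed environ: the proxy forwarded the request but did NOT overwrite
# X-Forwarded-Host, so whatever the client sent reaches the app unchanged.
# HTTP_HOST is the upstream address the proxy used.
CLIENT_CONTROLLED_ENV = {
    "REMOTE_ADDR": "10.0.0.2",                 # the proxy's own address
    "HTTP_HOST": "app.internal:8069",
    "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_FOR": "203.0.113.7",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_FORWARDED_HOST": "spoofed.example",  # supplied by the client
}

# Same request behind a proxy that sets the header itself (assumed nginx
# config: `proxy_set_header X-Forwarded-Host $host;`), which replaces any
# client-supplied value before it reaches the app.
PROXY_SET_ENV = dict(CLIENT_CONTROLLED_ENV, HTTP_X_FORWARDED_HOST="www.example.com")


def effective_host(environ, x_host):
    """Host the application will see for a given x_host trust setting."""
    return apply_proxy_fix(environ, x_host=x_host)["HTTP_HOST"]


def effective_scheme(environ, x_proto):
    """URL scheme the application will see for a given x_proto setting."""
    return apply_proxy_fix(environ, x_proto=x_proto)["wsgi.url_scheme"]


if __name__ == "__main__":
    print("x_host=0, client-sent header :", effective_host(CLIENT_CONTROLLED_ENV, 0))
    print("x_host=1, client-sent header :", effective_host(CLIENT_CONTROLLED_ENV, 1))
    print("x_host=1, proxy-set header   :", effective_host(PROXY_SET_ENV, 1))
    print("x_proto=0 / x_proto=1        :", effective_scheme(CLIENT_CONTROLLED_ENV, 0),
          effective_scheme(CLIENT_CONTROLLED_ENV, 1))
```

Running it shows the two halves of the discussion: with `x_host=1` the app's `Host` (and therefore any absolute URLs, redirects or password-reset links it builds from it) is whatever arrived in `X-Forwarded-Host`, so enabling it is only safe when the proxy overwrites that header; `x_proto=1` by contrast only flips the scheme, which is the "fairly low impact" case. The check to make before turning `x_host` on is therefore on the proxy config, not on the application.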
