apache2: set x-forwarded headers for all proxied APIs #5
Conversation
|
@samdbmg I note you were the one that added bbc/nmos-common@ed6a34c. Would you mind reviewing this PR as a result? The combination of the two seems to solve issues we saw at our last workshop. Out of interest, is there any harm in that ProxyFix being enabled by default? From a quick test it didn't appear to cause adverse effects for http usage. |
There was a problem hiding this comment.
The same change should probably appear in https://github.com/bbc/nmos-reverse-proxy/blob/master/debian/ips-reverseproxy-common.conf since that's the one installed by the debian package.
Otherwise this works, although /etc/nmoscommon/config.json needs to contain "fix_proxy": "enabled" for it to work; I assume that's one to handle in provisioning.
|
Good catch. I've added that and a version bump. You may not have seen my edited message, but do you think there's any downside to changing the default for fix_proxy to be 'enabled'? |
There was a problem hiding this comment.
Looks good. As for changing the default, the Werkzeug docs say "Do not use this middleware in non-proxy setups for security reasons." (see http://werkzeug.pocoo.org/docs/0.14/contrib/fixers/#werkzeug.contrib.fixers.ProxyFix) - I think because it's possible for clients for forge that header if Apache isn't there to rewrite it. In our case I'm not sure how much that matters; outside development its rare to run a webapi without a real server proxying it and we only use that to fix redirects in a few places?
|
Hmm, ok. I'll leave it for now as I believe at least one open source user may be using the APIs without a proxy in front, but I don't think this is particularly advisable for several reasons, so we may change it in the future. |
No description provided.