diff --git a/airflow/config_templates/default_airflow.cfg b/airflow/config_templates/default_airflow.cfg index 3d0b2444ed505..1a3768ff74603 100644 --- a/airflow/config_templates/default_airflow.cfg +++ b/airflow/config_templates/default_airflow.cfg @@ -312,6 +312,9 @@ navbar_color = #007A87 # Default dagrun to show in UI default_dag_run_display_number = 25 +# Enable werkzeug `ProxyFix` middleware +enable_proxy_fix = False + [email] email_backend = airflow.utils.email.send_email_smtp diff --git a/airflow/www/app.py b/airflow/www/app.py index 6eea5d2d0ffd5..1140be9aa06e3 100644 --- a/airflow/www/app.py +++ b/airflow/www/app.py @@ -44,7 +44,8 @@ def create_app(config=None, testing=False): app = Flask(__name__) - app.wsgi_app = ProxyFix(app.wsgi_app) + if configuration.conf.getboolean('webserver', 'ENABLE_PROXY_FIX'): + app.wsgi_app = ProxyFix(app.wsgi_app) app.secret_key = configuration.conf.get('webserver', 'SECRET_KEY') app.config['LOGIN_DISABLED'] = not configuration.conf.getboolean( 'webserver', 'AUTHENTICATE') diff --git a/airflow/www_rbac/app.py b/airflow/www_rbac/app.py index 1004764459e39..bdf500d590add 100644 --- a/airflow/www_rbac/app.py +++ b/airflow/www_rbac/app.py @@ -41,7 +41,8 @@ def create_app(config=None, testing=False, app_name="Airflow"): global app, appbuilder app = Flask(__name__) - app.wsgi_app = ProxyFix(app.wsgi_app) + if conf.getboolean('webserver', 'ENABLE_PROXY_FIX'): + app.wsgi_app = ProxyFix(app.wsgi_app) app.secret_key = conf.get('webserver', 'SECRET_KEY') airflow_home_path = conf.get('core', 'AIRFLOW_HOME') diff --git a/docs/integration.rst b/docs/integration.rst index 49c383541f191..2d9bc84c35928 100644 --- a/docs/integration.rst +++ b/docs/integration.rst @@ -64,6 +64,15 @@ Your reverse proxy (ex: nginx) should be configured as follow: } } +To ensure that Airflow generates URLs with the correct scheme when +running behind a TLS-terminating proxy, you should configure the proxy +to set the `X-Forwarded-Proto` header, and enable the `ProxyFix` +middleware in your `airflow.cfg`:: + + enable_proxy_fix = True + +Note: you should only enable the `ProxyFix` middleware when running +Airflow behind a trusted proxy (AWS ELB, nginx, etc.). .. _Azure: