Caravel redirects HTTPS-terminated load balancer traffic to HTTP #1139
Comments
|
Seems like there's a solution here: I'd approve a PR that would add to |
bobziuchkovski
added a commit
to usertesting/caravel
that referenced
this issue
Sep 20, 2016
Add an ENABLE_PROXY_FIX config param. When set to True, insert the Werkzeug ProxyFix middleware. This middleware extracts and applies the X-Forwarded-* headers that are inserted by common proxies and load balancers. Fixes apache#1139.
bobziuchkovski
added a commit
to usertesting/caravel
that referenced
this issue
Sep 20, 2016
Add an ENABLE_PROXY_FIX config param. When set to True, insert the Werkzeug ProxyFix middleware. This middleware extracts and applies the X-Forwarded-* headers that are inserted by common proxies and load balancers. Fixes apache#1139.
|
@mistercrunch Thanks for pointing that out. I've submitted a PR (#1150) that adds the ProxyFix support. We just deployed 0.10.0 with that commit cherry-picked and confirmed we're no longer being redirected from https to http. |
mistercrunch
pushed a commit
that referenced
this issue
Sep 20, 2016
Add an ENABLE_PROXY_FIX config param. When set to True, insert the Werkzeug ProxyFix middleware. This middleware extracts and applies the X-Forwarded-* headers that are inserted by common proxies and load balancers. Fixes #1139.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We're trying to run caravel 0.10.0 behind a load balancer on Amazon and terminate HTTPS/SSL traffic on the load balancer. We've noticed that we can access
https://<caravel-behind-lb>/login, but when we supply user credentials, caravel redirects back to the plaintexthttp://<caravel-behind-lb>/loginlocation. This is a bummer, and has been flagged as part of a third-party security audit.Is there a configuration option we're missing to tell caravel to use https urls, or to tell it to respect
X-Forwarded-Protoheaders?The text was updated successfully, but these errors were encountered: