redirects change https requests to http locations #978
We run behind a reverse proxy (nginx) that is https while the site is served by gunicorn on http and redirects are fine on our side. Seems like a configuration issue in your reverse proxy. |
Thanks @mistercrunch Just for kicks, I tried testing this to get an idea of where this might be breaking down. Here's a very simple app that just does a re-direct from '/a' to '/b'.
And testing this in straight-up Flask, the 'X-Forwarded-Proto' header is not recognized. (Notice the Location is https even though the header requested https.)
And running with gunicorn it does handle the 'X-Forwarded-Proto' header. (Notice the Location is https now.)
So gunicorn looks like it should be doing the right thing. I think this can be closed since I believe the problem is not in Caravel. And I'll update this issue with whatever I learn. thanks, |
Thanks for the heads up, closing then. |
For the record, I found the cause of the problem and the fix. When gunicorn is run on a different machine from the load balancer (nginx or ELB), it needs to be told explicitly to trust the X-Forwarded-* headers sent. gunicorn takes an option I'm starting caravel with this command (with gunicorn running behind an ELB):
More details are in the gunicorn docs: cheers, |
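The trust decision described in the comment above, as an added example that is not from the thread and is not gunicorn's or Superset's code: a stdlib-only WSGI sketch in which `X-Forwarded-Proto` changes the redirect scheme only when the connecting peer is a listed proxy. The names `TrustedProxyScheme`, `redirect_app`, `location_for`, the host `superset.example` and the addresses are constructed for illustration.

```python
import ipaddress
from wsgiref.util import setup_testing_defaults


def redirect_app(environ, start_response):
    """Redirect /a to /b with an absolute Location built from wsgi.url_scheme."""
    location = f"{environ['wsgi.url_scheme']}://{environ['HTTP_HOST']}/b"
    start_response("302 Found", [("Location", location)])
    return [b""]


class TrustedProxyScheme:
    """Honour X-Forwarded-Proto only from peers inside the trusted networks."""

    def __init__(self, app, trusted_networks):
        self.app = app
        self.trusted = [ipaddress.ip_network(n) for n in trusted_networks]

    def __call__(self, environ, start_response):
        peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        # The header is client-controlled unless the peer is our own proxy.
        if proto in ("http", "https") and any(peer in n for n in self.trusted):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def location_for(app, remote_addr, forwarded_proto=None):
    """Send a constructed GET /a to the app and return its Location header."""
    environ = {}
    setup_testing_defaults(environ)  # backend itself speaks plain http
    environ.update(PATH_INFO="/a", HTTP_HOST="superset.example",
                   REMOTE_ADDR=remote_addr)
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}
    list(app(environ, lambda status, headers, exc_info=None: captured.update(headers)))
    return captured["Location"]


if __name__ == "__main__":
    strict = TrustedProxyScheme(redirect_app, ["10.0.0.0/24"])   # constructed LB subnet
    wildcard = TrustedProxyScheme(redirect_app, ["0.0.0.0/0"])   # equivalent of "*"
    print("no trust configured :", location_for(redirect_app, "10.0.0.5", "https"))
    print("trusted proxy       :", location_for(strict, "10.0.0.5", "https"))
    print("untrusted peer      :", location_for(strict, "203.0.113.9", "https"))
    print("wildcard, any peer  :", location_for(wildcard, "203.0.113.9", "https"))
```

The wildcard case shows the trade-off of a catch-all trust setting: any peer that can reach the backend directly decides the scheme, so the backend should only be reachable from the load balancer.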
@dennisobrien In http://airbnb.io/superset/installation.html#configuration-behind-a-load-balancer
Have you tried this setting? |
I recently ran into this as well when trying to use an AWS load-balancer to a container and fixed it the following way.
|
@ecliptik I'm using the below configuration, running superset in python virtualenv
I'm able to access the application using the ALB endpoint, but while logging in, it says "Invalid login", even though I'm giving valid credentials. Could you help me resolve this? |
I am having a similar problem: ALB works fine with HTTP, but when I bind HTTPS to the ALB, I get the error: 502 Bad Gateway. I have tried to figure out more details about the error, but not much information is logged in S3. Is there anywhere I can see more information about this error? There isn't any error from the superset console. I suspect the problem happens in ALB, some headers not matched maybe? I have tried ENABLE_PROXY_FIX = True in superset_config.py and also the environment variable FORWARDED_ALLOW_IPS=*, but no luck. My Gunicorn version is 19.7.1, superset is 0.18.5. Any suggestion or tip is appreciated! Thanks Jay |
For people who may come across the same problem, I have found the problem. By mistake, I set the protocol of the target group to HTTPS. When I change it to HTTP, everything works! |
@Jie-Yang can you close the issue then? |
@mistercrunch Can we actually re-open it? I'm using the latest Everything is working fine, except that I have superset in an iframe, and that as soon as the user logs in, it gets redirected to HTTP and the browser doesn't like it... Here is the call I'm making to the login page with the user being logged in already, and how it gets redirected back and forth:
The I tried all the config variables listed here, but still nothing:
|
So I slept on this issue and investigated a bit more about Flask applications and how they work behind reverse proxies. It's expecting the
|
@Maxwell2022 Hello, I want to use superset in an iframe. I use an https URL, but it redirects to http. Can you tell me the location of the file that contains the config PREFERRED_URL_SCHEME? |
This problem can be easily solved if the application is running behind AWS ALB.
So any redirect that happens at the application level will redirect to https. Hope this helps. |
Hey, I think redirecting at the ALB/Nginx level from 80 to 443 is a workaround, not a solution. I am not familiar with flask/gunicorn/whatever runs Superset, and anyway I tried to force redirects to go to https rather than http, but without success. I ended up with the redirect solution on ALB, JUST for Superset. Is there ANY other way to force Superset to use https? Middleware or something? |
This is still an issue. Cannot use reverse proxy with superset when using it through an iframe. Can we please get this improved in the next version? |
I have added a comment here which worked for me. |
@ajm135x @ajayy1608 It can be fixed with relative URL in my #22355 PR because Werkzeug 2.1.0 uses relative URL by default.
|
I'm running Caravel in AWS with this configuration:
Many requests hang in the browser because the https request is redirected to a http location.
I'm not sure if this is an issue with Caravel or upstream in Flask or Flask-AppBuilder.
I tried setting
PREFERRED_URL_SCHEME = 'https'
in caravel_config.py hoping that would propagate to flask, but either it did not propagate, or it had no effect. (That config instructs flask what scheme to use when it cannot be determined.)
I think the right way to deal with this is to determine the protocol from the 'X-Forwarded-Proto' header. But I'm not sure if this is a bug in Caravel or Flask.
thanks,
Dennis