From 33035f321a8145b73cbd83ffff4748f253bc5d9e Mon Sep 17 00:00:00 2001 From: Adam Heinz Date: Thu, 22 Apr 2021 13:17:24 -0400 Subject: [PATCH] [IMP] AWS load balancers do not provide X-Forwarded-Host. --- odoo/http.py | 14 ++++++++------ odoo/tools/config.py | 15 +++++++++++++++ 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/odoo/http.py b/odoo/http.py index 479981f6d7856..204df6f168be7 100644 --- a/odoo/http.py +++ b/odoo/http.py @@ -180,11 +180,7 @@ from werkzeug.urls import URL, url_parse, url_encode, url_quote from werkzeug.exceptions import (HTTPException, BadRequest, Forbidden, NotFound, InternalServerError) -try: - from werkzeug.middleware.proxy_fix import ProxyFix as ProxyFix_ - ProxyFix = functools.partial(ProxyFix_, x_for=1, x_proto=1, x_host=1) -except ImportError: - from werkzeug.contrib.fixers import ProxyFix +from werkzeug.middleware.proxy_fix import ProxyFix as ProxyFix_ try: from werkzeug.utils import send_file as _send_file @@ -203,6 +199,12 @@ from .tools._vendor import sessions from .tools._vendor.useragents import UserAgent +ProxyFix = functools.partial(ProxyFix_, + x_for=config['proxy_x_for'], + x_proto=config['proxy_x_proto'], + x_host=config['proxy_x_host'], + x_port=config['proxy_x_port'], + x_prefix=config['proxy_x_prefix']) _logger = logging.getLogger(__name__) @@ -2341,7 +2343,7 @@ def __call__(self, environ, start_response): if hasattr(current_thread, 'uid'): del current_thread.uid - if odoo.tools.config['proxy_mode'] and environ.get("HTTP_X_FORWARDED_HOST"): + if odoo.tools.config['proxy_mode']: # The ProxyFix middleware has a side effect of updating the # environ, see https://github.com/pallets/werkzeug/pull/2184 def fake_app(environ, start_response): diff --git a/odoo/tools/config.py b/odoo/tools/config.py index 7969417d95ee7..38df769a98c23 100644 --- a/odoo/tools/config.py +++ b/odoo/tools/config.py 
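Review bot: The import of `werkzeug.middleware.proxy_fix` in the first odoo/http.py hunk is now unconditional, so a werkzeug release that only ships `werkzeug.contrib.fixers` fails at import of the whole module, even with proxy mode off. The `send_file` import just below is still wrapped in `try`, which suggests older releases are otherwise still tolerated. If the minimum werkzeug version has been raised on purpose, a comment next to the import such as `# werkzeug.middleware.proxy_fix is required; the contrib.fixers fallback was dropped` would record that. The hunk shows only part of the import block.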
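Review bot: `ProxyFix` in the second odoo/http.py hunk reads the five `config[...]` values while the module is being imported, so if odoo/http.py is imported before the command line and configuration file are parsed, the partial keeps the defaults and the `--proxy-x-*` options have no effect. That would leave `x_host` at 1 in the very deployment the commit subject describes, where the proxy does not provide X-Forwarded-Host and a client-supplied value may reach the application unchanged. Resolving the values when the wrapper is built removes the ordering dependency; the sketch below keeps the `ProxyFix(app)` call shape. The hunk also assumes `config` is a name in scope, which it does not show (the third hunk uses `odoo.tools.config`).

```python
def ProxyFix(app):
    # Resolve the trust counts when the wrapper is built, so values from the
    # command line or the configuration file are used rather than whatever
    # the options held at import time.
    return ProxyFix_(
        app,
        x_for=config['proxy_x_for'],
        x_proto=config['proxy_x_proto'],
        x_host=config['proxy_x_host'],
        x_port=config['proxy_x_port'],
        x_prefix=config['proxy_x_prefix'],
    )
```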
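Review bot: Removing the `environ.get("HTTP_X_FORWARDED_HOST")` test in `__call__` means every request in proxy mode now goes through ProxyFix, so X-Forwarded-For and X-Forwarded-Proto are honoured on requests where they were previously ignored. For an existing deployment behind a proxy that does not send X-Forwarded-Host, the remote address and scheme seen by the application change on upgrade, which affects logging and anything keyed on the client address. The existing comment could state this, e.g. `# Applied to every request in proxy mode; the proxy_x_* options decide which X-Forwarded-* headers are trusted.` The body of `__call__` starts and ends outside the hunk.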
@@ -140,13 +140,28 @@ def __init__(self, fname=None): help="Listen port for the gevent worker", type="int", metavar="PORT") group.add_option("--no-http", dest="http_enable", action="store_false", my_default=True, help="Disable the HTTP and Longpolling services entirely") + + # HTTP: configure werkzeug proxy mode + # https://werkzeug.palletsprojects.com/en/0.16.x/middleware/proxy_fix/ group.add_option("--proxy-mode", dest="proxy_mode", action="store_true", my_default=False, help="Activate reverse proxy WSGI wrappers (headers rewriting) " "Only enable this when running behind a trusted web proxy!") + group.add_option("--proxy-x-for", dest="proxy_x_for", type="int", my_default=1, + help="Number of values to trust for X-Forwarded-For.") + group.add_option("--proxy-x-proto", dest="proxy_x_proto", type="int", my_default=1, + help="Number of values to trust for X-Forwarded-Proto.") + group.add_option("--proxy-x-host", dest="proxy_x_host", type="int", my_default=1, + help="Number of values to trust for X-Forwarded-Host.") + group.add_option("--proxy-x-port", dest="proxy_x_port", type="int", my_default=0, + help="Number of values to trust for X-Forwarded-Port.") + group.add_option("--proxy-x-prefix", dest="proxy_x_prefix", type="int", my_default=0, + help="Number of values to trust for X-Forwarded-Prefix.") + group.add_option("--x-sendfile", dest="x_sendfile", action="store_true", my_default=False, help="Activate X-Sendfile (apache) and X-Accel-Redirect (nginx) " "HTTP response header to delegate the delivery of large " "files (assets/attachments) to the web server.") + # HTTP: hidden backwards-compatibility for "*xmlrpc*" options hidden = optparse.SUPPRESS_HELP group.add_option("--xmlrpc-interface", dest="http_interface", help=hidden)
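Review bot: The help strings for the five `--proxy-x-*` options do not say that each count should match the number of trusted proxies that overwrite that header, nor that 0 turns the header off. An operator needs both facts to avoid trusting a client-supplied header. One possible wording is `help="Number of trusted proxies that set X-Forwarded-Host; use 0 if the proxy does not overwrite this header."`, and noting that the options only apply with `--proxy-mode` would also help. `type="int"` accepts negative values and nothing in the hunk rejects them before they are handed to ProxyFix, so a `>= 0` check where options are validated would close that gap. `__init__` continues outside the hunk.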