Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

redirects change https requests to http locations

See original GitHub issue

I’m running Caravel in AWS with this configuration:

ELB terminates SSL (and accepts only https requests)
Docker container runs gunicorn + caravel

Many requests hang in the browser because the https request is redirected to a http location.

$ curl -Ik https://caravel.example.com/
HTTP/1.1 302 FOUND
Content-Length: 239
Content-Type: text/html; charset=utf-8
Date: Thu, 18 Aug 2016 16:30:20 GMT
Location: http://caravel.example.com/caravel/welcome
Server: gunicorn/19.6.0
Connection: keep-alive

I’m not sure if this is an issue with Caravel or upstream in Flask or Flask-AppBuilder.

I tried setting PREFERRED_URL_SCHEME = 'https' in caravel_config.py hoping that would propagate to flask, but either it did not propagate, or it had no effect. (That config instructs flask what scheme to use when it cannot be determined.)

I think the right way to deal with this is to determine the protocol from the ‘X-Forwarded-Proto’ header. But I’m not sure if this is a bug in Caravel or Flask.

thanks, Dennis

Issue Analytics

State:
Created 7 years ago
Comments:17 (5 by maintainers)

Top GitHub Comments

10reactions

nowak-ninjacommented, May 2, 2019

Hey, I think redirects on ALB/Nginx level from 80 to 443 is a workaround, not a solution. I am not familiar with flask/gunicorn/whatever runs the Superset and anyway tried to force redirects go to https rather than http, but without success. I ended up with redirect solution on ALB, JUST for Superset. Is there ANY other way to force Superset to use https? Middleware or something?

7reactions

dennisobriencommented, Aug 25, 2016

For the record, I found the cause of the problem and the fix. When gunicorn is run on a different machine from the load balancer (nginx or ELB), it needs to be told explicitly to trust the X-Forwarded-* headers sent. gunicorn takes an option --forwarded-allow-ips which can either be a comma separated list of ip addresses, or “*” to trust all.

I’m starting caravel with this command (with gunicorn running behind an ELB):

gunicorn \
  --error-logfile - \
  --access-logfile - \
  -w 8 \
  -k gevent \
  -b 0.0.0.0:8080 \
  --timeout 120 \
  --limit-request-line 0 \
  --limit-request-field_size 0 \
  --forwarded-allow-ips="*" \
  caravel:app

More details are in the gunicorn docs: http://docs.gunicorn.org/en/stable/deploy.html

cheers, Dennis