Extra setting for reverse proxy

dieterich-lab · Jun 24, 2024 · 87c7562 · 87c7562
1 parent 5816616
commit 87c7562
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/docker/app_container/files/entry_point.py b/docker/app_container/files/entry_point.py
@@ -46,4 +46,5 @@ def get_secret(path):
 system("cd /app && /app/mini_cron.sh &")
 system(
     f"exec su - app /app/run_flask.sh {environ.get('HTTP_WORKER_PROCESSES')} {environ.get('HTTP_WORKER_TIMEOUT', 30)}"
+    f" {environ.get('HTTP_REVERSE_PROXY_IPS', '')}"
 )
diff --git a/docker/app_container/files/run_flask.sh b/docker/app_container/files/run_flask.sh
@@ -6,4 +6,9 @@ cd /app
 echo '### Upgrading Database ###'
 alembic upgrade head
 echo '### Starting gunicorn ###'
-exec gunicorn -b 0.0.0.0:8000 -w $1 --timeout $2 'scimodom.app:create_app()'
+extra_opts=''
+if [[ -n $3 ]]
+then
+  extra_opts="--forwarded-allow-ips=$3"
+fi
+exec gunicorn -b 0.0.0.0:8000 -w $1 --timeout $2 $extra_opts 'scimodom.app:create_app()'
diff --git a/server/env_example b/server/env_example
@@ -9,6 +9,10 @@ HTTP_WORKER_TIMEOUT=120
 # Usually you will have a reverse proxy in front to terminate TLS.
 # Use it's name below.
 HTTP_PUBLIC_URL=https://scimodom.my-site.org
+# If we run behind a reverse proxy we need to know it's IP address(es) so that we trust
+# the X-Forwarded-Proto header. Otherwise, we might generate incorrect redirects
+# (http instead of https).
+HTTP_REVERSE_PROXY_IPS=...
 
 # Mail server to use. It must be willing to relay emails
 # for your host/SMTP_FROM_ADDRESS.