diff --git a/odoo/http.py b/odoo/http.py
index e4f758dfdbeec..4086363a504e2 100644
--- a/odoo/http.py
+++ b/odoo/http.py
@@ -148,11 +148,7 @@ from werkzeug.urls import URL, url_parse, url_encode, url_quote
 from werkzeug.exceptions import (HTTPException, BadRequest, Forbidden, NotFound, InternalServerError)
-try:
- from werkzeug.middleware.proxy_fix import ProxyFix as ProxyFix_
- ProxyFix = functools.partial(ProxyFix_, x_for=1, x_proto=1, x_host=1)
-except ImportError:
- from werkzeug.contrib.fixers import ProxyFix
+from werkzeug.middleware.proxy_fix import ProxyFix as ProxyFix_
 try:
 from werkzeug.utils import send_file as _send_file
@@ -172,6 +168,12 @@ from .tools._vendor import sessions
 from .tools._vendor.useragents import UserAgent
+ProxyFix = functools.partial(ProxyFix_,
+ x_for=config['proxy_x_for'],
+ x_proto=config['proxy_x_proto'],
+ x_host=config['proxy_x_host'],
+ x_port=config['proxy_x_port'],
+ x_prefix=config['proxy_x_prefix'])
 _logger = logging.getLogger(__name__)
@@ -1918,7 +1920,7 @@ def __call__(self, environ, start_response):
 current_thread.query_time = 0
 current_thread.perf_t0 = time.time()
- if odoo.tools.config['proxy_mode'] and environ.get("HTTP_X_FORWARDED_HOST"):
+ if odoo.tools.config['proxy_mode']:
 # The ProxyFix middleware has a side effect of updating the
 # environ, see https://github.com/pallets/werkzeug/pull/2184
 def fake_app(environ, start_response):
diff --git a/odoo/tools/config.py b/odoo/tools/config.py
index 8edd55827b6a3..225f25b55c76a 100644
--- a/odoo/tools/config.py
+++ b/odoo/tools/config.py
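Review bot: In the `@@ -172,6 +168,12 @@` hunk of odoo/http.py the `functools.partial` is built at module level, so the five `config['proxy_x_*']` values are read once, when the module is imported. If that import happens before the command line and configuration file are parsed (not visible in this diff), the trust counts would silently stay at their defaults and an operator's setting would have no effect on which `X-Forwarded-*` values are believed. Reading the options at call time, as sketched below, removes the ordering dependency while keeping the `ProxyFix(fake_app)` call shape. The hunk also uses a bare `config` where `__call__` uses `odoo.tools.config`, and the import of `config` is outside the hunk, so confirm it is in scope.

```python
def ProxyFix(app):
    """Wrap *app* with ProxyFix using the trust counts configured right now."""
    return ProxyFix_(
        app,
        x_for=config['proxy_x_for'],
        x_proto=config['proxy_x_proto'],
        x_host=config['proxy_x_host'],
        x_port=config['proxy_x_port'],
        x_prefix=config['proxy_x_prefix'],
    )
```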
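Review bot: In the `@@ -1918,7 +1920,7 @@` hunk of odoo/http.py the comment above `fake_app` no longer tells the reader when the rewrite runs. With the `HTTP_X_FORWARDED_HOST` test gone, every request is rewritten once `proxy_mode` is on, including requests that reach the worker without passing through the proxy. I would extend the comment with `# Applied to every request in proxy mode: the front proxy must set or strip each X-Forwarded-* header whose trust count is non-zero.` The bodies of `__call__` and `fake_app` continue outside the hunk, so I cannot see whether later code still assumes the host header was present.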
@@ -142,13 +142,28 @@ def __init__(self, fname=None):
 help="Listen port for the gevent worker", type="int", metavar="PORT")
 group.add_option("--no-http", dest="http_enable", action="store_false", my_default=True, help="Disable the HTTP and Longpolling services entirely")
+
+ # HTTP: configure werkzeug proxy mode
+ # https://werkzeug.palletsprojects.com/en/0.16.x/middleware/proxy_fix/
 group.add_option("--proxy-mode", dest="proxy_mode", action="store_true", my_default=False, help="Activate reverse proxy WSGI wrappers (headers rewriting) " "Only enable this when running behind a trusted web proxy!")
+ group.add_option("--proxy-x-for", dest="proxy_x_for", type="int", my_default=1,
+ help="Number of values to trust for X-Forwarded-For.")
+ group.add_option("--proxy-x-proto", dest="proxy_x_proto", type="int", my_default=1,
+ help="Number of values to trust for X-Forwarded-Proto.")
+ group.add_option("--proxy-x-host", dest="proxy_x_host", type="int", my_default=1,
+ help="Number of values to trust for X-Forwarded-Host.")
+ group.add_option("--proxy-x-port", dest="proxy_x_port", type="int", my_default=0,
+ help="Number of values to trust for X-Forwarded-Port.")
+ group.add_option("--proxy-x-prefix", dest="proxy_x_prefix", type="int", my_default=0,
+ help="Number of values to trust for X-Forwarded-Prefix.")
+
 group.add_option("--x-sendfile", dest="x_sendfile", action="store_true", my_default=False, help="Activate X-Sendfile (apache) and X-Accel-Redirect (nginx) " "HTTP response header to delegate the delivery of large " "files (assets/attachments) to the web server.")
+ # HTTP: hidden backwards-compatibility for "*xmlrpc*" options
 hidden = optparse.SUPPRESS_HELP
 group.add_option("--xmlrpc-interface", dest="http_interface", help=hidden)
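Review bot: The five `--proxy-x-*` options are declared with `type="int"` and nothing in this hunk rejects a negative number, which would be handed to ProxyFix unchanged. A check where the parsed options are validated (outside this hunk, as is the rest of `__init__`) should refuse values below 0. The help strings also omit what an operator needs to pick a safe value: the count must equal the number of proxies in front of Odoo that set the header, because a higher number makes a client-supplied entry trusted. Suggested wording for the first option: `help="Number of proxies that set X-Forwarded-For (0 ignores the header); never more than the real proxy count."` The help should also say these options only take effect together with `--proxy-mode`, and the documentation link in the new comment is pinned to the 0.16.x pages.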