NextERP/documentation
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[IMP] developer/reference/cli: --proxy-mode

Browse Source 
Many customers struggle with their web server configuration, notably
regarding the `--proxy-mode` option and the way `X-Forwarded-*` HTTP
request headers are interpreted within Odoo.

The `--proxy-mode` section has been updated to cover the most common
misunderstandings and to give guidances on how to setup a web server.

Odoo always only takes the last entry of the `X-Forwarded-*` request
header because there are situations where it is not possible to
determine which last n-th entry to use. Employees might access their
odoo database via the internal network: connecting directly to nginx,
while customers might access the database via an additional proxy such
as cloudflare. The real IP of employees would be the last inside the
`X-Forwarded-For` chain, while the real IP of customers would be the
*second* last entry inside the chain. It would be incorrect to always
take the same nth last entry inside the chain. The cloudflare's own IP
address must be discarded from the chain. Web servers usually feature
a way to ignore trusted IP from the chain, a way so that the real IP
of the user is always the last entry inside the chain. Odoo relies on
such feature to be active and configured.

Prior discussions about `X-Forwarded-For`:
* odoo/odoo#104947
* odoo/odoo#118629
* odoo/odoo#139536

All `X-Forwarded-*` headers are ignored in case the `X-Forwarded-Host`
header is missing (even with `--proxy-mode`). System admin might be
tempted to not set this header and to set `Host` instead, this is
broken as this a user-agent would be able to spoof `X-Forwarded-Host`
and Odoo would use that instead of the correct `Host`.

Prior discussions about `X-Forwarded-Host`:
* odoo/odoo#63277
* odoo/odoo#70117

closes odoo/documentation#6729

Signed-off-by: Julien Castiaux (juc) <juc@odoo.com>
This commit is contained in:
Julien Castiaux 2023-11-30 11:28:50 +01:00
parent 632039fa74
commit 3d91c57b57
1 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
content/developer/reference/cli.rst
View File

@ -425,7 +425,21 @@ HTTP
.. option:: --proxy-mode
enables the use of ``X-Forwarded-*`` headers through `Werkzeug's proxy
support`_. Only enable this when running behind a trusted web proxy!
support`_.
It ignores all ``X-Forwarded-*`` headers in case ``X-Forwarded-Host`` is
missing from the request.
It always gets the real IP from the last entry of the ``X-Forwarded-For``
chain. Configure your web server accordingly using directives such as
nginx's `set_real_ip_from <https://nginx.org/en/docs/http/ngx_http_realip_module.html>`_
in case there are other trusted proxies along the chain that must be ignored.
``X-Forwarded-Proto`` and ``X-Forwarded-Host`` are used to update the
request root URL, which in turn is used to update the ``web.base.url``
system parameter upon a successful admin authentication. This system
parameter is used to generate all links for the current database; see
:ref:`domain-name/web-base-url`.
.. warning:: proxy mode *must not* be enabled outside of a reverse proxy