![]() Many customers struggle with their web server configuration, notably regarding the `--proxy-mode` option and the way `X-Forwarded-*` HTTP request headers are interpreted within Odoo. The `--proxy-mode` section has been updated to cover the most common misunderstandings and to give guidances on how to setup a web server. Odoo always only takes the last entry of the `X-Forwarded-*` request header because there are situations where it is not possible to determine which last n-th entry to use. Employees might access their odoo database via the internal network: connecting directly to nginx, while customers might access the database via an additional proxy such as cloudflare. The real IP of employees would be the last inside the `X-Forwarded-For` chain, while the real IP of customers would be the *second* last entry inside the chain. It would be incorrect to always take the same nth last entry inside the chain. The cloudflare's own IP address must be discarded from the chain. Web servers usually feature a way to ignore trusted IP from the chain, a way so that the real IP of the user is always the last entry inside the chain. Odoo relies on such feature to be active and configured. Prior discussions about `X-Forwarded-For`: * odoo/odoo#104947 * odoo/odoo#118629 * odoo/odoo#139536 All `X-Forwarded-*` headers are ignored in case the `X-Forwarded-Host` header is missing (even with `--proxy-mode`). System admin might be tempted to not set this header and to set `Host` instead, this is broken as this a user-agent would be able to spoof `X-Forwarded-Host` and Odoo would use that instead of the correct `Host`. Prior discussions about `X-Forwarded-Host`: * odoo/odoo#63277 * odoo/odoo#70117 closes odoo/documentation#6729 Signed-off-by: Julien Castiaux (juc) <juc@odoo.com> |
||
---|---|---|
.. | ||
administration | ||
applications | ||
contributing | ||
developer | ||
legal | ||
administration.rst | ||
applications.rst | ||
contributing.rst | ||
developer.rst | ||
index.rst | ||
last_build.rst | ||
legal.rst |