Commit 75b6f9ca authored by Emanuele Aina's avatar Emanuele Aina

Fix HTTPS detection when running behind a proxy

In production the application is currently run behind a TLS-terminating nginx
proxy which forces the `Host` header and sets the `X-Forwarded-For` and
`X-Forwarded-Proto` headers.

However, nothing on the application side handles the `X-Forwarded-*` headers,
causing authentication against GitLab through OAUth2 to fail since the
generated callback URL uses plain `http://` while OAuth2 requires it to
be `https://`, yielding the `The redirect URI included is not valid`
error message.

This adds a `PROXY_COUNT` environment variable to be set to the number of
trusted proxies in front of the application. It defaults to zero to to avoid
issues if malicious actors set the headers above in a non-proxied setup.
Signed-off-by: Emanuele Aina's avatarEmanuele Aina <>
parent 8088bd1d
Pipeline #4143 passed with stage
in 1 minute and 26 seconds
......@@ -16,6 +16,7 @@ services:
- FLASK_SECRET_KEY=<secret_key>
- postgres
......@@ -48,6 +48,12 @@ from flask_dance.contrib.gitlab import make_gitlab_blueprint, gitlab
from flask_dance.consumer import oauth_authorized
app = Flask(__name__)
proxy_count = int(os.getenv('PROXY_COUNT') or 0)
if proxy_count:
from werkzeug.middleware.proxy_fix import ProxyFix
# App is behind proxies that sets the X-Forwarded-For, -Host and -Proto headers.
app = ProxyFix(app, x_for=proxy_count, x_host=proxy_count, x_proto=proxy_count)
# Queue of Jobs.
pending = defaultdict(set)
finished = defaultdict(set)
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment