Fix to Werkzeug ProxyFix; expose ProxyFix configuration items (#8117)

* Fix to werkzeug proxy; expose additional configuration items

* Forced to all x-forwarded configurations ON; black done

* added comments related to x_port after testing

* Updated UPDATING.md

* Removed accidental notebook; added *.ipynb to gitignore

* Delete Untitled-checkpoint.ipynb

.gitignore

@@ -14,6 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+*.ipynb
 *.bak
 *.db
 *.pyc

UPDATING.md

@@ -23,6 +23,11 @@ assists people when migrating to a new version.
 
 ## Next Version
 
+* [8117](https://github.com/apache/incubator-superset/pull/8117): If you are
+using `ENABLE_PROXY_FIX = True`, review the newly-introducted variable,
+`PROXY_FIX_CONFIG`, which changes the proxy behavior in accordance with
+[Werkzeug](https://werkzeug.palletsprojects.com/en/0.15.x/middleware/proxy_fix/)
+
 * [8069](https://github.com/apache/incubator-superset/pull/8069): introduces
 [MessagePack](https://github.com/msgpack/msgpack-python) and
 [PyArrow](https://arrow.apache.org/docs/python/) for async query results

setup.py

@@ -73,7 +73,7 @@ setup(
         "contextlib2",
         "croniter>=0.3.28",
         "cryptography>=2.4.2",
-        "flask>=1.0.0, <2.0.0",
+        "flask>=1.1.0, <2.0.0",
         "flask-appbuilder>=2.1.9, <2.3.0",
         "flask-caching",
         "flask-compress",

superset/__init__.py

@@ -28,7 +28,6 @@ from flask_compress import Compress
 from flask_migrate import Migrate
 from flask_talisman import Talisman
 from flask_wtf.csrf import CSRFProtect
-from werkzeug.contrib.fixers import ProxyFix
 import wtforms_json
 
 from superset import config
@@ -139,7 +138,9 @@ if app.config.get("ENABLE_CORS"):
     CORS(app, **app.config.get("CORS_OPTIONS"))
 
 if app.config.get("ENABLE_PROXY_FIX"):
-    app.wsgi_app = ProxyFix(app.wsgi_app)
+    from werkzeug.middleware.proxy_fix import ProxyFix
+
+    app.wsgi_app = ProxyFix(app.wsgi_app, **app.config.get("PROXY_FIX_CONFIG"))
 
 if app.config.get("ENABLE_CHUNK_ENCODING"):
 

superset/config.py

@@ -123,8 +123,10 @@ FLASK_USE_RELOAD = True
 # and it's more secure to turn it off in production settings.
 SHOW_STACKTRACE = True
 
-# Extract and use X-Forwarded-For/X-Forwarded-Proto headers?
+# Use all X-Forwarded headers when ENABLE_PROXY_FIX is True.
+# When proxying to a different port, set "x_port" to 0 to avoid downstream issues.
 ENABLE_PROXY_FIX = False
+PROXY_FIX_CONFIG = {"x_for": 1, "x_proto": 1, "x_host": 1, "x_port": 1, "x_prefix": 1}
 
 # ------------------------------
 # GLOBALS FOR APP Builder