Closed abceleung closed 5 months ago
Waitress has very strong support for proxy headers. If you want to use flask’s middleware instead you’ll have to turn off the waitress security features. This means setting clear_untrusted_proxy_headers = False on the waitress server. Alternatively consider configuring waitress instead of using the middleware per the waitress docs.
Hi, I would like to choose the path of least resistance. Since ProxyFix and Waitress seem to be doing the same thing, can I safely delete ProxyFix and use Waitress with the long argument list instead?
BTW, should I use Waitress 3.0.0 now? Poetry installed 3.0.0 for me. The docs mark 3.0.0 as (Unreleased)
That’s just a bug in the docs that it didn’t get updated as part of the release. With respect to your issue you’ll see 3.0 changes the default for how waitress handles proxy headers which is what I expect is breaking the ProxyFix, going back to my suggestion above to tell waitress to preserve the headers.
I haven’t tried to use waitress with flask personally but I expect you should be able to remove the ProxyFix middleware and then set trusted_proxy_headers and trusted_proxy in waitress. This is how I use waitress behind nginx with Pyramid. A working example is here: https://docs.pylonsproject.org/projects/waitress/en/stable/reverse-proxy.html
Thank you for your answers!
Edit: For future readers: As mmerickel said Waitress 3.0.0 breaks ProxyFix. I tested Waitress 2.x.x and it does not break ProxyFix
Just to clarify: Waitress does not break ProxyFix, Waitress protects your application from receiving untrusted and unvalidated proxy headers that may lead to misbehavior unless you explicitly tell Waitress you want to receive those headers and trust them.
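The handling described in this thread, as an added example that is not part of the original discussion and is not Waitress's own code: a simplified standard-library model of a server that honors X-Forwarded-* headers only when the TCP peer is the trusted proxy and strips them otherwise. The function names, the `proxy_count` parameter and the sample addresses are constructed for illustration.

```python
# Added example: simplified stdlib model, not Waitress's actual code.
PROXY_HEADERS = {"HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED_HOST",
                 "HTTP_X_FORWARDED_PROTO"}

def trusted_proxy_middleware(app, trusted_proxy=None, trusted_headers=(),
                             proxy_count=1, clear_untrusted=True):
    """Honor forwarded headers only when the TCP peer is the trusted proxy."""
    trusted_headers = set(trusted_headers)

    def wrapper(environ, start_response):
        untrusted = set(PROXY_HEADERS)
        if trusted_proxy is not None and environ["REMOTE_ADDR"] == trusted_proxy:
            untrusted -= trusted_headers
            xff = environ.get("HTTP_X_FORWARDED_FOR", "")
            hops = [h.strip() for h in xff.split(",") if h.strip()]
            if "HTTP_X_FORWARDED_FOR" in trusted_headers and hops:
                # Count from the right: entries further left were sent by
                # the client itself and can be forged.
                environ["REMOTE_ADDR"] = hops[-proxy_count:][0]
            proto = environ.get("HTTP_X_FORWARDED_PROTO")
            if "HTTP_X_FORWARDED_PROTO" in trusted_headers and proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
        if clear_untrusted:
            for name in untrusted:
                environ.pop(name, None)  # later middleware never sees these
        return app(environ, start_response)
    return wrapper

def seen_by_app(peer, headers, **settings):
    """Send one constructed request through the model; return the app's view."""
    seen = {}
    def app(environ, start_response):
        seen.update(remote_addr=environ["REMOTE_ADDR"],
                    xff=environ.get("HTTP_X_FORWARDED_FOR"),
                    scheme=environ["wsgi.url_scheme"])
        return [b""]
    environ = {"REMOTE_ADDR": peer, "wsgi.url_scheme": "http", **headers}
    trusted_proxy_middleware(app, **settings)(environ, lambda *args: None)
    return seen

# Constructed sample: nginx on 127.0.0.1 forwarding for client 192.168.1.50.
NGINX = {"HTTP_X_FORWARDED_FOR": "192.168.1.50", "HTTP_X_FORWARDED_PROTO": "https"}
TRUST = {"trusted_proxy": "127.0.0.1",
         "trusted_headers": {"HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED_PROTO"}}

if __name__ == "__main__":
    print("no trust configured:", seen_by_app("127.0.0.1", NGINX))
    print("proxy trusted:      ", seen_by_app("127.0.0.1", NGINX, **TRUST))
    forged = {"HTTP_X_FORWARDED_FOR": "10.9.9.9, 192.168.1.50"}
    print("forged left entry:  ", seen_by_app("127.0.0.1", forged, **TRUST))
```

In the first case the forwarded headers are removed before the application is called, so a ProxyFix-style layer inside the application has nothing left to read and reports the proxy's own address.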
Hi, I have a Flask app behind a NGINX proxy.
app.py:
nginx.conf snippet
I tried the following:

1. python -m flask run, then go to https://192.168.1.100 (IP of my PC). Flask correctly shows my IP.
2. waitress-serve --port=5000 --call app:create_app, then go to https://192.168.1.100. Flask shows 127.0.0.1 instead.
3. waitress-serve --port=5000 --trusted-proxy=127.0.0.1 --trusted-proxy-headers="x-forwarded-for x-forwarded-host x-forwarded-proto" --call app:create_app, then go to https://192.168.1.100. Flask shows my IP correctly again.

Is this intended behavior? Seems like ProxyFix doesn't do anything when using Waitress. Is it safe to remove ProxyFix from the code?

From Flask docs: Tell Flask it is Behind a Proxy
Note: Windows 10, Python 3.12.2, Flask 3.0.2, Waitress 3.0.0