blob: 6490e3d7f3df30ed55c300cc86b7f7aec60316bc [file] [log] [blame]
.. index:: reverse, proxy, TLS, SSL, https
.. _using-behind-a-reverse-proxy:
============================
Using Behind a Reverse Proxy
============================
Often people will set up "pure Python" web servers behind reverse proxies,
especially if they need TLS support (Waitress does not natively support TLS).
Even if you don't need TLS support, it's not uncommon to see Waitress and
other pure-Python web servers set up to only handle requests behind a reverse proxy;
these proxies often have lots of useful deployment knobs.
If you're using Waitress behind a reverse proxy, you'll almost always want
your reverse proxy to pass along the ``Host`` header sent by the client to
Waitress, in either case, as it will be used by most applications to generate
correct URLs. You may also use the proxy headers if passing ``Host`` directly
is not possible, or there are multiple proxies involved.
For example, when using nginx as a reverse proxy, you might add the following
lines in a ``location`` section.
.. code-block:: nginx
proxy_set_header Host $host;
The Apache directive named ``ProxyPreserveHost`` does something similar when
used as a reverse proxy.
Unfortunately, even if you pass the ``Host`` header, the Host header does not
contain enough information to regenerate the original URL sent by the client.
For example, if your reverse proxy accepts HTTPS requests (and therefore URLs
which start with ``https://``), the URLs generated by your application when
used behind a reverse proxy served by Waitress might inappropriately be
``http://foo`` rather than ``https://foo``. To fix this, you'll want to
change the ``wsgi.url_scheme`` in the WSGI environment before it reaches your
application. You can do this in one of three ways:
1. You can pass a ``url_scheme`` configuration variable to the
``waitress.serve`` function.
2. You can pass certain well known proxy headers from your proxy server and
use waitress's ``trusted_proxy`` support to automatically configure the
WSGI environment.
Using ``url_scheme`` to set ``wsgi.url_scheme``
-----------------------------------------------
You can have the Waitress server use the ``https`` url scheme by default.:
.. code-block:: python
from waitress import serve
serve(wsgiapp, listen='0.0.0.0:8080', url_scheme='https')
This works if all URLs generated by your application should use the ``https``
scheme.
Passing the proxy headers to setup the WSGI environment
-------------------------------------------------------
If your proxy accepts both HTTP and HTTPS URLs, and you want your application
to generate the appropriate url based on the incoming scheme, you'll want to
pass waitress ``X-Forwarded-Proto``, however Waitress is also able to update
the environment using ``X-Forwarded-Proto``, ``X-Forwarded-For``,
``X-Forwarded-Host``, and ``X-Forwarded-Port``::
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Port $server_port;
when using Apache, ``mod_proxy`` automatically forwards the following headers::
X-Forwarded-For
X-Forwarded-Host
X-Forwarded-Server
You will also want to add to Apache::
RequestHeader set X-Forwarded-Proto https
Configure waitress's ``trusted_proxy_headers`` as appropriate::
trusted_proxy_headers = "x-forwarded-for x-forwarded-host x-forwarded-proto x-forwarded-port"
At this point waitress will set up the WSGI environment using the information
specified in the trusted proxy headers. This will setup the following
variables::
HTTP_HOST
SERVER_NAME
SERVER_PORT
REMOTE_ADDR
REMOTE_PORT (if available)
wsgi.url_scheme
Waitress also has support for the `Forwarded (RFC7239) HTTP header
<https://tools.ietf.org/html/rfc7239>`_ which is better defined than the ad-hoc
``X-Forwarded-*``, however support is not nearly as widespread yet.
``Forwarded`` supports similar functionality as the different individual
headers, and is mutually exclusive to using the ``X-Forwarded-*`` headers.
To configure waitress to use the ``Forwarded`` header, set::
trusted_proxy_headers = "forwarded"
.. note::
You must also configure the Waitress server's ``trusted_proxy`` to
contain the IP address of the proxy.
Using ``url_prefix`` to influence ``SCRIPT_NAME`` and ``PATH_INFO``
-------------------------------------------------------------------
You can have the Waitress server use a particular url prefix by default for all
URLs generated by downstream applications that take ``SCRIPT_NAME`` into
account.:
.. code-block:: python
from waitress import serve
serve(wsgiapp, listen='0.0.0.0:8080', url_prefix='/foo')
Setting this to any value except the empty string will cause the WSGI
``SCRIPT_NAME`` value to be that value, minus any trailing slashes you add, and
it will cause the ``PATH_INFO`` of any request which is prefixed with this
value to be stripped of the prefix. This is useful in proxying scenarios where
you wish to forward all traffic to a Waitress server but need URLs generated by
downstream applications to be prefixed with a particular path segment.