HTTPS Mixed Content for swagger.json with gunicorn

[jslay88]

I have noticed that swagger.json fails to load behind an HTTPS proxy (say, a kubernetes ingress controller) when using gunicorn to serve, but not uWSGI. This happens regardless of passing header X-Forwarded-Proto as recommended in the gunicorn documentation. While the issue probably lies with gunicorn, I have been able to make a slight change to the library which makes it work with gunicorn and uWSGI.

Changing api.specs_url to not use _external on url_for, allows it to return just the relative path to swagger.json, instead of a complete URI (/api/v1/swagger.json vs http://host.com/api/v1/swagger.json) and subsequently allows the JS to load swagger.json. This also falls in line with the behavior of other Django REST middlewares, as well as FastAPI.

flask-restx/flask_restx/api.py

Line 510 in 66d884f

return url_for(self.endpoint("specs"), _external=True)

Repro Steps

1. Run a basic Flask App with Flask-RESTX using gunicorn, and access it from an HTTPS reverse proxy.

Expected Behavior

Ability to load the SwaggerUI from behind an HTTPS reverse proxy using gunicorn. Having the JS load path instead of URI by rendering out api.specs_url not using _external. Ergo, a relative path to swagger.json being passed to the swagger-ui template.

Actual Behavior

RESTX renders out the entire URI using HTTP (because the connection from proxy to gunicorn is HTTP) for the JS to load swagger.json for the SwaggerUI, thus causing a broken SwaggerUI because its trying to load insecure content on a secure site.

Error Messages/Stack Trace

Mixed Content: The page at 'https://host.com/api/v1/' was loaded over HTTPS, but requested an insecure resource 'http://host.com/api/v1/swagger.json'. This request has been blocked; the content must be served over HTTPS.

Environment

• Python version 3.8
• Flask version 1.1.2
• Flask-RESTX version 0.2.0
• Other installed Flask extensions None

Additional Context

Generally, websites use relative paths for their own content.

All of the other static content loaded by the SwaggerUI (CSS, JS bundles, etc) load with relative paths and work. Only swagger.json does not. This is because the swagger_static template filter does not use _external on url_for

flask-restx/flask_restx/apidoc.py

Line 33 in 66d884f

return url_for("restx_doc.static", filename=filename)

[FloLaco]

The flow between Kubernetes Ingress and your container is HTTP or HTTPS ?

[jslay88]

HTTP. Ingress has the public cert. Web -> HTTPS -> Ingress -> HTTP -> container

…

On Fri, Jul 31, 2020 at 08:53 FLaco ***@***.***> wrote: The flow between Kubernetes Ingress and your container is HTTP or HTTPS ? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#188 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABO7UUPGXCT5MTPDHLAR2LLR6LLGDANCNFSM4PLFTR5A> .

[jhampson-dbre]

Are you using ProxyFix as mentioned under Flask Proxy Setups?

import logging
from flask import Flask, request, has_request_context
from werkzeug.middleware.proxy_fix import ProxyFix

app = Flask(__name__)

app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_port=1)

@app.before_request
def log_request():
    app.logger.debug("Request Headers %s", request.headers)
    return None

api.init_app(app)

if __name__ == "__main__":
    app.run(host='0.0.0.0')

This fixed a similar issues I was having with swagger.json mixed content message.

[jslay88]

No, as stated, this is not an issue with werkzueg but with gunicorn as the problem does not present with uWSGI. But the other issue lies with the fact that sites should not be using absolute paths with protocols for links to its ownself. There is no reason for RESTX to render out only swagger.json with an absolute path while the rest of the static content for the SwaggerUI is relative. There should be no need for ProxyFix if relative paths are used as they should be. Hence the issue and request for a change. Not to mention, you should never need to do much special at the application side if the reverse proxy itself is setup correctly, which this one is, because the proxy should be transparent to the application.

…

On Fri, Jul 31, 2020 at 11:40 jhampson-dbre ***@***.***> wrote: Are you using ProxyFix <https://werkzeug.palletsprojects.com/en/1.0.x/middleware/proxy_fix/> as mentioned under Flask Proxy Setups <https://flask.palletsprojects.com/en/1.1.x/deploying/wsgi-standalone/#proxy-setups> ? import loggingfrom flask import Flask, request, has_request_contextfrom werkzeug.middleware.proxy_fix import ProxyFix app = Flask(__name__) app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_port=1) @app.before_requestdef log_request(): app.logger.debug("Request Headers %s", request.headers) return None api.init_app(app) if __name__ == "__main__": app.run(host='0.0.0.0') This fixed a similar issues I was having with swagger.json mixed content message. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#188 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABO7UUM3M37WGKKVLTNTVXLR6L6ZTANCNFSM4PLFTR5A> .

[jhampson-dbre]

I just ran into the same issue with a very similar setup (Https reverse proxy with SSL termination at Kubernetes ingress). I'm also using Gunicorn and it works fine in combination with ProxyFix. From the Flask docs, I stumbled upon ProxyFix before messing with any Gunicorn config, but I will go back and take a look at them as an alternative. To your point, ProxyFix is a fairly kludgy solution.

[jhampson-dbre]

After removing ProxyFix and adding forwarded_allow_ips = "*" to my Gunicorn config file, swagger.json is loaded over https with no mixed content error. This is with gunicorn==20.0.4.

In our case, since the forwarded IP is from the kubernetes ingress, I'm not sure how you could provide the full list of IPs to whitelist more conservatively, but it maybe an acceptable risk if you know that all traffic is coming through the ingress.

Using relative path to load swagger.json is still an ideal solution. For a workaround in the middleware layer, both ProxyFix and forwarded_allow_ips have worked as expected in my environment.

[jslay88]

We have just made our own child api class using the RESTX Api class as parent, and overridden the specs_url property to get by for now.

from flask import Blueprint, url_for
from flask_restx import Api


class PatchedApi(Api):
    @property
    def specs_url(self):
        return url_for(self.endpoint('specs'))


api_blueprint = Blueprint('api_v1', __name__, url_prefix='/api/v1')
api = PatchedApi(api_blueprint, title='Test API', version='1.0.0')

[drheinheimer]

Thanks @jslay88! Just a minor correction: should be self.endpoint (singular, not plural). Yes, this issue is a bug.

[dgildeh]

Hi everyone - just hit this error myself deploying a service to Google Cloud Run using Rest_X - the HTML source is trying to load http not https as required. Reading through comments will a fix be coming for this issue soon or do I need to configure something like ProxyFix or patch the API?

[jslay88]

Thanks @jslay88! Just a minor correction: should be self.endpoint (singular, not plural). Yes, this issue is a bug.

Sorry, was doing it from memory.

[drheinheimer]

Hi everyone - just hit this error myself deploying a service to Google Cloud Run using Rest_X - the HTML source is trying to load http not https as required. Reading through comments will a fix be coming for this issue soon or do I need to configure something like ProxyFix or patch the API?

@dgildeh did you resolve this? Patching the API as jslay88 is trivial, and is what the fix presumably would do anyway.

[jslay88]

Opened a PR to try and get things moving forward.