alkismavridis commented on issue #49495: URL: https://github.com/apache/airflow/issues/49495#issuecomment-3016568730
I also encountered the infinite redirect issue even though I run the 3.0.1 docker image. The issue appeared as soon as I added a reverse proxy into the picture. Please note that adding the `--proxy-headers` parameter or the `FORWARDED_ALLOW_IPS` env variable, as you mention in your [documentation](https://airflow.apache.org/docs/apache-airflow/stable/howto/run-behind-proxy.html), did not help.

After tons of debugging, and comparing the working with the non-working version, I found that the guilty part was the HttpOnly cookies. You see, my reverse proxy was set up in such a way as to rewrite all Set-Cookie headers and make all cookies http-only. This was a good practice for the rest of the apps that the reverse proxy serves. But the airflow frontend seems to need access to the cookie (I checked the localStorage in my browser and I found the token lands there, so I assume JS needs it). In any case, as soon as I removed the HttpOnly cookie enhancement, it all worked fine.

A couple of pieces of advice from me, if I may:

- Please add to your documentation [here](https://airflow.apache.org/docs/apache-airflow/stable/howto/run-behind-proxy.html) the fact that the reverse proxy should not restrict the cookies to http-only, since JS needs to access them.
- Once I got this working, I removed the mentioned `--proxy-headers` parameter and the `FORWARDED_ALLOW_IPS` env variable. It still works fine. So maybe these things are not necessary?
- Maybe just my opinion, but storing the token in localStorage might not be the best idea. localStorage is of course globally accessible, which means that even if one malicious JS dependency manages to sneak in somewhere in your dependency tree, we have a security breach on our hands. Such cases are far from uncommon. The malicious library could be a dependency of a dependency of a dependency that is supposed to pretty-print console messages or something.

--
This is an automated message from the Apache Git Service.
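Added example, not part of the comment above or of the Airflow project: it models the Set-Cookie rewrite the commenter's reverse proxy performs (blanket HttpOnly on every cookie) next to a selective variant that exempts the cookies a frontend's JavaScript must read, and a check that reports which cookies a browser would expose to scripts. The cookie names and header values are constructed placeholders, not Airflow's real cookie names.

```python
from typing import Iterable


def parse_set_cookie(header: str) -> tuple[str, str, list[str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, [attributes])."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    return name.strip(), value.strip(), [p for p in parts[1:] if p]


def rewrite_set_cookie(header: str, js_readable: Iterable[str] = ()) -> str:
    """Proxy-side rewrite: add HttpOnly unless the cookie is on the exemption list.

    The flag is never added twice, and existing attributes (Path, Secure, SameSite)
    are preserved as the upstream sent them.
    """
    name, value, attrs = parse_set_cookie(header)
    has_httponly = any(a.lower() == "httponly" for a in attrs)
    if name not in set(js_readable) and not has_httponly:
        attrs.append("HttpOnly")
    return "; ".join([f"{name}={value}", *attrs])


def js_readable_cookies(headers: Iterable[str]) -> list[str]:
    """Names of cookies a browser would expose to document.cookie (no HttpOnly flag)."""
    return [
        name
        for name, _, attrs in map(parse_set_cookie, headers)
        if not any(a.lower() == "httponly" for a in attrs)
    ]


# Constructed sample upstream Set-Cookie headers (placeholder cookie names).
UPSTREAM = [
    "example_token=abc123; Path=/; Secure; SameSite=Lax",  # frontend JS needs this one
    "session=xyz; Path=/; Secure",
    "tracking=1; Path=/; Secure; HttpOnly",
]


def blanket_rewrite(headers: Iterable[str] = UPSTREAM) -> list[str]:
    """What the commenter's proxy did: every cookie becomes HttpOnly, JS loses the token."""
    return [rewrite_set_cookie(h) for h in headers]


def selective_rewrite(headers: Iterable[str] = UPSTREAM) -> list[str]:
    """Hardened default with an exemption for the one cookie the frontend must read."""
    return [rewrite_set_cookie(h, js_readable={"example_token"}) for h in headers]


if __name__ == "__main__":
    print("blanket  :", js_readable_cookies(blanket_rewrite()))    # []
    print("selective:", js_readable_cookies(selective_rewrite()))  # ['example_token']
```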
