“No spec provided” error when trying to deliver swagger.json over HTTPS

Submitted by 人盡茶涼 on 2019-12-23 07:56:02

Question


If I try to deliver the Swagger UI using Flask RestPlus over HTTPS, I see only the "No spec provided" error message at the root URL, and the full Swagger UI never loads. However, if I visit the API endpoints they return responses as expected.

Looking at the source HTML for the error page, I noticed that swagger.json was being fetched from http://myhost/ rather than https://myhost/

I've discovered exactly the same issue on the restplus GitHub issues.

I've fixed my issue temporarily with the monkey-patch mentioned on that page. The Swagger UI loads, and looking at the HTML source I see that swagger.json is indeed fetched from https://myhost.

Why is this happening, and how can I fix it without the monkey-patching?

HTTPS is courtesy of Cloudflare's "flexible" HTTPS service.

My app is behind Nginx which is configured thus, and hasn't been causing any issues as far as I'm aware:

...
http {
  ...
  server {
    location / {
      charset UTF-8;
      try_files $uri @proxy_to_app;
    }
    location @proxy_to_app {
      charset UTF-8;
      proxy_intercept_errors on;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;
      proxy_redirect off;
      proxy_pass http://127.0.0.1:5000;
    }
  }
}

Answer 1:


I used the code below to get it working. You can view the stable example at the link below.

http://flask-restplus.readthedocs.io/en/stable/example.html

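from flask import Flask
# Werkzeug 0.15+: from werkzeug.middleware.proxy_fix import ProxyFix (contrib was removed in 1.0)
from werkzeug.contrib.fixers import ProxyFix
app = Flask(__name__)
# Take the request scheme, host and client address from the proxy's X-Forwarded-* headers
app.wsgi_app = ProxyFix(app.wsgi_app)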



Answer 2:


I am not sure this is completely secure, but here is how I've fixed it in Nginx:

sub_filter "http://$host/" "https://$host/";
sub_filter_once off;
proxy_redirect    off;

I am offloading SSL on Nginx and this works without any issues for me. It also removes the need to monkey patch application code.

The method you've listed from flask-restplus issues is definitely considered insecure:

Please keep in mind that it is a security issue to use such a
middleware in a non-proxy setup because it will blindly trust
the incoming headers which might be forged by malicious clients.
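
The header-trust problem quoted above, as an added example that is not part of either answer and is not Werkzeug's ProxyFix: a standard-library WSGI middleware that takes the scheme from X-Forwarded-Proto only when the connecting peer is a known proxy. The class, the helper functions, the trusted-address set and the sample requests are all constructed for illustration.

```python
# Added illustration, stdlib only. This is not Werkzeug's ProxyFix.
from wsgiref.util import setup_testing_defaults

# Assumption: the only reverse proxy is Nginx on the same host (proxy_pass to 127.0.0.1:5000).
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})


class TrustedProxyScheme:
    """WSGI middleware: honor X-Forwarded-Proto only from a trusted peer."""

    def __init__(self, app, trusted=TRUSTED_PROXIES):
        self.app = app
        self.trusted = frozenset(trusted)

    def __call__(self, environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        header = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if peer in self.trusted and header:
            # If several values arrive, the rightmost was written by the nearest proxy.
            proto = header.split(",")[-1].strip().lower()
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def spec_url_app(environ, start_response):
    """Hypothetical stand-in for the API: returns the swagger.json URL it would advertise."""
    url = "{}://{}/swagger.json".format(environ["wsgi.url_scheme"], environ["HTTP_HOST"])
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [url.encode()]


def advertised_spec_url(peer, forwarded_proto=None, host="myhost"):
    """Send one constructed request through the middleware and return the URL."""
    environ = {}
    setup_testing_defaults(environ)  # minimal WSGI environ, scheme defaults to http
    environ.update(REMOTE_ADDR=peer, HTTP_HOST=host)
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    body = TrustedProxyScheme(spec_url_app)(environ, lambda status, headers: None)
    return b"".join(body).decode()


if __name__ == "__main__":
    # Constructed requests; 203.0.113.7 is a documentation address.
    print(advertised_spec_url("127.0.0.1", "https"))    # proxy reports https
    print(advertised_spec_url("127.0.0.1", "http"))     # proxy reports http
    print(advertised_spec_url("203.0.113.7", "https"))  # direct client, header ignored
```

With `proxy_set_header X-Forwarded-Proto $scheme`, Nginx reports the scheme of the connection it received, so the second case applies whenever the hop in front of Nginx connects over plain HTTP, as Cloudflare's flexible mode does.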


Source: https://stackoverflow.com/questions/51292579/no-spec-provided-error-when-trying-to-deliver-swagger-json-over-https
