[Bug] Some asset paths not correct when using reverse proxy
Hello and thank you for your application!
Problem
I experience a problem with HistomicsUI when deploying behind a reverse proxy. While most static assets load correctly, the following assets do not respect the new context root of girder:
- /static/built/assets/Girder_Mark-6719b633.png
- /static/built/assets/open-sans-latin-400-33543c5c.woff2
- /static/built/assets/open-sans-latin-700-0edb7628.woff2
- /static/built/assets/fontello-61712e8f.woff2
- /static/built/assets/open-sans-latin-400italic-b61a9055.woff2
In the image below you can see that the me endpoint and Girder_Favicon.png asset are correctly accessed at the https://localhost/dsa/girder/api/v1/user/me and https://localhost/dsa/girder/static/built/Girder_Favicon.png paths, respectively. The problematic assets mentioned above are incorrectly accessed at path https://localhost/static/built/assets (notice missing /dsa/girder part). Note: the redirection is caused by my security setup.
I confirm the problematic assets to be present at the expected location after manual update of the path. For instance for https://localhost/dsa/girder/static/built/assets/Girder_Mark-6719b633.png:
I presume that somewhere the HistomicsUI code does not consistently incorporate girder configuration options.
Configuration
Apache config
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName ${APACHE_PROXY_HOSTNAME}
    Redirect / https://${APACHE_PROXY_HOSTNAME}/
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/cbio_https/cert.crt
    SSLCertificateKeyFile /etc/ssl/cbio_https/key.key
    ServerName ${APACHE_PROXY_HOSTNAME}
    Header always set Strict-Transport-Security "max-age=15768000"
    ErrorLog /tmp/cbio_https_error.log
    LogLevel warn
    CustomLog /tmp/cbio_https_access.log combined
    ProxyRequests Off
    ProxyPass /dsa http://dsa-girder:8080/
    ProxyPassReverse /dsa http://dsa-girder:8080/
    ProxyPreserveHost On
    <Location "/">
        AuthType None
        Require all granted
    </Location>
</VirtualHost>
Girder config
[global]
server.socket_host = "0.0.0.0"
server.max_request_body_size = 1073741824
tools.proxy.on = True
[server]
api_root = "/dsa/girder/api/v1"
static_public_path = "/dsa/girder/static"
[database]
uri = "mongodb://dsa-mongodb:27017/girder"
[logging]
log_access = ["screen", "info"]
log_root = "/logs"
[large_image]
cache_backend: "memcached"
cache_memcached_url: "memcached"
cache_memcached_username: None
cache_memcached_password: None
[cache]
enabled: True
Docker compose file
Note: This compose file extends other compose files not shown here
version: '2.4'
networks:
  dsa-net:
    name: dsa-net
services:
  apache-proxy:
    networks:
      - dsa-net
  dsa-girder:
    networks:
      - dsa-net
    build:
      context: https://github.com/DigitalSlideArchive/digital_slide_archive.git#:devops/dsa
    container_name: dsa-girder
    privileged: true
    # Set CURRENT_UID to your user id (e.g., `CURRENT_UID=$(id -u):$(id -g)`)
    # so that assetstores and logs are owned by yourself.
    user: ${CURRENT_UID}
    restart: unless-stopped
    environment:
      - GIRDER_CONFIG=/conf/girder.local.conf
    command: bash -c 'python /conf/girder_config.py && girder mount /fuse && girder serve'
    volumes:
      # Default assetstore
      - ./service/dsa:/conf # Location of girder.local.conf and girder_config.py
      - ./assetstore:/assetstore
      - ./log:/logs
      - /usr/bin/docker:/usr/bin/docker:ro
      - /var/run/docker.sock:/var/run/docker.sock
      # Needed to mount remote assetstores as if they were filesystems (i.e.,
      # to work fully with S3)
      - /etc/passwd:/etc/passwd:ro
    depends_on:
      - dsa-mongodb
      - dsa-memcached
      - dsa-rabbitmq
  dsa-mongodb:
    networks:
      - dsa-net
    image: "mongo:latest"
    container_name: dsa-mongodb
    user: ${CURRENT_UID}
    restart: unless-stopped
    # TODO fix logging
    # command: --nojournal --logpath /var/log/mongodb/mongodb.log
    command: --nojournal
    volumes:
      - ../dsa_mongodb_files/:/data/db
      # - ./log:/var/log/mongodb
  dsa-memcached:
    networks:
      - dsa-net
    image: memcached
    container_name: dsa-memcached
    command: -m 4096
    restart: unless-stopped
  dsa-rabbitmq:
    networks:
      - dsa-net
    image: "rabbitmq:latest"
    container_name: dsa-rabbitmq
    restart: unless-stopped
    healthcheck:
      test: [ "CMD", "nc", "-z", "localhost", "5672" ]
      interval: 10s
      timeout: 10s
      retries: 5
  dsa-worker:
    networks:
      - dsa-net
    build:
      context: https://github.com/DigitalSlideArchive/digital_slide_archive.git#:devops/dsa
    container_name: dsa-worker
    privileged: true
    # TODO user permission management?
    # user: ${CURRENT_UID:-1001}
    restart: unless-stopped
    command: |
      bash -c "TEMP=${TEMP:-/tmp} python -m girder_worker --concurrency=2 -Ofair --prefetch-multiplier=1 >>/logs/worker.log 2>&1"
    volumes:
      # Location to store logs
      - ./service/dsa/worker.local.cfg:/usr/local/lib/python3.7/site-packages/girder_worker/worker.local.cfg:ro
      - ./log:/logs
      - /usr/bin/docker:/usr/bin/docker:ro
      - /var/run/docker.sock:/var/run/docker.sock
      # Needed to allow transferring data to slicer_cli_web docker containers
      - ${TEMP:-/tmp}:${TEMP:-/tmp}
    environment:
      - C_FORCE_ROOT=true
    depends_on:
      dsa-rabbitmq:
        condition: service_healthy
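
A check for the symptom reported above, as an added example that is not part of the original issue or of the HistomicsUI/Girder code: it scans served HTML/CSS for root-absolute references that fall outside the configured prefixes, so requests that would bypass the /dsa/girder context root and land on whatever the proxy serves at / are caught before deployment. The function name and the sample markup are constructed; the prefixes and asset paths are the ones quoted in the issue.

```python
import re
from urllib.parse import urlsplit

# Prefixes taken from the Girder config in the issue (api_root, static_public_path).
ALLOWED = ("/dsa/girder/api/v1", "/dsa/girder/static")

# Root-absolute references in HTML src/href attributes and CSS url(...) values.
_REF = re.compile(r"""(?:\b(?:src|href)\s*=\s*["']|url\(\s*["']?)(/[^"')\s>]*)""", re.IGNORECASE)


def escaped_refs(text, allowed_prefixes=ALLOWED):
    """Return root-absolute paths in `text` that are outside every allowed prefix."""
    found = []
    for ref in _REF.findall(text):
        if ref.startswith("//"):
            continue  # protocol-relative URL to another host, not a local path
        path = urlsplit(ref).path  # drop any ?query or #fragment
        inside = any(
            path == p.rstrip("/") or path.startswith(p.rstrip("/") + "/")
            for p in allowed_prefixes
        )
        if not inside and path not in found:
            found.append(path)
    return found


# Constructed sample input: one correctly prefixed asset and two of the
# unprefixed assets listed in the issue.
SAMPLE_HTML = (
    '<link rel="icon" href="/dsa/girder/static/built/Girder_Favicon.png">\n'
    '<img src="/static/built/assets/Girder_Mark-6719b633.png?v=1">\n'
)
SAMPLE_CSS = (
    '@font-face { font-family: fontello;\n'
    '  src: url(/static/built/assets/fontello-61712e8f.woff2) format("woff2"); }\n'
)

if __name__ == "__main__":
    for path in escaped_refs(SAMPLE_HTML + SAMPLE_CSS):
        print("outside context root:", path)
```
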