mod_subsitute to correct assets/links on proxied applications

[johrstrom]

From discourse: https://discourse.openondemand.org/t/reverse-proxy-response-body-substitution/2232

A quick synopsis of the problem statement is: Apps serve assets without the knowledge of being behind a proxy.

So when they serve assets like so:

<link rel="stylesheet" media="all" href="/app/assets/cool.css">
<script src="/app/assets/cool.js"></script>

We need to inline edit these links like so:

<link rel="stylesheet" media="all" href="/node/abc/123/app/assets/cool.css">
<script src="/node/abc/123/app/assets/cool.js"></script>

Though this is likely not limited to assets. It's likely any relative href and src.

┆Issue is synchronized with this Asana task by Unito

[vanzod]

@johrstrom Thank you for looking into this. Is there any update on this issue? I am currently working on integrating CryoSPARC and happy to test potential solutions.

[johrstrom]

No progress made yet, but I do know of other applications like Label Studio and maybe Spark that could likely use this feature too.

I'll schedule it for 2.2 now.

[mjbludwig]

Leaving this for notes...

Had some slight success with at least loading some of the JS by manually adding the following to /etc/httpd/conf.d/ood-portal.conf:

   <LocationMatch "^/cnode/(?<host>[^/]+)/(?<port>\d+)(?<uri>/.*|)">
    AuthType openid-connect
    Require valid-user

    # ProxyPassReverse implementation
    Header edit Location "^([^/]+//[^/]+)|(?=/)|^([\./]{1,}(?<!/))" "/cnode/%{MATCH_HOST}e/%{MATCH_PORT}e"

    # ProxyPassReverseCookieDomain implemenation
    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""

    # ProxyPassReverseCookiePath implementation
    Header edit* Set-Cookie ";\s*(?i)Path[^;]*" ""
    Header edit  Set-Cookie "^([^;]+)" "$1; Path=/cnode/%{MATCH_HOST}e/%{MATCH_PORT}e"
    #AddOutputFilterByType SUBSTITUTE text/html text/css application/javascript application/json
    AddOutputFilterByType SUBSTITUTE text/html
    RequestHeader unset Accept-Encoding
    Substitute "s|src=\"/|src=\"/cnode/localhost/62155/|ni"
    Substitute "s|href=\"/|href=\"/cnode/localhost/62155/|ni"

    LuaHookFixups node_proxy.lua node_proxy_handler
  </LocationMatch>

For my application and testing I am just running cryosparc at port 62155 right from localhost (same host as the ood server).

The above will partially load the cryosparc login page at https://myood.edu/cnode/localhost/62155/

[vallerul]

May I know if we have any updates to this issue or if it is on track to be completed for the milestone 3.1?

[johrstrom]

I'm going to put some work into this shortly. I do hope that it'll make it to 3.1.

[johrstrom]

I have unfortunate news for the thread - this won't be available until apache2/httpd 2.5.x

Morgan's hard coded example for Substitute directives would have to look more like this, using the variables MATCH_HOST and MATCH_PORT.

    Substitute "s|src=\"/|src=\"<%= @snode_uri %>/%{MATCH_HOST}e/%{MATCH_PORT}e/|ni"
    Substitute "s|href=\"/|href=\"<%= @snode_uri %>/%{MATCH_HOST}e/%{MATCH_PORT}e/|ni"

current docs (2.4) - don't say anything about variables: https://httpd.apache.org/docs/current/mod/mod_substitute.html

Newer docs (2.5) - allow for variables to be used. https://httpd.apache.org/docs/trunk/mod/mod_substitute.html

So we won't be able to actually use the variables until we have a critical mass of operating systems that have httpd 2.5.

[mjbludwig]

Ahh ok thats why. Thanks for filling in that gap for me. I will spend some cycles playing with httpd 2.5 and using these variables and post what I find.

[mjbludwig]

Just FYI per RedHat: Apache httpd 2.5/2.6 is currently NOT included in any of Red Hat product. Reading between the lines probably means "yeah, not gunna happen for a while"

[johrstrom]

Just FYI per RedHat: Apache httpd 2.5/2.6 is currently NOT included in any of Red Hat product. Reading between the lines probably means "yeah, not gunna happen for a while"

Thanks for checking up. They made the dnf module system for this reason, but ... you can't fight city hall and I suppose you can't fight RHEL either.

[treydock]

Apache 2.4 is still the only thing shipped with Fedora and CentOS Stream.

https://koji.fedoraproject.org/koji/packageinfo?packageID=280

Sometimes, if you are feeling adventurous, you can find newer SRPMs from CentOS Stream or Fedora on Fedora's Koji and rebuild them on RHEL8 or RHEL9 and they will generally work with only a few minor tweaks. In this case that doesn't seem possible since all that exists in those upstream distros is Apache 2.4.

[mjbludwig]

Thanks for checking, ./configure; make; make install it is then.