search

allegroai / clearml-server

ClearML - Auto-Magical CI/CD to streamline your AI workload. Experiment Management, Data Management, Pipeline, Orchestration, Scheduling & Serving in one MLOps/LLMOps solution
https://clear.ml/docs
Other
364 stars 132 forks source link

nginx proxy forward Host header config is wrong #209

Open chriswue opened 11 months ago

chriswue commented 11 months ago

When running the official clearml docker image with the webserver argument then an nginx instance is spun up. The proxy config rewrites /api paths to forward to the apiserver instance. As part of that it sets the proxy forward Host header to $host which is incorrect because $host refers to the original Host header or original server name (http://nginx.org/en/docs/http/ngx_http_core_module.html#var_host). Instead the variable $proxy_host should be used.

Why is this important: We have ClearML deployed as an Azure Container App and the ingress controller will see a request that goes to the IP of the apiserver container but with a Host header of the webserver and will deny access with a 403. Setting the header like this instead: proxy_set_header Host $proxy_host; solves this problem.

I suspect that this wasn't noticed until now because in a docker-compose environment there is no ingress controller that performs sanity checking and the apiserver doesn't care about the Host header either.

jkhenning commented 11 months ago

Hi @chriswue , makes sense - we'll take a look soon and hopefully merge this as soon as possible :)