search

chanzuckerberg / cellxgene

An interactive explorer for single-cell transcriptomics data
https://chanzuckerberg.github.io/cellxgene/
MIT License
626 stars 116 forks source link

[FEATURE REQUEST] Add a server option to prefix all URLs #2319

Open ChiliJohnson opened 3 years ago

ChiliJohnson commented 3 years ago

Is your feature request related to a problem? Please describe. It's currently difficult to run the cellxgene server behind a reverse proxy at a path other than / because no option is provided for changing the base URL of the server.

For example: I want to launch a cellxgene server at https://example.com/my/cellxgene/app using NGINX and proxy_pass to route requests to a cellxgene server running behind it. However, in its current state, the app will not respond to requests rooted at /my/cellxgene/app, only to requests rooted at /, meaning that a request to https://example.com/my/cellxgene/app will result in a 404 returned by the cellxgene server.

Describe the solution you'd like A new launch CLI option like --url-prefix or --base-url-path or something like that which prefixes all the routes/URLs the server uses would solve this problem.

Describe alternatives you've considered It's possible to configure NGINX's proxy_pass to not pass the the URL on to the proxied cellxgene server, which works for the initial requests, but that does not fully solve this problem as subsequent asset requests will still be rooted at / and will result in 404s again.

Additional context Using a reverse proxy can be useful for adding TLS, ensuring authorization to access an app (e.g. using Google SSO), or for running multiple, independent cellxgene servers at different paths under the same domain.

MaximilianLombardo commented 3 years ago

Hey Chili!

Thanks so much for this feature request and the corresponding PR that you submitted to implement it! The team wanted to get a bit more context on the request/pr - would you mind contacting me (mlombardo@chanzuckerberg.com) to discuss a bit further? I'll update this thread with details from the conversation for visibility.

arogozhnikov commented 3 years ago

Hi @MaximilianLombardo, did you end up with any decision on this?

MaximilianLombardo commented 3 years ago

I expect to update you on the issue this week

arogozhnikov commented 3 years ago

@MaximilianLombardo that would be awesome!

alokito commented 3 years ago

Hi @ChiliJohnson ! As you may already be aware, cellxgene-gateway addresses this issue by using the path of the incoming request ("descriptor" in c-g parlance) to determine the backing cellxgene process, and then passes the remaining "subpath" to cellxgene. Furthermore, any absolute paths in the response are rewritten to include the descriptor with "rewrite_text_content". This is implemented here:

https://github.com/Novartis/cellxgene-gateway/blob/master/cellxgene_gateway/cache_entry.py#L133

We also terminate SSL and implement some "coarse-grained" authorization with a different upstream transparent proxy.

Fine-grain auth (dataset level) is on the todo list, this ticket has given me some additional motivation to complete it.

As you may know, the processes in cellxgene-gateway are all running locally on the server; it has long been a goal of mine to support launching docker containers (e.g. on ECS/fargate) to support better scaling, but we have not had time to implement this. Do you have any code that you can share that implements launching docker containers?