Closed copypasteearth closed 3 months ago
@jbms do you have any idea what might be happening here, it is working fine running from Mac, but when i do this on linux Ubuntu i get the error above. This is a critical time sensitive issue with a deployment we are working on.
some observations:
1/ (pretty sure this one is benign)
[Warning] [blocked] The page at https:/myserver/min/<truncated> was not allowed to display insecure content from http:/myserver/api/<truncated>.
the other /
is ... escaped somewhere?
2/ it would be helpful to see all network/access logs from browser/nginx
Chrome does not allow accessing http resources from https pages. This is an unfortunate limitation. You will therefore need to either serve neuroglancer from http or serve the data from https.
@jbms it is being served from https as far as i know, it keeps doing a 308 redirect to http though
@xgui3783 do you mean this could be a problem this double slash //
precomputed_volumes//
I don't think that is the reason, but it looks slightly strange.
I think network log + access log will tell us more
@xgui3783 i posted the web page log above from the custom neuroglancer we are running. For access log it just says 308 permanent redirect i think
@jbms the nginx config file above, the data is being served from https
@xgui3783 i posted the web page log above from the custom neuroglancer we are running. For access log it just says 308 permanent redirect i think
Umm I wonder if it actually came from airflow, and not nginx then. I will have to dig deeper when I get home.
But I suspect it might have something to do with X-Forwarded-Proto
header passed to airflow, and whether airflow respects that.
I don't know what is responsible for the 308 redirect but it seems to be redirecting to http rather than https.
@jbms @xgui3783 is there some way to set nginx to redirect to https?
@xgui3783 i posted the web page log above from the custom neuroglancer we are running. For access log it just says 308 permanent redirect i think
Umm I wonder if it actually came from airflow, and not nginx then. I will have to dig deeper when I get home.
But I suspect it might have something to do with
X-Forwarded-Proto
header passed to airflow, and whether airflow respects that.
@xgui3783 It is a 308 redirect from airflow webserver, i see it when it tries to get the info file, just not sure why it is redirecting to http
Also, it works on my mac with same config although i am using ngrok
This setup is on ubuntu linux
I can only imagine you have already read https://airflow.apache.org/docs/apache-airflow/stable/howto/run-behind-proxy.html and implemented
[webserver]
enable_proxy_fix = True
?
(apologies, as I am not very well versed in airflow, so my suggestions are rather generic)
@xgui3783 I'm thinking that I didn't set the SSL certs in airflow so it is redirecting to http.
I thought just specifying the certs in nginx would be good enough. Do you think that may be the issue?
I didn't think airflow needed certs, since it is the reverse proxy's job.
I still suspects it is X-Forwarded-Proto
(and potentially X-Forwarded-Host
, if airflow is also adding your CORS headers).
@xgui3783 i posted the web page log above from the custom neuroglancer we are running. For access log it just says 308 permanent redirect i think
Umm I wonder if it actually came from airflow, and not nginx then. I will have to dig deeper when I get home. But I suspect it might have something to do with
X-Forwarded-Proto
header passed to airflow, and whether airflow respects that.@xgui3783 It is a 308 redirect from airflow webserver, i see it when it tries to get the info file, just not sure why it is redirecting to http
How much control do you have of the webserver? Can you try to print all the forwarded headers when running behind ngrok vs when running nginx and compare them?
Also just found https://www.restack.io/docs/airflow-faq-howto-run-behind-proxy-01
not official doc, but they seem to suggest that you want to add
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
which seems to be missing in your config
@jbms @xgui3783 you can close this. The issue was not setting SSL certs in airflow docker compose so it was running on http and permanently redirecting to http.
Thank you for your time.
Hi everyone: I am having an issue that i think might be an nginx issue, i have airflow running behind nginx and neuroglancer also.
this is the error i am getting
[Warning] [blocked] The page at https:/myserver/min/#!%7B%27layers%27%3A%20%5B%7B%27source%27%3A%20%7B%27url%27%3A%20%27precomputed%3A//https%3A//myserver/api/v1/imaging_suite/data/precomputed_volumes//EE35A058-CC87-4984-A207-BE1DDB27062C/Group_1/Sample_1/uCT/%27%7D%2C%20%27type%27%3A%20%27image%27%2C%20%27tab%27%3A%20%27source%27%2C%20%27name%27%3A%20%27uCT%27%2C%20%27visible%27%3A%20true%7D%5D%2C%20%27layout%27%3A%20%273d%27%7D was not allowed to display insecure content from http:/myserver/api/v1/imaging_suite/data/precomputed_volumes/EE35A058-CC87-4984-A207-BE1DDB27062C/Group_1/Sample_1/uCT/info.
[Error] Failed to load resource: Redirect was not allowed (info, line 0) [Error] Fetch API cannot load https://myserver/api/v1/imaging_suite/data/precomputed_volumes//EE35A058-CC87-4984-A207-BE1DDB27062C/Group_1/Sample_1/uCT/info due to access control checks.
is this an nginx config problem?