google / neuroglancer

WebGL-based viewer for volumetric data
Apache License 2.0

Permanent redirect 308 redirects from https to http #560

Closed copypasteearth closed 3 months ago

copypasteearth commented 3 months ago

Hi everyone: I am having an issue that I think might be an nginx issue. I have airflow running behind nginx and neuroglancer also.

This is the error I am getting:

[Warning] [blocked] The page at https:/myserver/min/#!%7B%27layers%27%3A%20%5B%7B%27source%27%3A%20%7B%27url%27%3A%20%27precomputed%3A//https%3A//myserver/api/v1/imaging_suite/data/precomputed_volumes//EE35A058-CC87-4984-A207-BE1DDB27062C/Group_1/Sample_1/uCT/%27%7D%2C%20%27type%27%3A%20%27image%27%2C%20%27tab%27%3A%20%27source%27%2C%20%27name%27%3A%20%27uCT%27%2C%20%27visible%27%3A%20true%7D%5D%2C%20%27layout%27%3A%20%273d%27%7D was not allowed to display insecure content from http:/myserver/api/v1/imaging_suite/data/precomputed_volumes/EE35A058-CC87-4984-A207-BE1DDB27062C/Group_1/Sample_1/uCT/info.

[Error] Failed to load resource: Redirect was not allowed (info, line 0)

[Error] Fetch API cannot load https://myserver/api/v1/imaging_suite/data/precomputed_volumes//EE35A058-CC87-4984-A207-BE1DDB27062C/Group_1/Sample_1/uCT/info due to access control checks.

Is this an nginx config problem?

```nginx
#user  nginx;
worker_processes  auto;

#error_log  /var/log/nginx/error.log warn;
#pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 10m;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  /var/log/nginx/access.log  main;
    client_max_body_size 500M;
    sendfile        on;
    tcp_nopush      on;

    keepalive_timeout  65;

    gzip on;

    # HTTPS server
    #
    server {
       listen       443 ssl;
       server_name  localhost;

       ssl_certificate      /airflow.crt;
       ssl_certificate_key  /domain.key;

       ssl_session_cache    shared:SSL:1m;
       ssl_session_timeout  5d;

       ssl_ciphers  HIGH:!aNULL:!MD5;
       ssl_prefer_server_ciphers  on;

       location / {
          proxy_pass http://localhost:8080;
          proxy_set_header Host $host;
          proxy_redirect off;
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "upgrade";
       }
       location /min/ {
          root   /Documents/neuroglancer/dist;
          index  index.html;
       }
    }
    include servers/*;
}
```

copypasteearth commented 3 months ago

@jbms do you have any idea what might be happening here? It is working fine running from Mac, but when I do this on Linux Ubuntu I get the error above. This is a critical time sensitive issue with a deployment we are working on.

xgui3783 commented 3 months ago

some observations:

1/ (pretty sure this one is benign)

[Warning] [blocked] The page at https:/myserver/min/<truncated> was not allowed to display insecure content from http:/myserver/api/<truncated>.

the other / is ... escaped somewhere?

2/ it would be helpful to see all network/access logs from browser/nginx

jbms commented 3 months ago

Chrome does not allow accessing http resources from https pages. This is an unfortunate limitation. You will therefore need to either serve neuroglancer from http or serve the data from https.

copypasteearth commented 3 months ago

@jbms it is being served from https as far as I know, it keeps doing a 308 redirect to http though

copypasteearth commented 3 months ago

@xgui3783 do you mean this could be a problem, this double slash //?

precomputed_volumes//

xgui3783 commented 3 months ago

I don't think that is the reason, but it looks slightly strange.

I think network log + access log will tell us more

copypasteearth commented 3 months ago

@xgui3783 I posted the web page log above from the custom neuroglancer we are running. For access log it just says 308 permanent redirect I think

copypasteearth commented 3 months ago

@jbms the nginx config file above, the data is being served from https

xgui3783 commented 3 months ago

> @xgui3783 I posted the web page log above from the custom neuroglancer we are running. For access log it just says 308 permanent redirect I think

Umm I wonder if it actually came from airflow, and not nginx then. I will have to dig deeper when I get home.

But I suspect it might have something to do with X-Forwarded-Proto header passed to airflow, and whether airflow respects that.

jbms commented 3 months ago

I don't know what is responsible for the 308 redirect but it seems to be redirecting to http rather than https.

copypasteearth commented 3 months ago

@jbms @xgui3783 is there some way to set nginx to redirect to https?

copypasteearth commented 3 months ago

> > @xgui3783 I posted the web page log above from the custom neuroglancer we are running. For access log it just says 308 permanent redirect I think
>
> Umm I wonder if it actually came from airflow, and not nginx then. I will have to dig deeper when I get home.
>
> But I suspect it might have something to do with X-Forwarded-Proto header passed to airflow, and whether airflow respects that.

@xgui3783 It is a 308 redirect from airflow webserver, I see it when it tries to get the info file, just not sure why it is redirecting to http

copypasteearth commented 3 months ago

Also, it works on my Mac with same config although I am using ngrok

This setup is on ubuntu linux

xgui3783 commented 3 months ago

I can only imagine you have already read https://airflow.apache.org/docs/apache-airflow/stable/howto/run-behind-proxy.html and implemented

    [webserver]
    enable_proxy_fix = True

?

(apologies, as I am not very well versed in airflow, so my suggestions are rather generic)

copypasteearth commented 3 months ago

@xgui3783 I'm thinking that I didn't set the SSL certs in airflow so it is redirecting to http.

I thought just specifying the certs in nginx would be good enough. Do you think that may be the issue?

xgui3783 commented 3 months ago

I didn't think airflow needed certs, since it is the reverse proxy's job.

I still suspect it is X-Forwarded-Proto (and potentially X-Forwarded-Host, if airflow is also adding your CORS headers).

xgui3783 commented 3 months ago

> > > @xgui3783 I posted the web page log above from the custom neuroglancer we are running. For access log it just says 308 permanent redirect I think
> >
> > Umm I wonder if it actually came from airflow, and not nginx then. I will have to dig deeper when I get home. But I suspect it might have something to do with X-Forwarded-Proto header passed to airflow, and whether airflow respects that.
>
> @xgui3783 It is a 308 redirect from airflow webserver, I see it when it tries to get the info file, just not sure why it is redirecting to http

How much control do you have of the webserver? Can you try to print all the forwarded headers when running behind ngrok vs when running nginx and compare them?

xgui3783 commented 3 months ago

Also just found https://www.restack.io/docs/airflow-faq-howto-run-behind-proxy-01

not official doc, but they seem to suggest that you want to add

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

which seems to be missing in your config
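
Added example (not from any participant in this thread, and not Airflow's or Werkzeug's code): a toy WSGI backend showing the mechanism suspected in the comments above, where an app reached over plain HTTP from a TLS-terminating proxy builds an absolute redirect with `http://` unless it is told the original scheme through `X-Forwarded-Proto` and is configured to honor it. The backend, its double-slash redirect rule, `TrustForwardedProto`, `redirect_for` and the sample path are assumptions made for illustration.

```python
# Added example: stand-in backend and middleware, not Airflow or Werkzeug code.
import re

def backend(environ, start_response):
    """Toy app: 308-redirect any path containing '//' to the collapsed path."""
    path = environ["PATH_INFO"]
    clean = re.sub(r"/{2,}", "/", path)
    if clean != path:
        # The absolute Location uses the scheme the app *believes* was used.
        location = f'{environ["wsgi.url_scheme"]}://{environ["HTTP_HOST"]}{clean}'
        start_response("308 Permanent Redirect", [("Location", location)])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

class TrustForwardedProto:
    """Minimal stand-in for a proxy-fix middleware: adopt X-Forwarded-Proto."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        raw = environ.get("HTTP_X_FORWARDED_PROTO", "")
        proto = raw.split(",")[0].strip().lower()
        if proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)

def redirect_for(app, path, forwarded_headers):
    """Call `app` as a TLS-terminating proxy would; return (status, Location)."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "HTTP_HOST": "myserver",
        "wsgi.url_scheme": "http",  # the proxy_pass hop itself is plain HTTP
    }
    for name, value in forwarded_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    app(environ, start_response)
    return seen["status"], seen["headers"].get("Location")

PATH = "/api/v1/data//volume/info"  # constructed path with a double slash
if __name__ == "__main__":
    fwd = {"X-Forwarded-Proto": "https"}
    print("no header:      ", redirect_for(backend, PATH, {}))
    print("header ignored: ", redirect_for(backend, PATH, fwd))
    print("header honored: ", redirect_for(TrustForwardedProto(backend), PATH, fwd))
```

Both halves are needed: the proxy must send the header and the backend must be set to trust it. A backend should honor `X-Forwarded-Proto` only when it is reachable solely through the proxy, since otherwise any client can set the header.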

copypasteearth commented 3 months ago

@jbms @xgui3783 you can close this. The issue was not setting SSL certs in airflow docker compose so it was running on http and permanently redirecting to http.

Thank you for your time.