webis-de / mturk-manager

An alternative front end for Amazon Mechanical Turk
GNU General Public License v3.0

Running mturk-manager as a non-root resource #69

Open zeuner opened 3 years ago

zeuner commented 3 years ago

I'm not sure whether this is a feature request, or there is just some documentation needed for an already existing feature.

I'd like to protect the frontend using TLS because it expects credentials to be entered. To achieve this, I serve TLS using an Apache server and connect it to the plain HTTP mturk-manager frontend using ProxyPass* directives.

This seems to work fine, but it currently requires me to run a separate TLS domain just for mturk-manager because the frontend serves its resources (JavaScript, CSS, etc.) using root-relative links.

It would be great if only relative links were used, or if there was a way to specify a custom application root for the links. This way, mturk-manager could be served in a subdirectory of an existing TLS domain.

potthast commented 3 years ago

@johanneskiesel @Kritten Wouldn't this be easily accomplished by rewriting some of the URLs throughout the project?

zeuner commented 3 years ago

@potthast I think this is likely correct. Plus, if Django is being used for the URLs in question, Django's powerful URL creation logic might help.

Currently, further investigating this and possibly suggesting a pull request is blocked by another issue: https://github.com/webis-de/mturk-manager/issues/70

Kritten commented 3 years ago

@zeuner Django's URL creation logic is already in use, isn't it? https://github.com/webis-de/mturk-manager/blob/master/mturk_db/api/urls.py

Either way, static assets (JavaScript, CSS, ...) are not served by the Django app; the frontend is completely separated from the backend (which is how it should be in my opinion). The frontend needs access to the backend for all of the API requests, but it shouldn't matter whether the backend is served on a root domain or subdomain.

I think you can (and actually have to) achieve your target setup by correctly configuring your network. But maybe I misunderstood your problem; I'm not very experienced in those network topics :)

Kritten commented 3 years ago

Please also note that the frontend is a single-page application. I'm not using the templating system of Django at any point! Instead, Django serves only as an API via the Django REST Framework and GraphQL.

zeuner commented 3 years ago

Thanks for the pointer. I wasn't aware of the frontend not using Django.

Whether it's a root domain or a subdomain is not important to me. I want to run mturk-manager on the same domain as an existing one, so it can use the same TLS certificate and IP address. For example with an existing "https://mydomain.tld/", mturk-manager should run at "https://mydomain.tld/mturk/". This does not work with the root-relative links mturk-manager-frontend creates by default.

I figured out that a setup as needed can be achieved by adapting publicPath in https://github.com/webis-de/mturk-manager/blob/master/frontend/vue.config.js. Since the resulting links are written into a static HTML file in the docker image, this works only in one's own builds, and isn't suitable for configuring the docker image at run time.

The Django topic makes me wonder about other characteristics of the network setup possibly relevant for a proper TLS setup:

Is it necessary to also serve the backend publicly, or does it suffice if the frontend nginx can access it (through localhost:8004 by default)?

Also, what about the interaction with Amazon's mTurk infrastructure, and the workers? To what extent is it necessary to expose the frontend and/or backend web server to them?
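Added example, not part of the thread and not mturk-manager code: a JavaScript check that lists the root-relative `href`/`src` links in a built `index.html` that would miss a sub-path mount such as the `/mturk/` example above, and rebases them. The sample HTML and all function names are constructed for illustration.

```javascript
// Added example (not mturk-manager code): find and rebase root-relative
// asset links in a built single-page-app index.html.
// SAMPLE_HTML is constructed; "/mturk/" is the sub-path named in the thread.
const SAMPLE_HTML = `<!DOCTYPE html>
<html><head>
<link href="/css/app.css" rel="stylesheet">
<link href="//cdn.example/font.css" rel="stylesheet">
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
</head><body><img src="img/logo.png"><a href="/mturk/help">help</a></body></html>`;

// Matches href="..." / src="..." with either quote style.
const ATTR_RE = /\b(href|src)=(["'])(.*?)\2/gi;

// Root-relative: starts with a single "/", not "//" (protocol-relative).
function isRootRelative(url) {
  return url.startsWith('/') && !url.startsWith('//');
}

// "/mturk", "mturk/" and "/mturk/" all become "/mturk/".
function normalizePrefix(prefix) {
  return '/' + prefix.replace(/^\/+|\/+$/g, '') + '/';
}

// Links that resolve against the domain root and so bypass the sub-path.
function findRootRelativeLinks(html, prefix) {
  const base = normalizePrefix(prefix);
  const found = [];
  for (const m of html.matchAll(ATTR_RE)) {
    const url = m[3];
    if (isRootRelative(url) && !url.startsWith(base)) found.push(url);
  }
  return found;
}

// Rewrite those links to live under the prefix; all other URLs are untouched.
function rebaseLinks(html, prefix) {
  const base = normalizePrefix(prefix);
  return html.replace(ATTR_RE, (whole, attr, quote, url) => {
    if (!isRootRelative(url) || url.startsWith(base)) return whole;
    return `${attr}=${quote}${base}${url.slice(1)}${quote}`;
  });
}
```

This only covers links written into the HTML file; URLs that the JavaScript bundles construct at run time are not touched by it.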

zeuner commented 3 years ago

Never mind, figured out the backend question myself; obviously it's also necessary to run it publicly.

Seems to make it even more useful to be able to put backend and/or frontend in a subdirectory and save TLS domains.

Is there any problem with putting the backend in a subdirectory? I guess the REST API won't create links to the backend. Any other component that does?

Kritten commented 3 years ago

As far as I'm currently aware, it's only necessary to run the API publicly if you're going to use the block feature of the Mturk Manager. Then it's necessary that the Amazon Mturk page can access your API from anywhere in the world. Of course, the API always needs a connection to the internet, to use the Amazon Mturk API to create the HITs.

I think you should be fine to put the backend anywhere you want. Please tell me/us if anything does not work. For example, we run the backend on a specific domain on one of our servers which is accessible from the outside. We don't even have a hosted frontend to access this backend. Everybody who wants to use the API simply runs the frontend docker container on his machine and is good to go.