wger-project / wger

Self hosted FLOSS fitness/workout, nutrition and weight tracker
https://wger.de
GNU Affero General Public License v3.0

Use SITE_URL when returning media URLs over the API #1182

Open rolandgeider opened 1 year ago

rolandgeider commented 1 year ago

See #1181

When returning the image URL over the API, we must prepend/use SITE_URL, otherwise this won't work, e.g. when using the docker compose setup, where the internal URL is http://localhost/media/123 but from the outside we need to use the configured TLD or at least the IP.

rolandgeider commented 1 year ago

@mohammadrafigh are the exercise images loaded correctly when you set MEDIA_URL=https://your.tld/media/ in the prod.env? You might also need to reduce the cache time EXERCISE_CACHE_TTL to something like 10 just to make

mohammadrafigh commented 1 year ago

Nope not working. Both SITE_URL and MEDIA_URL are ignored.

mohammadrafigh commented 1 year ago

Ta da! I found the problem, actually it was my fault, I forgot to send the Host header from my reverse proxy to the wger backend.

proxy_set_header Host $host;

Although I think it's just a workaround for web, the mobile app still doesn't show the images because the host is different. I can set the host manually in nginx. But the correct way to handle it is using SITE_URL or MEDIA_URL for images, so I suggest keeping this issue open.

Thanks for your support
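
The two approaches discussed in this issue, side by side, as an added Python example (not wger's code): Django's `request.build_absolute_uri()` takes the host from the incoming request, so a proxy that does not forward `Host` produces internal URLs, while a URL built from configuration is the same for web and mobile clients. The function names and the sample file name are hypothetical; `SITE_URL` and `MEDIA_URL` use the values from the prod.env quoted further down this page.

```python
from urllib.parse import quote, urljoin, urlsplit

# Constructed values mirroring the prod.env quoted in this thread.
SITE_URL = "https://wger.mydomain.com"
MEDIA_URL = "https://wger.mydomain.com/media/"


def url_from_request(scheme, host_header, path):
    """Request-derived URL: whatever Host the backend received ends up in the response."""
    return f"{scheme}://{host_header}{path}"


def media_base(site_url=SITE_URL, media_url=MEDIA_URL):
    """Absolute media base; a relative MEDIA_URL such as /media/ is joined onto SITE_URL."""
    base = urljoin(site_url.rstrip("/") + "/", media_url)
    parts = urlsplit(base)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"media base is not an absolute http(s) URL: {base!r}")
    return base if base.endswith("/") else base + "/"


def url_from_settings(name, site_url=SITE_URL, media_url=MEDIA_URL):
    """Settings-derived URL for a stored file name; the request is never consulted."""
    if name.startswith("/") or ".." in name.split("/"):
        raise ValueError(f"unexpected media file name: {name!r}")
    # quote() also escapes ':' so a name can never be parsed as its own scheme/host
    return urljoin(media_base(site_url, media_url), quote(name))


def is_public_url(url, site_url=SITE_URL):
    """Check for API responses: scheme and host must match the configured SITE_URL."""
    got, want = urlsplit(url), urlsplit(site_url)
    return (got.scheme, got.netloc.lower()) == (want.scheme, want.netloc.lower())


if __name__ == "__main__":
    name = "exercise-images/123/sample.png"  # constructed file name
    # Proxy forwards without "proxy_set_header Host $host;": backend sees localhost
    internal = url_from_request("http", "localhost", "/media/" + name)
    print(internal, is_public_url(internal))
    fixed = url_from_settings(name)
    print(fixed, is_public_url(fixed))
```

`is_public_url` assumes media is served from the same origin as `SITE_URL`; with a separate media host, compare against `MEDIA_URL` instead.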

rolandgeider commented 1 year ago

yeah, we definitely want a real solution here

rolandgeider commented 1 year ago

can you check again if MEDIA_URL is ignored? When I set it to something like MEDIA_URL=http://127.0.0.1/media/ the images are returned from there

mohammadrafigh commented 1 year ago

Yes, updated the docker image to the latest, and the problem still persists. Even worse, for some reason the nginx proxy header proxy_set_header Host $host; is not working anymore. Here are my whole configuration files if it helps:

config/prod.env

# Django's secret key, change to a 50 character random string if you are running
# this instance publicly. For an online generator, see e.g. https://djecrety.ir/
SECRET_KEY=my_secret_key

# Signing key used for JWT, use something different than the secret key
SIGNING_KEY=my_signing_key

# The 'from' address used when sending emails
FROM_EMAIL=apps@mydomain.com

# The server's timezone, for a list of possible names:
# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
TIME_ZONE=Europe/Stockholm

#
# These settings usually don't need changing
#

#
# Application
ALLOW_REGISTRATION=False
ALLOW_GUEST_USERS=False
ALLOW_UPLOAD_VIDEOS=True
# Note that setting these to true will always perform a sync during startup,
# even if the data is already current and will take some time. Usually you don't
# need to perform these steps so often and a manual trigger (see README) is
# usually enough.
SYNC_EXERCISES_ON_STARTUP=False
DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP=False

#
# Database
DJANGO_DB_ENGINE=django.db.backends.postgresql
DJANGO_DB_DATABASE=wger
DJANGO_DB_USER=wger
DJANGO_DB_PASSWORD=my_db_password
DJANGO_DB_HOST=db
DJANGO_DB_PORT=5432
# Perform any new database migrations on startup
DJANGO_PERFORM_MIGRATIONS=True

#
# Cache
DJANGO_CACHE_BACKEND=django_redis.cache.RedisCache
DJANGO_CACHE_LOCATION=redis://cache:6379/1
# 60*60*24*15, 15 Days
DJANGO_CACHE_TIMEOUT=1296000
DJANGO_CACHE_CLIENT_CLASS=django_redis.client.DefaultClient

#
# Brute force login attacks
# https://django-axes.readthedocs.io/en/latest/index.html
AXES_ENABLED=False
AXES_FAILURE_LIMIT=10
# in minutes
AXES_COOLOFF_TIME=30
AXES_HANDLER=axes.handlers.cache.AxesCacheHandler

#
# Others
DJANGO_DEBUG=False
WGER_USE_GUNICORN=True
EXERCISE_CACHE_TTL=10
SITE_URL=https://wger.mydomain.com
MEDIA_URL=https://wger.mydomain.com/media/

#
# JWT auth
# The lifetime duration of the access token, in minutes
ACCESS_TOKEN_LIFETIME=10
# The lifetime duration of the refresh token, in hours
REFRESH_TOKEN_LIFETIME=24

#
# Other possible settings

# RECAPTCHA_PUBLIC_KEY
# RECAPTCHA_PRIVATE_KEY
# NOCAPTCHA

# https://docs.djangoproject.com/en/4.1/topics/email/#smtp-backend
ENABLE_EMAIL=True
EMAIL_HOST=mail.mydomain.com
EMAIL_PORT=465
EMAIL_HOST_USER=apps
EMAIL_HOST_PASSWORD=my_password
EMAIL_USE_TLS=True
EMAIL_USE_SSL=False

# DJANGO_MEDIA_ROOT
# DJANGO_STATIC_ROOT

And my nginx reverse proxy:

server {
    server_name wger.mydomain.com;

    location / {
        proxy_pass http://localhost:8081;
        proxy_set_header Host $host;
    }

    # Increase max body size to allow for video uploads
    client_max_body_size 100M;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/wger.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/wger.mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = wger.mydomain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name wger.mydomain.com;

    listen [::]:80 ipv6only=on;
    listen 80;
    return 404; # managed by Certbot

}

rolandgeider commented 1 year ago

Can you check if https://github.com/wger-project/docker/issues/46 is the same problem you have?

mohammadrafigh commented 1 year ago

Nope, I don't get CORS or CSRF errors. My URLs are broken. Weren't you able to reproduce this problem with docker?
