Issues with reverse proxy and serving from subdirectory.

[sonicnkt]

I added the following config option to solving issues using nginx as reverse proxy and serving the app in the subdirectory like subdomain.example.com/glauth:

SERVER_NAME = os.environ.get('BASE_URL')

I still cant get this to work tho and only getting 404 erros when trying to access anything.
Any help on this would be very much appreciated :)

I tried:

server {
    listen 443 ssl http2;
    server_name subdomain.example.com;

    include /etc/nginx/ssl-stuff.conf;
    add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options              SAMEORIGIN;
    add_header X-Content-Type-Options       nosniff;
    add_header X-XSS-Protection             "1; mode=block";


    client_max_body_size 100M;

    location ~/glauth(.*) {
        proxy_pass http://127.0.0.1:3005$1;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_set_header    Host                $host;
        proxy_set_header    X-Forwarded-Host    $host;
        proxy_set_header    X-Forwarded-Port    $server_port;

        }
}

as well as

  location /glauth/ {
        proxy_pass http://127.0.0.1:3005$1;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_set_header    Host                $host;
        proxy_set_header    X-Forwarded-Host    $host;
        proxy_set_header    X-Forwarded-Port    $server_port;

        }

Settings the SERVER_NAME to subdomain.example.com/glauth makes the all links look correct but it still results in 404 errors. Without the subdirectory everything works without any issues even without the server_name set.

The issues is probably with some of the proxy_header settings but i dont have much experience with this.

[traverseda]

Are you setting APPLICATION_ROOT in flask?

[traverseda]

Also @sonicnkt feel free to ping me if you have a question like this, I have a fair bit of experience with python/flask and I'd like to support this project. Didn't see this issues until now though.

[sonicnkt]

hehe i had not and stumbled upon this setting a few days ago. Didnt have time to test this yet tho. I will try this in the next few days and report back. If i cant get it to work i will gladly ask you for more support :)

[traverseda]

Be aware that if you're trying to use cookie sub-domains (so you can use an example.com cookie on foo.example.com) it's not going to work on localhost based domains. I think a bunch of people would probably want to use this on localhost, so it's something to be aware of.

Traefik will proxy the glauth server instead of the forbidden server when using it's "Authentication Based on Subrequest Result" equivalent, there might be a way to set up nginx similarly. I'm a bit tied in to traefik for complicated reasons, but the forward_auth stuff I'm working on assumes that glauth is proxied instead of the app we want to authenticate for.

Or it could be that you're doing this for some entirely different reason that has nothing to do with cookie domains, in which case ignore all that.

[sonicnkt]

Finally figured this out...
And yeah this is completely unrelated to cookies and i just didn't want to serve the ui in the root of my domain but from a subdirectory.

Since we are using gunicorn for deployment this is completely configured outside of flask and no SERVER_NAME or APPLICATION_ROOT needs to be manually set if you have correct proxy forwarding working. You only have to tell gunicorn that it should serve this from a subdirectory/prefix.

To get this working add the SCRIPT_NAME environment variable to the docker-compose.yml, for example:

SCRIPT_NAME=/account

And configure your proxy like this (nginx):

server {
    listen 443 ssl http2;
    server_name subdomain.example.com;

    include /etc/nginx/ssl-stuff.conf; # SSL Certificates, keys etc

    add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options              SAMEORIGIN;
    add_header X-Content-Type-Options       nosniff;
    add_header X-XSS-Protection             "1; mode=block";

    ... your other locations ...
 
  location /account/ {
        proxy_pass http://127.0.0.1:3005/account/;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto   $scheme;
        proxy_set_header    Host                $host;
        proxy_set_header    X-Forwarded-Host    $host;
        proxy_set_header    X-Forwarded-Port    $server_port;

        }
}

It is important that you also set the path/prefix in the proxy_pass setting.
After this everything works fine and you can access https://subdomain.example.com/account/, all generated urls are correct.