[Bug] Some asset paths not correct when using reverse proxy

[pvannierop]

Hello and thank you for your application!

Problem

I experience a problem with HistomicsUI when deploying behind a reverse proxy. While most static assets load correctly, the following assets do not respect the new context root of girder:

• /static/built/assets/Girder_Mark-6719b633.png
• /static/built/assets/open-sans-latin-400-33543c5c.woff2
• /static/built/assets/open-sans-latin-700-0edb7628.woff2
• /static/built/assets/fontello-61712e8f.woff2
• /static/built/assets/open-sans-latin-400italic-b61a9055.woff2

In the image below you can see that the me enpoint and Girder_Favicon.png asset are correctly accessed at the https://localhost/dsa/girder/api/v1/user/me and https://localhost/dsa/girder/static/built/Girder_Favicon.png paths, respectively. The problematic assets mentioned above are incorrectly accessed at path https://localhost/static/built/assets (notice missing /dsa/girder part). Note: the redirection is caused by my security setup.

I confirm the problematic assets to be present at expected location after manual update of the path. For instance for https://localhost/dsa/girder/static/built/assets/Girder_Mark-6719b633.png:

I presume that somewhere the HistomicsUI code does not consistently incorporate girder configuration options.

Configuration

Apache config

Listen 80
Listen 443

<VirtualHost *:80>
  ServerName ${APACHE_PROXY_HOSTNAME}
  Redirect / https://${APACHE_PROXY_HOSTNAME}/
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /etc/ssl/cbio_https/cert.crt
  SSLCertificateKeyFile /etc/ssl/cbio_https/key.key
  ServerName ${APACHE_PROXY_HOSTNAME}

  Header always set Strict-Transport-Security "max-age=15768000"

  ErrorLog /tmp/cbio_https_error.log
  LogLevel warn
  CustomLog /tmp/cbio_https_access.log combined

  ProxyRequests Off

  ProxyPass /dsa http://dsa-girder:8080/
  ProxyPassReverse /dsa http://dsa-girder:8080/

  ProxyPreserveHost On

  <Location "/">
    AuthType None
    Require all granted
  </Location>

</VirtualHost>

Girder config

[global]
server.socket_host = "0.0.0.0"
server.max_request_body_size = 1073741824
tools.proxy.on = True

[server]
api_root = "/dsa/girder/api/v1"
static_public_path = "/dsa/girder/static"

[database]
uri = "mongodb://dsa-mongodb:27017/girder"

[logging]
log_access = ["screen", "info"]
log_root = "/logs"

[large_image]
cache_backend: "memcached"
cache_memcached_url: "memcached"
cache_memcached_username: None
cache_memcached_password: None

[cache]
enabled: True

Docker compose file

Note: This compose file extends other compose files not shown here

version: '2.4'
networks:
  dsa-net:
    name: dsa-net

services:

  apache-proxy:
    networks:
      - dsa-net

  dsa-girder:
    networks:
      - dsa-net
    build:
      context: https://github.com/DigitalSlideArchive/digital_slide_archive.git#:devops/dsa
    container_name: dsa-girder
    privileged: true
    # Set CURRENT_UID to your user id (e.g., `CURRENT_UID=$(id -u):$(id -g)`)
    # so that assetstores and logs are owned by yourself.
    user: ${CURRENT_UID}
    restart: unless-stopped
    environment:
      - GIRDER_CONFIG=/conf/girder.local.conf
    command: bash -c 'python /conf/girder_config.py && girder mount /fuse && girder serve'
    volumes:
      # Default assetstore
      - ./service/dsa:/conf # Location of girder.local.conf and girder_config.py
      - ./assetstore:/assetstore
      - ./log:/logs
      - /usr/bin/docker:/usr/bin/docker:ro
      - /var/run/docker.sock:/var/run/docker.sock
      # Needed to mount remote assetstores as if they were filesystems (i.e.,
      # to work fully with S3)
      - /etc/passwd:/etc/passwd:ro
    depends_on:
      - dsa-mongodb
      - dsa-memcached
      - dsa-rabbitmq
  dsa-mongodb:
    networks:
      - dsa-net
    image: "mongo:latest"
    container_name: dsa-mongodb
    user: ${CURRENT_UID}
    restart: unless-stopped
    # TODO fix logging
#    command: --nojournal --logpath /var/log/mongodb/mongodb.log
    command: --nojournal
    volumes:
      - ../dsa_mongodb_files/:/data/db
#      - ./log:/var/log/mongodb
  dsa-memcached:
    networks:
      - dsa-net
    image: memcached
    container_name: dsa-memcached
    command: -m 4096
    restart: unless-stopped
  dsa-rabbitmq:
    networks:
      - dsa-net
    image: "rabbitmq:latest"
    container_name: dsa-rabbitmq
    restart: unless-stopped
    healthcheck:
      test: [ "CMD", "nc", "-z", "localhost", "5672" ]
      interval: 10s
      timeout: 10s
      retries: 5
  dsa-worker:
    networks:
      - dsa-net
    build:
      context: https://github.com/DigitalSlideArchive/digital_slide_archive.git#:devops/dsa
    container_name: dsa-worker
    privileged: true
    # TODO user permission management?
#    user: ${CURRENT_UID:-1001}
    restart: unless-stopped
    command: |
      bash -c "TEMP=${TEMP:-/tmp} python -m girder_worker --concurrency=2 -Ofair --prefetch-multiplier=1 >>/logs/worker.log 2>&1"
    volumes:
      # Location to store logs
      - ./service/dsa/worker.local.cfg:/usr/local/lib/python3.7/site-packages/girder_worker/worker.local.cfg:ro
      - ./log:/logs
      - /usr/bin/docker:/usr/bin/docker:ro
      - /var/run/docker.sock:/var/run/docker.sock
      # Needed to allow transferring data to slicer_cli_web docker containers
      - ${TEMP:-/tmp}:${TEMP:-/tmp}
    environment:
      - C_FORCE_ROOT=true
    depends_on:
      dsa-rabbitmq:
        condition: service_healthy