Nomad: Nomad UI under a reverse proxy subdirectory

Created on 8 May 2020  路  4Comments  路  Source: hashicorp/nomad

Nomad version

Nomad v0.10.4 (f750636ca68e17dcd2445c1ab9c5a34f9ac69345)

Operating system and Environment details

Windows 10, nginx/1.17.1

Issue

I am trying to get Nomad UI working under a reverse Proxy subdirectory. When it comes to reverse proxy, I followed the steps from this nice article provided by you guys: https://learn.hashicorp.com/nomad/operating-nomad/nginx-reverse-proxy

When I host it under the / location it is no problem. Everything works exactly as decribed on the article.

The trouble starts when I try to host it on another location, '/nomad/' for example. WHat happens on that case is that it seems that the UI from nomad tries to get the resources always from http://localhost/ui, when the expected would be http://localhost/nomad/ui

Would you kindly assist me on the steps I should do to get it working under a reverse proxy subdirectory?

Reproduction steps

My NGINX Config is similar to:

location /Nomad/ { 
   if ($request_uri ~* "/Nomad/(.*)") {
      proxy_pass http://127.0.0.1:4646/$1;
   }            
   proxy_pass http://127.0.0.1:4646;
   proxy_buffering                    off;
   proxy_set_header Host              $http_host;
   proxy_set_header X-Real-IP         $remote_addr;
   proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
   proxy_set_header Upgrade           $http_upgrade;
   proxy_set_header Connection     $http_connection;
   proxy_set_header X-Forwarded-Path  /Nomad;
}

Redirects(in Chrome))

When I get to https://localhost/Nomad, the following events happens:
1.
Request URL: https://localhost/Nomad
Request Method: GET
Status Code: 301 Moved Permanently
Remote Address: [::1]:443
Referrer Policy: no-referrer-when-downgrade

2.
Request URL: https://localhost/Nomad/
Request Method: GET
Status Code: 307 Temporary Redirect
Remote Address: [::1]:443
Referrer Policy: no-referrer-when-downgrade

3.
Request URL: https://localhost/ui/
Request Method: GET
Status Code: 404 Not Found
Remote Address: [::1]:443
Referrer Policy: no-referrer-when-downgrade

As you probaly noticed, after the 307, it tries to reach the /ui, which does not exists and end up with a 404 error...

stagaccepted themui typenhancement
Source
picture pcbl
👍1

Most helpful comment

This is a duplicate of #4479 and #6413.

It's absolutely something we need to get to, but I can't promise a date or a release.

picture DingoEatingFuzz on 9 May 2020
👍5

All 4 comments

Hi @pcbl! The redirect does a hard-coded redirect to /ui, which isn't ideal. You could intercept / in Nginx and rewrite it yourself to avoid that. But it looks like even if you did, you'd run into API calls to /v1/.... I took a look at the HTP server code and it seems we have root paths hard-coded to /ui and /v1.

I'm not sure this is a configuration that can work currently. I'd recommend using a subdomain specific to the Nomad cluster for this use case (which is also better for security because then tokens are scoped to Nomad alone!). But I'm going to tag-in @DingoEatingFuzz here to see if he has more clever ideas than I do.

We could solve for this case in Nomad by adding some kind of "API prefix" configuration flag, but you'd need to have all command line clients configured with the same prefix for the API, so that's a bit of a burden on operators.

tgross picture tgross on 8 May 2020

Hi @tgross , thanks for your feedback.

To be honest I have tried handling also the /ui and so on but as you suspected I saw the /v1 and so on, which I kind of saw it was a not-nice approach.

During my research on this matter, I even saw that for consul there麓s indeed a parameter named -ui-content-path (https://github.com/hashicorp/consul/blob/6adad711255dccc13263b82f8f5aba7a87d42d19/agent/config/flags.go#L116) , but this seems to be not available for nomad... Or Maybe I am missing something?

Another option I have seen related to the project "hashi-ui", but I think this is not directly provided by hashicorp... The parameter is this one

PROXY_ADDRESS | proxy-address | | (optional) The base URL of the UI when running behind a reverse proxy (ie: example.com/nomad/)
-- | -- | -- | --

https://github.com/jippi/hashi-ui/blob/6c9620c05948960f8f6d46bdf91ac955009804af/README.md

pcbl picture pcbl on 8 May 2020

This is a duplicate of #4479 and #6413.

It's absolutely something we need to get to, but I can't promise a date or a release.

DingoEatingFuzz picture DingoEatingFuzz on 9 May 2020
👍5

have the same issue

Oloremo picture Oloremo on 23 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mlafeldt picture mlafeldt  路  3Comments
Smuerdt picture Smuerdt  路  3Comments
joliver picture joliver  路  3Comments
mancusogmu picture mancusogmu  路  3Comments
leowmjw picture leowmjw  路  3Comments