Preserve protocol from client #22
Comments
|
Let me look into this again... I sware it fixes adn comes back |
|
There may be a mirror hardcoded to a protocol, or redirecting rather our tool |
|
Jep, known and expected, still, sadly. I just reloaded the uWSGI server and now it should work. But after some hours it will again fail. As discussed earlier in related issues and discord, it seems to be some response caching. Since Armbian ships images with plain HTTP in APT sources, nearly all answers will contain the plain HTTP URL, and after a while the cache (presumably) serves the same plain HTTP URLs as well when the request actually was via HTTPS. I didn't find time to look into the used Docker container, but since it is a 4 stage request handling (host Nginx => container Nginx => uWSGI => flask), all of them need to be checked for possible caches. The logic in the flask app is definitely correct, which is proven by the fact that after a reload it works as expected for some hours. |
|
ahh okay.. sounds like I need to run this app in a different base container... aka... no nginx.. just uwsgi... or gnuicorn. |
|
that will simplify the first part..and make it user to tune the appserver layer |
|
If I remember right, the used Docker container has Nginx right included: https://github.com/tiangolo/uwsgi-nginx-flask-docker The container's Nginx would then basically be unused, probably its startup can be prevented when starting the container. EDIT: Ah sorry your idea was to use different base container. The above could be tests whether skipping the additional Nginx helps with the issue, but indeed a container which doesn't ship the Nginx proxy in the first place would be cleaner 👍. |
that was seconds ago. not behind a proxy or anything else that could interfere, it's the webserver at i've done it a number of times now today, there is currently seemingly no redirect entry that correctly redirects from https to https. here are the ones i found in my backlog i've seen at least 2 more but i can't find them in the backlog, sorry. the my interim solution is to just use N.B. in my |
|
@BloodyNora |
|
@MichaIng can confirm it works as of now. thank you very much! |
|
No need to thank me, it will break itself soon 😅. But it's good to have this once verified by someone else. I'll have another look into the container tomorrow to see whether I can find any caching instance/setting. |
Hey @MichaIng I swapped out the container runtime to https://hub.docker.com/r/tiangolo/meinheld-gunicorn/ Seems to be behaving... I also noticed some lookups were failing when sites were sending proxy headers. causing a list of IPs to be sent to the redirector.... so i fixed that in nginx as well |
|
since no longer using uwsgi. need to change how the reload function something like |
|
Great, I'll test it a few times throughout the day to assure the caching issue is gone.
When doing so, maybe add some kind of authentication of access limit 😉. EDIT: Hmm, sadly it doesn't work again: While the client request scheme and IP is detected correctly (same as before): If you switched out the container, maybe then the host Nginx is the issue? I know it is not great to experiment with a live production server, but could you try to stop the hosts Nginx and expose the containers ports at 80+443 directly on the host? Of course this would mean that it handles HTTPS by itself, not sure if it can be configured to do so and then starting it with Or it is flask itself which starts response caching after hitting a certain amount of those, sadly ignoring the response headers? For debugging it could be also beneficial to add the |
|
Currently it won't work so that's some defense.
I added a reload command to the systemd unit for the daemon that sends HUP
signal and it seems to reload properly.
I should just deprecate function
…On Sun, Nov 28, 2021, 8:47 AM MichaIng ***@***.***> wrote:
Great, I'll test it a few times throughout the day to assure the caching
issue is gone.
since no longer using uwsgi. need to change how the reload function
When doing so, maybe add some kind of authentication of access limit 😉.
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#22 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABEVNQAA6UBEECYQYDXY7NDUOIXETANCNFSM5H64TCVQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
Makes sense, as long as you have direct server access, no need for such an API. |
|
Btw it now works here. Did you reload/restart the service/container/server recently? I opened a PR with a quick debugging code: #23 |
|
before I merge that.... want to test what i just rolled out now running single worker process with single thread... (it still handled 500 req/sec no problem) If the issue re-occurs we'll know to keep troubleshooting flask and python. This will eliminate all variables around multiple instances of the script running monitoring with this |
|
Yes definitely makes sense to verify that the issue is still present. Also probably it's better to copy&paste the little code change manually instead of merging this into production branch, as it is meant for debugging only, and if wanted, could be implemented a more efficient way, I think. EDIT: Ah, hehe here now I get |
|
Yeah should just make it a branch
…On Sun, Nov 28, 2021, 12:17 PM MichaIng ***@***.***> wrote:
Yes definitely makes sense to verify that the issue is still present. Also
probably it's better to copy&paste the little code change manually instead
of merging this into production branch, as it is meant for debugging only,
and if wanted, could be implemented a more efficient way, I think.
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#22 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABEVNQH6TNF7CUCPITYA7GLUOJP3JANCNFSM5H64TCVQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
I lost my monitoring task :( anyway yeah it's back.. sooo it doesnt' seem to be a threading issue.. so time to look closer at the code. |
|
i've reloaded for now |
|
FYI, it's already gone again. since this thread is getting longer and longer now and nobody ever reads a full thread, please see here for an interim solution: #22 (comment) |
This is mainly for debugging: #22 Signed-off-by: MichaIng <micha@dietpi.com>
|
Sadly not 😢: With the header being set, did you see it failing as well? I was thinking whether adding the header may have an effect on whichever cache is still kicking in here. At least yesterday, after you deployed the PR with the header, it worked. I just didn't have a chance to test again some hours later. |
|
Blerg yeah I saw this morning
…On Sun, Dec 5, 2021, 9:14 AM MichaIng ***@***.***> wrote:
Sadly not 😢:
# curl -I https://apt.armbian.com
HTTP/2 302
server: nginx/1.18.0 (Ubuntu)
date: Sun, 05 Dec 2021 14:13:32 GMT
content-type: text/html; charset=utf-8
content-length: 258
location: http://armbian.12z.eu/apt/
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#22 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABEVNQD3DDOHW56A5CL3K5DUPNXSLANCNFSM5H64TCVQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
I tried to find info about Flask caching, but while there is a dedicated Flask cache module and of course response headers for browser caching can be set, this all does not apply here. Could you re-add the scheme response header, just to see whether it keeps matching the redirect scheme or not? And if there is any caching layer setting up different cached instances based on it, it may even help. But actually I'm pretty out of ideas at which layer this caching is done, and whether "caching" is even the right word to describe it 😄. Shall we try to get some external help, on Super User, Stack Overflow, Flask repository or so? |
|
Yeah I'll re-add. But earlier when the bug occurred.. the header showed
the correct scheme despite returning the wrong result.
…On Sun, Dec 5, 2021, 12:52 PM MichaIng ***@***.***> wrote:
I tried to find info about Flask caching, but while there is a dedicated
Flask cache module and of course response headers for browser caching can
be set, this all does not apply here. Could you re-add the scheme response
header, just to see whether it keeps matching the redirect scheme or not?
And if there is any caching layer setting up different caching instances
based on it, it may even help. But actually I'm pretty out of ideas at
which layer this caching is done, and whether "caching" is even the right
word to describe it 😄.
Shall we try to get some external help, on Super User
<https://superuser.com/>, Stack Overflow <https://stackoverflow.com/>, Flask
repository <https://github.com/pallets/flask/issues> or so?
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#22 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABEVNQBQ5LZYLKIFIT7Z75TUPORGZANCNFSM5H64TCVQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
Was this before or after you moved the |
|
This was when I had you're debugging from #23 and before I added my changes
…On Sun, Dec 5, 2021, 3:16 PM MichaIng ***@***.***> wrote:
But earlier when the bug occurred.. the header showed
the correct scheme despite returning the wrong result.
Was this before or after you moved the get_scheme() call into the main
route? Reasonable step when resp.headers['X-Request-Scheme'] =
get_scheme() lead to a different scheme shown in the header header than
what get_redirect() obviously got internally. Would be interesting to see
whether the same variable derived from the same single get_redirect()
call applied once as header and then passed to get_redirect() still can
lead to different schemes in the response. That would be very strange. Only
left would then be to verify that mirror_url = mirror_class.next(region)
keeps getting mirrors without scheme or whether if for magical reasons
suddenly contains schemes, so that the client request scheme is simply not
used 😄.
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#22 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABEVNQBJTG3E3OXDFJXDRVDUPPCCTANCNFSM5H64TCVQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
Makes sense. Let's see what effect both changes have. |
|
https://github.com/armbian/dl-router/blob/master/app/main.py#L100 i feel like we're hitting an edge case here. im wondering if get_redirect isn't returning a scheme at all, and flask or the server is nice enough to add http to make it a valid redirect |
|
@MichaIng okay running on this now https://github.com/armbian/dl-router/tree/pass_scheme |
|
A mismatch indeed/still: So we have two scheme = get_scheme()
resp = redirect(get_redirect(path, get_ip(), scheme), 302)
resp.headers['X-Request-Scheme'] = scheme
return respI do not believe that |
|
Yeah I was just grasping at straws. Looks like it made it 8 hours before
failing lol
…On Mon, Dec 6, 2021, 7:08 AM MichaIng ***@***.***> wrote:
A mismatch indeed:
# curl -I https://apt.armbian.com
HTTP/2 302
server: nginx/1.18.0 (Ubuntu)
date: Mon, 06 Dec 2021 11:58:40 GMT
content-type: text/html; charset=utf-8
content-length: 264
location: http://mirror.armbian.de/apt/
x-request-scheme: https
So we have two get_scheme right after another but either giving different
results or more likely get_redirect doesn't really respect it. Last idea
to show this more explicit would be:
scheme = get_scheme()
resp = redirect(get_redirect(path, get_ip(), scheme), 302)
resp.headers['X-Request-Scheme'] = scheme
return resp
I do not believe that mirror_url.find('://', 3, 8) or mirror_url.count('://',
2, 8) were the issue or do make any difference, since both works for some
hours reliably and the logic is simple and clear. But I have no other
explanation either 🤔.
—
You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
<#22 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABEVNQF5BZU7BT2QK7AKK3DUPSRR3ANCNFSM5H64TCVQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
|
gonna be busy for rest of week.. i've made a bandaid script that polls every 30 minutes, and if it returns the wrong result it reloads.... and also sends me a notification 😬 |
|
After scratching surface with unit tests and switching to urlsplit per advise of a friend, I don't think get_redirect() is directly the culprit |
My apt source list on Armbian uses the HTTPS version of apt.armbian.com.
However, I am sometimes redirected to a mirror using HTTP, which APT does not allow, and then I get the error:
I saw this PR which should correct the problem, however it doesn't seem to work: #14
To check I simply make requests with Curl on https://apt.armbian.com and get redirects either in https or in http :
Is there something that I misunderstood, or is there a problem?
Thank you for your help !
The text was updated successfully, but these errors were encountered: