-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added initial support for tusd #341
Conversation
Ah! I have been using |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, very happy you've got it (almost) working, save for me being unable to write correct docs :)
- "1080" | ||
- "-upload-dir={{ .Values.persistence.mountPath }}/tmp" | ||
- '-hooks-http=http://{{ include "galaxy.fullname" . }}-nginx:{{ .Values.service.port }}{{ template "galaxy.add_trailing_slash" .Values.ingress.path }}api/upload/hooks' | ||
- "-hooks-http-forward-headers=X-Api-Key,sessioncookie" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- "-hooks-http-forward-headers=X-Api-Key,sessioncookie" | |
- "-hooks-http-forward-headers=X-Api-Key,Cookie" |
proxy_set_header X-Forwarded-Proto $scheme; | ||
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "upgrade"; | ||
client_max_body_size {{ .Values.nginx.conf.client_max_body_size }}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should be 0, a well-behaved client shouldn't send a body to api/upload/resumable_upload
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Although there's probably no harm in it, I took this directly from https://github.com/tus/tusd/blob/master/examples/nginx.conf#L65
@mvdbeek The
The content of the upload dir does not have resumable_upload prefixed in front.
|
Another doc problem ... sorry! |
proxy_set_header Upgrade $http_upgrade; | ||
proxy_set_header Connection "upgrade"; | ||
client_max_body_size {{ .Values.nginx.conf.client_max_body_size }}; | ||
proxy_pass http://{{ template "galaxy.fullname" . }}-tusd:1080/files/; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
proxy_pass http://{{ template "galaxy.fullname" . }}-tusd:1080/files/; | |
proxy_pass http://{{ template "galaxy.fullname" . }}-tusd:1080/files; |
I also ran into the same thing and then didn't update the docs ...
a2d8597
to
248fc0d
Compare
@mvdbeek Works great now, thanks! One thing I noticed was that uploads that had failed prior to these changes can still not be uploaded. But files that are successful can be. On the k8s side, we are still double proxied, so I may take a crack at exposing tusd directly over k8s ingress, instead of making it double proxied through the internal galaxy nginx. Also, this only works for authenticated users right? Anonymous users still go through the previous mechanism? |
Did you click on reset in the upload box ? It did work for me locally, but you do have to reset the upload box
No, it also works for anonymous (i.e not logged in) users via the session cookie. You just can't send upload requests when you haven't gotten a session cookie (or an API key) first. If you want to open uploads up completely without any checks you could skip the |
@mvdbeek |
Hmm, in both cases you have a sessioncookie, so that's all the formal requirements. But I see we do some additional logic that might disable chunked uploads. galaxyproject/galaxy@5f926d9 might fix this (I haven't tested it yet) |
@mvdbeek Some additional data about the failure of previously failed files.
|
Another question, if anonymous access is disabled, but a malicious user nevertheless directly accesses the tusd resumable_upload endpoint, does the http hook get triggered at that point and auth validated? Is the hook endpoint |
Yes, it's tusd that controls the hook. So even if you say break out from an IT and manage to get access to the internal tusd url the hook will run (and fail if you don't provide a valid API key / session key).
Not for the current functionality. The only purpose of the endpoint is checking that either a valid api key or session id is in use. If the hook endpoint returns 403, as it would for an unauthorized user, tusd will not accept the requests. We could even use something like the existing |
Yeah, I also noticed this just now. It seems to be quite selective about the file in question, which is weird. That is probably a client or nginx problem. |
Yep, a missing slash in the client 😆 ... and this was only a problem for the HEAD requests that check if an upload had already been created. |
This builds on @mvdbeek's fantastic work on integrating tus with Galaxy: galaxyproject/galaxy#12656, by addingthe tusd daemon as an out-of-the-box component in the helm chart.
Things are at a point where tusd is receiving the requests, but something is slightly amiss with auth handling:
session cookie not getting forwarded perhaps? Ping @mvdbeek