RHOAIENG-34310: support odh gateway auth with adjusting code-server and rstudio nginx (opendatahub-io#2585)

harshad16 · web-flow · commit ced6344169f5 · 2025-10-17T11:31:04.000+02:00
* support odh gateway auth with adjusting code-server and rstudio nginx

Signed-off-by: Harshad Reddy Nalla &lt;hnalla@redhat.com&gt;

* removed redudant fallback location

Signed-off-by: Harshad Reddy Nalla &lt;hnalla@redhat.com&gt;

---------

Signed-off-by: Harshad Reddy Nalla &lt;hnalla@redhat.com&gt;
diff --git a/codeserver/ubi9-python-3.12/nginx/serverconf/proxy.conf.template_nbprefix b/codeserver/ubi9-python-3.12/nginx/serverconf/proxy.conf.template_nbprefix
@@ -2,12 +2,12 @@
 # api calls from probes get to code-server /healthz endpoint
 ###############
 location = ${NB_PREFIX}/api {
-    return 302  /codeserver/healthz/;
+    return 302  ${NB_PREFIX}/codeserver/healthz/;
     access_log  off;
 }
 
 location ${NB_PREFIX}/api/ {
-    return 302  /codeserver/healthz/;
+    return 302  ${NB_PREFIX}/codeserver/healthz/;
     access_log  off;
 }
 ###############
@@ -16,12 +16,12 @@ location ${NB_PREFIX}/api/ {
 # api calls from culler get to CGI processing
 ###############
 location = ${NB_PREFIX}/api/kernels {
-    return 302 $custom_scheme://$http_host/api/kernels/;
+    return 302 $custom_scheme://$http_host${NB_PREFIX}/api/kernels/;
     access_log  off;
 }
 
 location ${NB_PREFIX}/api/kernels/ {
-    return 302 $custom_scheme://$http_host/api/kernels/;
+    return 302 $custom_scheme://$http_host${NB_PREFIX}/api/kernels/;
     access_log  off;
 }
 
@@ -39,32 +39,34 @@ location /api/kernels/ {
 ###############
 # root and prefix get to code-server endpoint
 ###############
-location = ${NB_PREFIX} {
-    return 302 $custom_scheme://$http_host/codeserver/;
-}
-
-location ${NB_PREFIX}/ {
-    return 302 $custom_scheme://$http_host/codeserver/;
+location ${NB_PREFIX} {
+    return 302 $custom_scheme://$http_host${NB_PREFIX}/codeserver/;
 }
 
 location = /codeserver {
-    return 302 $custom_scheme://$http_host/codeserver/;
+    return 302 $custom_scheme://$http_host${NB_PREFIX}/codeserver/;
 }
 
 location = / {
-    return 302 $custom_scheme://$http_host/codeserver/;
+    return 302 $custom_scheme://$http_host${NB_PREFIX}/codeserver/;
 }
 
-location /codeserver/ {
-    rewrite ^/codeserver/(.*)$ /$1 break;
-    # Standard RStudio/NGINX configuration
+location ${NB_PREFIX}/codeserver/ {
+    rewrite ^${NB_PREFIX}/codeserver/(.*)$ /$1 break;
+    # Standard code-server/NGINX configuration
     proxy_pass http://workbench_server/;
     proxy_http_version 1.1;
-
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection $connection_upgrade;
     proxy_read_timeout 20d;
+
+    # Needed to make it work properly
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $custom_scheme;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-NginX-Proxy true;
+    proxy_redirect off;
 
     access_log /var/log/nginx/codeserver.access.log json if=$loggable;
 }
diff --git a/codeserver/ubi9-python-3.12/run-nginx.sh b/codeserver/ubi9-python-3.12/run-nginx.sh
@@ -18,7 +18,11 @@ fi
 if [ -z "$NB_PREFIX" ]; then
     cp /opt/app-root/etc/nginx.default.d/proxy.conf.template /opt/app-root/etc/nginx.default.d/proxy.conf
 else
-    export BASE_URL=$(echo $NB_PREFIX | awk -F/ '{ print $4"-"$3 }')$(echo $NOTEBOOK_ARGS | grep -Po 'hub_host":"\K.*?(?=")' | awk -F/ '{ print $3 }' | awk -F. '{for (i=2; i<=NF; i++) printf ".%s", $i}')
+    export BASE_URL=$(echo "$NB_PREFIX" | awk -F/ '{ print $4"-"$3 }')$(echo "$NOTEBOOK_ARGS" | grep -Po 'hub_host":"\K.*?(?=")' | awk -F/ '{ print $3 }' | awk -F. '{for (i=2; i<=NF; i++) printf ".%s", $i}')
+    # If BASE_URL is empty or invalid (missing hub_host), use wildcard server_name
+    if [ -z "$BASE_URL" ] || [ "$BASE_URL" = "$(echo "$NB_PREFIX" | awk -F/ '{ print $4"-"$3 }')" ]; then
+        export BASE_URL="_"
+    fi
     envsubst '${NB_PREFIX},${BASE_URL}' < /opt/app-root/etc/nginx.default.d/proxy.conf.template_nbprefix > /opt/app-root/etc/nginx.default.d/proxy.conf
     envsubst '${BASE_URL}' < /etc/nginx/nginx.conf | tee /etc/nginx/nginx.conf
 fi
diff --git a/rstudio/c9s-python-3.12/nginx/serverconf/proxy.conf.template_nbprefix b/rstudio/c9s-python-3.12/nginx/serverconf/proxy.conf.template_nbprefix
@@ -1,8 +1,8 @@
 ###############
 # Fix rstudio-server auth-sign-in redirect bug
 ###############
-rewrite ^/auth-sign-in(.*) "$custom_scheme://$http_host/rstudio/auth-sign-in$1?appUri=%2Frstudio";
-rewrite ^/auth-sign-out(.*) "$custom_scheme://$http_host/rstudio/auth-sign-out$1?appUri=%2Frstudio";
+rewrite ^/auth-sign-in(.*) "$custom_scheme://$http_host${NB_PREFIX}/rstudio/auth-sign-in$1?appUri=%2Frstudio";
+rewrite ^/auth-sign-out(.*) "$custom_scheme://$http_host${NB_PREFIX}/rstudio/auth-sign-out$1?appUri=%2Frstudio";
 ###############
 
 ###############
@@ -66,24 +66,20 @@ location /api/kernels/ {
 ###############
 # root and prefix get to RStudio endpoint
 ###############
-location = ${NB_PREFIX} {
-    return 302 $custom_scheme://$http_host/rstudio/;
-}
-
-location ${NB_PREFIX}/ {
-    return 302 $custom_scheme://$http_host/rstudio/;
+location ${NB_PREFIX} {
+    return 302 $custom_scheme://$http_host${NB_PREFIX}/rstudio/;
 }
 
 location = /rstudio {
-    return 302 $custom_scheme://$http_host/rstudio/;
+    return 302 $custom_scheme://$http_host${NB_PREFIX}/rstudio/;
 }
 
 location = / {
-    return 302 $custom_scheme://$http_host/rstudio/;
+    return 302 $custom_scheme://$http_host${NB_PREFIX}/rstudio/;
 }
 
-location /rstudio/ {
-    rewrite ^/rstudio/(.*)$ /$1 break;
+location ${NB_PREFIX}/rstudio/ {
+    rewrite ^${NB_PREFIX}/rstudio/(.*)$ /$1 break;
     # Standard RStudio/NGINX configuration
     proxy_pass http://workbench_server/;
     proxy_http_version 1.1;
@@ -93,7 +89,7 @@ location /rstudio/ {
 
     # Needed to make it work properly
     proxy_set_header X-RStudio-Request $custom_scheme://$http_host$request_uri;
-    proxy_set_header X-RStudio-Root-Path /rstudio;
+    proxy_set_header X-RStudio-Root-Path ${NB_PREFIX}/rstudio;
     proxy_set_header Host $http_host;
     proxy_set_header X-Forwarded-Proto $custom_scheme;
 
diff --git a/rstudio/c9s-python-3.12/run-nginx.sh b/rstudio/c9s-python-3.12/run-nginx.sh
@@ -18,7 +18,11 @@ fi
 if [ -z "$NB_PREFIX" ]; then
     cp /opt/app-root/etc/nginx.default.d/proxy.conf.template /opt/app-root/etc/nginx.default.d/proxy.conf
 else
-    export BASE_URL=$(echo $NB_PREFIX | awk -F/ '{ print $4"-"$3 }')$(echo $NOTEBOOK_ARGS | grep -Po 'hub_host":"\K.*?(?=")' | awk -F/ '{ print $3 }' | awk -F. '{for (i=2; i<=NF; i++) printf ".%s", $i}')
+    export BASE_URL=$(echo "$NB_PREFIX" | awk -F/ '{ print $4"-"$3 }')$(echo "$NOTEBOOK_ARGS" | grep -Po 'hub_host":"\K.*?(?=")' | awk -F/ '{ print $3 }' | awk -F. '{for (i=2; i<=NF; i++) printf ".%s", $i}')
+    # If BASE_URL is empty or invalid (missing hub_host), use wildcard server_name
+    if [ -z "$BASE_URL" ] || [ "$BASE_URL" = "$(echo "$NB_PREFIX" | awk -F/ '{ print $4"-"$3 }')" ]; then
+        export BASE_URL="_"
+    fi
     envsubst '${NB_PREFIX},${BASE_URL}' < /opt/app-root/etc/nginx.default.d/proxy.conf.template_nbprefix > /opt/app-root/etc/nginx.default.d/proxy.conf
     envsubst '${BASE_URL}' < /etc/nginx/nginx.conf | tee /etc/nginx/nginx.conf
 fi
diff --git a/rstudio/rhel9-python-3.12/nginx/serverconf/proxy.conf.template_nbprefix b/rstudio/rhel9-python-3.12/nginx/serverconf/proxy.conf.template_nbprefix
@@ -1,8 +1,8 @@
 ###############
 # Fix rstudio-server auth-sign-in redirect bug
 ###############
-rewrite ^/auth-sign-in(.*) "$custom_scheme://$http_host/rstudio/auth-sign-in$1?appUri=%2Frstudio";
-rewrite ^/auth-sign-out(.*) "$custom_scheme://$http_host/rstudio/auth-sign-out$1?appUri=%2Frstudio";
+rewrite ^/auth-sign-in(.*) "$custom_scheme://$http_host${NB_PREFIX}/rstudio/auth-sign-in$1?appUri=%2Frstudio";
+rewrite ^/auth-sign-out(.*) "$custom_scheme://$http_host${NB_PREFIX}/rstudio/auth-sign-out$1?appUri=%2Frstudio";
 ###############
 
 ###############
@@ -66,24 +66,20 @@ location /api/kernels/ {
 ###############
 # root and prefix get to RStudio endpoint
 ###############
-location = ${NB_PREFIX} {
-    return 302 $custom_scheme://$http_host/rstudio/;
-}
-
-location ${NB_PREFIX}/ {
-    return 302 $custom_scheme://$http_host/rstudio/;
+location ${NB_PREFIX} {
+    return 302 $custom_scheme://$http_host${NB_PREFIX}/rstudio/;
 }
 
 location = /rstudio {
-    return 302 $custom_scheme://$http_host/rstudio/;
+    return 302 $custom_scheme://$http_host${NB_PREFIX}/rstudio/;
 }
 
 location = / {
-    return 302 $custom_scheme://$http_host/rstudio/;
+    return 302 $custom_scheme://$http_host${NB_PREFIX}/rstudio/;
 }
 
-location /rstudio/ {
-    rewrite ^/rstudio/(.*)$ /$1 break;
+location ${NB_PREFIX}/rstudio/ {
+    rewrite ^${NB_PREFIX}/rstudio/(.*)$ /$1 break;
     # Standard RStudio/NGINX configuration
     proxy_pass http://workbench_server/;
     proxy_http_version 1.1;
@@ -93,7 +89,7 @@ location /rstudio/ {
 
     # Needed to make it work properly
     proxy_set_header X-RStudio-Request $custom_scheme://$http_host$request_uri;
-    proxy_set_header X-RStudio-Root-Path /rstudio;
+    proxy_set_header X-RStudio-Root-Path ${NB_PREFIX}/rstudio;
     proxy_set_header Host $http_host;
     proxy_set_header X-Forwarded-Proto $custom_scheme;
 
diff --git a/rstudio/rhel9-python-3.12/run-nginx.sh b/rstudio/rhel9-python-3.12/run-nginx.sh
@@ -18,7 +18,11 @@ fi
 if [ -z "$NB_PREFIX" ]; then
     cp /opt/app-root/etc/nginx.default.d/proxy.conf.template /opt/app-root/etc/nginx.default.d/proxy.conf
 else
-    export BASE_URL=$(echo $NB_PREFIX | awk -F/ '{ print $4"-"$3 }')$(echo $NOTEBOOK_ARGS | grep -Po 'hub_host":"\K.*?(?=")' | awk -F/ '{ print $3 }' | awk -F. '{for (i=2; i<=NF; i++) printf ".%s", $i}')
+    export BASE_URL=$(echo "$NB_PREFIX" | awk -F/ '{ print $4"-"$3 }')$(echo "$NOTEBOOK_ARGS" | grep -Po 'hub_host":"\K.*?(?=")' | awk -F/ '{ print $3 }' | awk -F. '{for (i=2; i<=NF; i++) printf ".%s", $i}')
+    # If BASE_URL is empty or invalid (missing hub_host), use wildcard server_name
+    if [ -z "$BASE_URL" ] || [ "$BASE_URL" = "$(echo "$NB_PREFIX" | awk -F/ '{ print $4"-"$3 }')" ]; then
+        export BASE_URL="_"
+    fi
     envsubst '${NB_PREFIX},${BASE_URL}' < /opt/app-root/etc/nginx.default.d/proxy.conf.template_nbprefix > /opt/app-root/etc/nginx.default.d/proxy.conf
     envsubst '${BASE_URL}' < /etc/nginx/nginx.conf | tee /etc/nginx/nginx.conf
 fi
