
Error 404 on /serviceworker.js when serving static resources from reverse proxy #11989

Closed
2 of 7 tasks
Bronek opened this issue Jun 20, 2020 · 14 comments

Comments

@Bronek

Bronek commented Jun 20, 2020

  • Gitea version (or commit ref): 1.12.0
  • Git version:
  • Operating system: Ubuntu Bionic
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

As a result of #11577, the reverse proxy configuration recommended in https://docs.gitea.io/en-us/reverse-proxies/#using-nginx-as-a-reverse-proxy-and-serve-static-resources-directly is no longer correct. This is because Gitea is not using STATIC_URL_PREFIX for serviceworker.js file and the request is instead issued for /serviceworker.js. With the recommended configuration that request will be in turn proxied over to Gitea and then fail, resulting in 404 error.

The fix which worked for me was to add this stanza to my Nginx configuration:

    location /serviceworker.js {
        alias /path/to/gitea/public/serviceworker.js;
    }

I assume this is either:

  • documentation issue (i.e. add stanza like above to the above documentation page), or
  • STATIC_URL_PREFIX should have been used for serviceworker.js file, but isn't.

BTW thank you for this awesome project!
...

Screenshots

gitea-screenshot

Bronek changed the title from "Error 404 on /serviceworker.js when serving static resources from reverse proxy (documentation issue)" to "Error 404 on /serviceworker.js when serving static resources from reverse proxy" Jun 20, 2020
@silverwind
Member

silverwind commented Jun 20, 2020

A Serviceworker must per spec be from first-party origin to work, that's why we have to load it from the main origin instead of STATIC_URL_PREFIX, even though it's a static asset. See here:

https://w3c.github.io/ServiceWorker/#origin-restriction
https://w3c.github.io/ServiceWorker/#path-restriction

Essentially:

service workers cannot be hosted on CDNs

I guess we can only update the docs.
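
Added example (not part of the thread and not Gitea's code): a sketch of the origin and path checks from the two spec sections linked above, applied to the URLs in this issue. The function name and `cdn.example` are hypothetical, and `mysite` is the redacted host used in the report.

```javascript
// Models the Service Worker spec's registration checks (simplified sketch):
//  - origin restriction: script URL and scope must share the page's origin
//  - path restriction: scope must sit under the script's directory unless the
//    script response carries a Service-Worker-Allowed header widening it.
function checkRegistration(pageUrl, scriptUrl, scope, serviceWorkerAllowed) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, page);
  // Default scope is "./" resolved against the script URL (its directory).
  const scopeUrl = new URL(scope ?? './', script);

  if (script.origin !== page.origin) {
    return { ok: false, reason: 'origin', detail: 'script is cross-origin' };
  }
  if (scopeUrl.origin !== page.origin) {
    return { ok: false, reason: 'origin', detail: 'scope is cross-origin' };
  }

  // Maximum scope: header value (resolved against the script URL) or "./".
  const max = new URL(serviceWorkerAllowed ?? './', script);
  if (max.origin !== script.origin) {
    return { ok: false, reason: 'path', detail: 'header points off-origin' };
  }
  if (!scopeUrl.pathname.startsWith(max.pathname)) {
    return {
      ok: false,
      reason: 'path',
      detail: `scope ${scopeUrl.pathname} is outside ${max.pathname}`,
    };
  }
  return { ok: true, scope: scopeUrl.href };
}

// Constructed cases based on the configurations discussed in this issue.
const PAGE = 'https://mysite/';
const cases = {
  // Worker on a separate static host (CDN-style STATIC_URL_PREFIX).
  cdn: checkRegistration(PAGE, 'https://cdn.example/serviceworker.js', '/'),
  // Worker under a same-origin prefix such as /_/static, asking for scope "/".
  prefixed: checkRegistration(PAGE, '/_/static/serviceworker.js', '/'),
  // Same script, default scope: allowed, but it only controls /_/static/.
  prefixedDefault: checkRegistration(PAGE, '/_/static/serviceworker.js'),
  // Worker served from the root of the main origin, as Gitea does.
  root: checkRegistration(PAGE, '/serviceworker.js', '/'),
  // Prefixed script whose response sends "Service-Worker-Allowed: /".
  widened: checkRegistration(PAGE, '/_/static/serviceworker.js', '/', '/'),
};
console.log(cases);
```
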

@Bronek
Author

Bronek commented Jun 20, 2020

I guess we can only update the docs.

Great, thank you! That's what I initially suspected :)

@silverwind
Member

silverwind commented Jun 20, 2020

Though I don't quite understand your issue. If you have STATIC_URL_PREFIX set with an accompanying rule in nginx, it will be used for all static assets except /serviceworker.js which should still go to ROOT_URL so no special configuration like above should be needed.

@silverwind
Member

I did not look at the code yet but I think it might be happening that if STATIC_URL_PREFIX is set, the backend might refuse to serve assets from ROOT_URL which may be an issue we can probably correct. It likely did work before because /serviceworker.js was a static route but now is handled just like other assets.

@Bronek
Author

Bronek commented Jun 20, 2020

Further info: request for /serviceworker.js only fails for authenticated user; it succeeds if main page is opened by un-authenticated user.

@Bronek
Author

Bronek commented Jun 20, 2020

Further info: request for /serviceworker.js only fails for authenticated user; it succeeds if main page is opened by un-authenticated user.

Correction; not exactly "succeeds", gitea is returning 302 status (rather than 404 for authenticated users). I am yet to find where that 302 redirection leads to.

EDIT: from Chrome developer tools I extracted this (for un-authenticated user):

General:
Request URL: https://mysite/serviceworker.js
Referrer Policy: no-referrer

Response:
content-length: 34
content-type: text/html; charset=utf-8
date: Sat, 20 Jun 2020 11:09:30 GMT
location: /user/login
server: nginx
set-cookie: redirect_to=%2Fserviceworker.js; Path=/
status: 302
strict-transport-security: max-age=31536000; includeSubdomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

NB, this request actually gets stalled.

Same from router log:

2020/06/20 11:09:29 Started GET / for 81.187.242.66
2020/06/20 11:09:29 Completed GET / 200 OK in 2.192705ms
2020/06/20 11:09:30 Started GET /serviceworker.js for 81.187.242.66
2020/06/20 11:09:30 Completed GET /serviceworker.js 302 Found in 410.177µs
2020/06/20 11:09:30 Started GET /manifest.json for 81.187.242.66
2020/06/20 11:09:30 Completed GET /manifest.json 200 OK in 490.408µs

For authenticated user the following happens:

General:
Request URL: https://mysite/serviceworker.js
Request Method: GET
Status Code: 404 
Remote Address: 159.89.250.61:443
Referrer Policy: no-referrer

Response:
ncoding: gzip
content-type: text/html; charset=UTF-8
date: Sat, 20 Jun 2020 11:03:24 GMT
server: nginx
set-cookie: _csrf=km6bifuN8q_bbOvbi45XZhneR3g6MTU5MjY1MTAwNDA5MzEzMjMyNA; Path=/; Expires=Sun, 21 Jun 2020 11:03:24 GMT; HttpOnly
status: 404
x-frame-options: SAMEORIGIN

Same from router log:

2020/06/20 11:03:23 Started POST /user/login for 81.187.242.66
2020/06/20 11:03:24 Completed POST /user/login 302 Found in 80.625703ms
2020/06/20 11:03:24 Started GET /serviceworker.js for 81.187.242.66
2020/06/20 11:03:24 Completed GET /serviceworker.js 404 Not Found in 9.331578ms
2020/06/20 11:03:24 Started GET /user/avatar/bronek/-1 for 81.187.242.66
2020/06/20 11:03:24 Completed GET /user/avatar/bronek/-1 302 Found in 3.510722ms
2020/06/20 11:03:24 Started GET /user/events for 81.187.242.66
2020/06/20 11:03:24 Started GET /serviceworker.js for 81.187.242.66
2020/06/20 11:03:24 Started GET /user/avatar/bronek/-1 for 81.187.242.66
2020/06/20 11:03:24 Completed GET /serviceworker.js 404 Not Found in 5.735717ms
2020/06/20 11:03:24 Completed GET /user/avatar/bronek/-1 302 Found in 7.948115ms
2020/06/20 11:03:24 Started GET /manifest.json for 81.187.242.66
2020/06/20 11:03:24 Completed GET /manifest.json 200 OK in 2.198662ms

@silverwind
Member

I can't quite replicate, I see 200s on ROOT_URL/serviceworker.js both signed in and signed out with such a config:

[server]
PROTOCOL = http
DOMAIN = localhost
HTTP_ADDR = 127.0.0.1
HTTP_PORT = 3500
ROOT_URL = http://localhost:3500/
STATIC_URL_PREFIX = http://127.0.0.1:3500/
LOCAL_ROOT_URL = http://127.0.0.1:3500/

[service]
REQUIRE_SIGNIN_VIEW = true

Any other changed settings in your config that might be relevant?

@silverwind
Member

silverwind commented Jun 20, 2020

The 302 is a separate issue which is fixed in #11872 but I see I need to pull out that fix separately there.

Still can't explain your 404, what exact gitea version is it and how did you build it?

@Bronek
Author

Bronek commented Jun 20, 2020

From app.ini:

[server]
HTTP_ADDR          = 127.0.0.1
HTTP_PORT          = 3000
SSH_DOMAIN         = mysite
DOMAIN             = mysite
STATIC_URL_PREFIX  = /_/static
ROOT_URL           = https://mysite/

[service]
REQUIRE_SIGNIN_VIEW               = true

From nginx:

server {
    listen 80;
    listen [::]:80;

    server_name mysite;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl on;
    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_certificate /etc/letsencrypt/live/mysite/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite/privkey.pem;

    server_name mysite;
    root /var/www/static/mysite/content;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:3000;
    }

    location /_/static {
        alias /var/www/static/mysite/public;
    }

    location ~ /.well-known {
        allow all;
        root /var/www/static/mysite;
    }

    client_max_body_size 50m;
}

NB I redacted actual site with mysite because it is public facing.

@Bronek
Author

Bronek commented Jun 20, 2020

It is gitea 1.12.0, built with https://github.com/Bronek/build-gitea

@silverwind
Member

silverwind commented Jun 20, 2020

Try changing to just make build here as per this. Running generate too soon causes frontend build issues. It was recommended like that once but we had to change it.

silverwind added a commit to silverwind/gitea that referenced this issue Jun 20, 2020
Fixes a wrong 302 redirect to the login page, see go-gitea#11989.
Also made it so the reserved username list is extended with those known
entries so we avoid code duplication.

Should be backported to 1.12.
@silverwind
Member

silverwind commented Jun 20, 2020

Opened #11992 to fix the 302 issue.

@Bronek
Author

Bronek commented Jun 20, 2020

Try changing to just make build here. Running generate too soon causes frontend build issues. It was recommended like that once but we had to change it.

That fixed it - thank you!

@Bronek Bronek closed this as completed Jun 20, 2020
lafriks pushed a commit that referenced this issue Jun 20, 2020
Fixes a wrong 302 redirect to the login page, see #11989.
Also made it so the reserved username list is extended with those known
entries so we avoid code duplication.

Should be backported to 1.12.
@Bronek
Author

Bronek commented Jun 20, 2020

I am not sure if that needs a fix, or is just an artifact of local cache behaviour but I've seen it on 3 different browsers so reporting here:

After successful login, the content of /serviceworker.js is shown as if it was the home page (i.e. it is not executed by the browser). This only happens on first-time login. If I logout and login again, the main page looks normal.

Access log from gitea:

81.187.242.66 - - [20/Jun/2020:13:42:42 +0000] "GET / HTTP/1.0" 200 10423 "\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 OPR/68.0.3618.173"
81.187.242.66 - - [20/Jun/2020:13:42:44 +0000] "GET /serviceworker.js HTTP/1.0" 200 28527 "https://mysite/serviceworker.js\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 OPR/68.0.3618.173"
81.187.242.66 - - [20/Jun/2020:13:43:07 +0000] "GET /user/login?redirect_to= HTTP/1.0" 200 9503 "\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 OPR/68.0.3618.173"
81.187.242.66 - - [20/Jun/2020:13:43:09 +0000] "GET /serviceworker.js HTTP/1.0" 304 0 "https://mysite/serviceworker.js\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 OPR/68.0.3618.173"
81.187.242.66 - - [20/Jun/2020:13:43:09 +0000] "POST /user/login HTTP/1.0" 302 0 "\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 OPR/68.0.3618.173"
81.187.242.66 - - [20/Jun/2020:13:43:09 +0000] "GET /serviceworker.js HTTP/1.0" 304 0 "\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 OPR/68.0.3618.173"
81.187.242.66 - bronek [20/Jun/2020:13:43:10 +0000] "GET /favicon.ico HTTP/1.0" 404 19 "https://mysite/serviceworker.js\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 OPR/68.0.3618.173"
81.187.242.66 - - [20/Jun/2020:13:43:11 +0000] "GET /serviceworker.js HTTP/1.0" 304 0 "https://mysite/serviceworker.js\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 OPR/68.0.3618.173"
81.187.242.66 - - [20/Jun/2020:13:43:41 +0000] "GET /serviceworker.js HTTP/1.0" 304 0 "https://mysite/serviceworker.js\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36 OPR/68.0.3618.173"

Chrome developer tools reporting:

General:
Request URL: https://mysite/serviceworker.js
Request Method: GET
Status Code: 200  (from disk cache)
Remote Address: 159.89.250.61:443
Referrer Policy: no-referrer

Response:
accept-ranges: bytes
content-length: 28527
content-type: application/javascript
date: Sat, 20 Jun 2020 13:43:41 GMT
etag: 5r2vc2VydmljZXdvcmtlci5qc1NhdCwgMjAgSnVuIDIwMjAgMTE6MzU6MzcgR01U
expires: Sat, 20 Jun 2020 19:43:41 GMT
last-modified: Sat, 20 Jun 2020 11:35:37 GMT
server: nginx
status: 304
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

EDIT: this appears to have been fixed after I cherry-picked #11992 / #11994

zeripath pushed a commit that referenced this issue Jun 20, 2020
Fixes a wrong 302 redirect to the login page, see #11989.
Also made it so the reserved username list is extended with those known
entries so we avoid code duplication.
ydelafollye pushed a commit to ydelafollye/gitea that referenced this issue Jul 31, 2020
Fixes a wrong 302 redirect to the login page, see go-gitea#11989.
Also made it so the reserved username list is extended with those known
entries so we avoid code duplication.

Should be backported to 1.12.
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020