Apache proxy settings - Django with Bokeh Server

I’m trying to deploy Django application with Bokeh visualisations on AWS Beanstalk.
Application works fine locally, but I’m unable to make it working on AWS. I’m using Beanstalk with single instance on Amazon Linux/2.8.3 and domain set with SSL redirection.

I think the issue is with Virtual Host settings. Below you may see the settings I use for SSL configuration.

<VirtualHost *:443>

<Directory /opt/python/current/app/build/static>

Order deny,allow

Allow from all

</Directory>

SSLEngine on

SSLCertificateFile "path to Certificate File"

SSLCertificateKeyFile "path to Certificate Key File"

SSLCipherSuite "Clipher string"

SSLProtocol All -SSLv2 -SSLv3

SSLHonorCipherOrder On

SSLSessionTickets Off

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

Header always set X-Frame-Options DENY

Header always set X-Content-Type-Options nosniff

ProxyPass / http://localhost:80/ retry=0

ProxyPassReverse / http://localhost:80/

ProxyPreserveHost on

RequestHeader set X-Forwarded-Proto "https" early

</VirtualHost>

I’ve tried to add to this script settings for Bokeh server proxy:

<VirtualHost *:80>

ProxyPass /dashboard http://127.0.0.1:5100/dashboard/

ProxyPassReverse  /dashboard http://127.0.0.1:5100/dashboard/

</VirtualHost>

When I run bokeh server on my EC2 instance with command

bokeh serve dashboard.py --port 5100 --use-xheaders --allow-websocket-origin="*"

it doesn’t work and I receive connection error.

Any suggestions on this would be much appreciated.

Thanks
Radek

Hi,

Offhand, you don't appear to be proxying the websocket endpoints, which I believe is necessary. This is not an area of expertise for me, unfortunately, but everything that I know is contained in the examples in the docs:

  Bokeh server — Bokeh 3.3.2 Documentation

Thanks,

Bryan

···

On May 19, 2019, at 10:28 AM, Radek S <[email protected]> wrote:

I'm trying to deploy Django application with Bokeh visualisations on AWS Beanstalk.
Application works fine locally, but I'm unable to make it working on AWS. I'm using Beanstalk with single instance on Amazon Linux/2.8.3 and domain set with SSL redirection.
I think the issue is with Virtual Host settings. Below you may see the settings I use for SSL configuration.
         <VirtualHost *:443>
            <Directory /opt/python/current/app/build/static>
               Order deny,allow
               Allow from all
            </Directory>
                
            SSLEngine on
            SSLCertificateFile "path to Certificate File"
            SSLCertificateKeyFile "path to Certificate Key File"
            SSLCipherSuite "Clipher string"
            SSLProtocol All -SSLv2 -SSLv3
            SSLHonorCipherOrder On
            SSLSessionTickets Off

            Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
            Header always set X-Frame-Options DENY
            Header always set X-Content-Type-Options nosniff

            ProxyPass / http://localhost:80/ retry=0
            ProxyPassReverse / http://localhost:80/
            ProxyPreserveHost on
            RequestHeader set X-Forwarded-Proto "https" early
         </VirtualHost>
I've tried to add to this script settings for Bokeh server proxy:
  • ProxyPass /dashboard http://127.0.0.1:5100/dashboard/
  • ProxyPassReverse /dashboard http://127.0.0.1:5100/dashboard/
I've also tried to create a separate virtual host for port 80
         <VirtualHost *:80>
            ProxyPass /dashboard http://127.0.0.1:5100/dashboard/
            ProxyPassReverse /dashboard http://127.0.0.1:5100/dashboard/
         </VirtualHost>

When I run bokeh server on my EC2 instance with command "bokeh serve dashboard.py --port 5100 --use-xheaders --allow-websocket-origin="*"" it doesn't work and I receive connection error.

Any suggestions on this would be much appreciated.

Thanks
Radek

--
You received this message because you are subscribed to the Google Groups "Bokeh Discussion - Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/continuum.io/d/msgid/bokeh/6c4b20da-38d7-475f-85a1-08f787d409ae%40continuum.io\.
For more options, visit https://groups.google.com/a/continuum.io/d/optout\.

Hi Bryan, thanks for your response.

I’ve tried with this configuration as well. Unfortunately any page of my application doesn’t work than, not only the one with bokeh visualisation.

Unfortunately I do not have any knowledge of Apache configuration and I have no idea what else might help.

Radek

W dniu niedziela, 19 maja 2019 19:40:38 UTC+2 użytkownik Bryan Van de Ven napisał:

···

Hi,

Offhand, you don’t appear to be proxying the websocket endpoints, which I believe is necessary. This is not an area of expertise for me, unfortunately, but everything that I know is contained in the examples in the docs:

    [https://bokeh.pydata.org/en/latest/docs/user_guide/server.html#basic-reverse-proxy-setup](https://bokeh.pydata.org/en/latest/docs/user_guide/server.html#basic-reverse-proxy-setup)

Thanks,

Bryan

On May 19, 2019, at 10:28 AM, Radek S [email protected] wrote:

I’m trying to deploy Django application with Bokeh visualisations on AWS Beanstalk.

Application works fine locally, but I’m unable to make it working on AWS. I’m using Beanstalk with single instance on Amazon Linux/2.8.3 and domain set with SSL redirection.

I think the issue is with Virtual Host settings. Below you may see the settings I use for SSL configuration.

     <VirtualHost *:443>
        <Directory /opt/python/current/app/build/static>
           Order deny,allow
           Allow from all
        </Directory>
        SSLEngine on
        SSLCertificateFile "path to Certificate File"
        SSLCertificateKeyFile "path to Certificate Key File"
        SSLCipherSuite "Clipher string"
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLSessionTickets Off
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        ProxyPass / [http://localhost:80/](http://localhost:80/) retry=0
        ProxyPassReverse / [http://localhost:80/](http://localhost:80/)
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early
     </VirtualHost>

I’ve tried to add to this script settings for Bokeh server proxy:

    • ProxyPass /dashboard [http://127.0.0.1:5100/dashboard/](http://127.0.0.1:5100/dashboard/)
    • ProxyPassReverse /dashboard [http://127.0.0.1:5100/dashboard/](http://127.0.0.1:5100/dashboard/)

I’ve also tried to create a separate virtual host for port 80

     <VirtualHost *:80>
        ProxyPass /dashboard [http://127.0.0.1:5100/dashboard/](http://127.0.0.1:5100/dashboard/)
        ProxyPassReverse  /dashboard [http://127.0.0.1:5100/dashboard/](http://127.0.0.1:5100/dashboard/)
     </VirtualHost>

When I run bokeh server on my EC2 instance with command “bokeh serve dashboard.py --port 5100 --use-xheaders --allow-websocket-origin=”*“” it doesn’t work and I receive connection error.

Any suggestions on this would be much appreciated.

Thanks
Radek


You received this message because you are subscribed to the Google Groups “Bokeh Discussion - Public” group.

To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].

To post to this group, send email to [email protected].

To view this discussion on the web visit https://groups.google.com/a/continuum.io/d/msgid/bokeh/6c4b20da-38d7-475f-85a1-08f787d409ae%40continuum.io.

For more options, visit https://groups.google.com/a/continuum.io/d/optout.

Hi,

You might have more success finding the most relevant expertise in an Apache support forum. I know even less about Apache than I do Nginx, so I am sorry I cannot be more direct help. Basic embedding Bokeh through a proxy means configuring it to forward the base url, the ws url, and the static url. If you figure out an Apache config for SSL please report back so we can incorporate that into our docs.

Thanks,

Bryan

···

On May 19, 2019, at 11:25 AM, Radek S <[email protected]> wrote:

Hi Bryan, thanks for your response.

I've tried with this configuration as well. Unfortunately any page of my application doesn't work than, not only the one with bokeh visualisation.
Unfortunately I do not have any knowledge of Apache configuration and I have no idea what else might help.

Radek

W dniu niedziela, 19 maja 2019 19:40:38 UTC+2 użytkownik Bryan Van de Ven napisał:
Hi,

Offhand, you don't appear to be proxying the websocket endpoints, which I believe is necessary. This is not an area of expertise for me, unfortunately, but everything that I know is contained in the examples in the docs:

        Bokeh server — Bokeh 3.3.2 Documentation

Thanks,

Bryan

> On May 19, 2019, at 10:28 AM, Radek S <[email protected]> wrote:
>
> I'm trying to deploy Django application with Bokeh visualisations on AWS Beanstalk.
> Application works fine locally, but I'm unable to make it working on AWS. I'm using Beanstalk with single instance on Amazon Linux/2.8.3 and domain set with SSL redirection.
> I think the issue is with Virtual Host settings. Below you may see the settings I use for SSL configuration.
> <VirtualHost *:443>
> <Directory /opt/python/current/app/build/static>
> Order deny,allow
> Allow from all
> </Directory>
>
> SSLEngine on
> SSLCertificateFile "path to Certificate File"
> SSLCertificateKeyFile "path to Certificate Key File"
> SSLCipherSuite "Clipher string"
> SSLProtocol All -SSLv2 -SSLv3
> SSLHonorCipherOrder On
> SSLSessionTickets Off
>
> Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
> Header always set X-Frame-Options DENY
> Header always set X-Content-Type-Options nosniff
>
> ProxyPass / http://localhost:80/ retry=0
> ProxyPassReverse / http://localhost:80/
> ProxyPreserveHost on
> RequestHeader set X-Forwarded-Proto "https" early
> </VirtualHost>
> I've tried to add to this script settings for Bokeh server proxy:
> • ProxyPass /dashboard http://127.0.0.1:5100/dashboard/
> • ProxyPassReverse /dashboard http://127.0.0.1:5100/dashboard/
> I've also tried to create a separate virtual host for port 80
> <VirtualHost *:80>
> ProxyPass /dashboard http://127.0.0.1:5100/dashboard/
> ProxyPassReverse /dashboard http://127.0.0.1:5100/dashboard/
> </VirtualHost>
>
> When I run bokeh server on my EC2 instance with command "bokeh serve dashboard.py --port 5100 --use-xheaders --allow-websocket-origin="*"" it doesn't work and I receive connection error.
>
> Any suggestions on this would be much appreciated.
>
> Thanks
> Radek
>
> --
> You received this message because you are subscribed to the Google Groups "Bokeh Discussion - Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bo...@continuum.io.
> To post to this group, send email to bo...@continuum.io.
> To view this discussion on the web visit https://groups.google.com/a/continuum.io/d/msgid/bokeh/6c4b20da-38d7-475f-85a1-08f787d409ae%40continuum.io\.
> For more options, visit https://groups.google.com/a/continuum.io/d/optout\.

--
You received this message because you are subscribed to the Google Groups "Bokeh Discussion - Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/continuum.io/d/msgid/bokeh/19aea52c-2277-4521-9d48-29ffbda888cb%40continuum.io\.
For more options, visit https://groups.google.com/a/continuum.io/d/optout\.

Hi Bryan,

are you aware of any websocket configuration I should have done in Django to have websocket url defined?

Radek

W dniu niedziela, 19 maja 2019 20:54:43 UTC+2 użytkownik Bryan Van de Ven napisał:

···

Hi,

You might have more success finding the most relevant expertise in an Apache support forum. I know even less about Apache than I do Nginx, so I am sorry I cannot be more direct help. Basic embedding Bokeh through a proxy means configuring it to forward the base url, the ws url, and the static url. If you figure out an Apache config for SSL please report back so we can incorporate that into our docs.

Thanks,

Bryan

On May 19, 2019, at 11:25 AM, Radek S [email protected] wrote:

Hi Bryan, thanks for your response.

I’ve tried with this configuration as well. Unfortunately any page of my application doesn’t work than, not only the one with bokeh visualisation.

Unfortunately I do not have any knowledge of Apache configuration and I have no idea what else might help.

Radek

W dniu niedziela, 19 maja 2019 19:40:38 UTC+2 użytkownik Bryan Van de Ven napisał:

Hi,

Offhand, you don’t appear to be proxying the websocket endpoints, which I believe is necessary. This is not an area of expertise for me, unfortunately, but everything that I know is contained in the examples in the docs:

    [https://bokeh.pydata.org/en/latest/docs/user_guide/server.html#basic-reverse-proxy-setup](https://bokeh.pydata.org/en/latest/docs/user_guide/server.html#basic-reverse-proxy-setup)

Thanks,

Bryan

On May 19, 2019, at 10:28 AM, Radek S [email protected] wrote:

I’m trying to deploy Django application with Bokeh visualisations on AWS Beanstalk.
Application works fine locally, but I’m unable to make it working on AWS. I’m using Beanstalk with single instance on Amazon Linux/2.8.3 and domain set with SSL redirection.
I think the issue is with Virtual Host settings. Below you may see the settings I use for SSL configuration.
<VirtualHost *:443>
<Directory /opt/python/current/app/build/static>
Order deny,allow
Allow from all

        SSLEngine on
        SSLCertificateFile "path to Certificate File"
        SSLCertificateKeyFile "path to Certificate Key File"
        SSLCipherSuite "Clipher string"
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLSessionTickets Off

        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        ProxyPass / [http://localhost:80/](http://localhost:80/) retry=0
        ProxyPassReverse / [http://localhost:80/](http://localhost:80/)
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early
     </VirtualHost>

I’ve tried to add to this script settings for Bokeh server proxy:
• ProxyPass /dashboard http://127.0.0.1:5100/dashboard/

    • ProxyPassReverse /dashboard [http://127.0.0.1:5100/dashboard/](http://127.0.0.1:5100/dashboard/)

I’ve also tried to create a separate virtual host for port 80
<VirtualHost *:80>
ProxyPass /dashboard http://127.0.0.1:5100/dashboard/

        ProxyPassReverse  /dashboard [http://127.0.0.1:5100/dashboard/](http://127.0.0.1:5100/dashboard/)
     </VirtualHost>

When I run bokeh server on my EC2 instance with command “bokeh serve dashboard.py --port 5100 --use-xheaders --allow-websocket-origin=”*“” it doesn’t work and I receive connection error.

Any suggestions on this would be much appreciated.

Thanks
Radek


You received this message because you are subscribed to the Google Groups “Bokeh Discussion - Public” group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/continuum.io/d/msgid/bokeh/6c4b20da-38d7-475f-85a1-08f787d409ae%40continuum.io.
For more options, visit https://groups.google.com/a/continuum.io/d/optout.


You received this message because you are subscribed to the Google Groups “Bokeh Discussion - Public” group.

To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].

To post to this group, send email to [email protected].

To view this discussion on the web visit https://groups.google.com/a/continuum.io/d/msgid/bokeh/19aea52c-2277-4521-9d48-29ffbda888cb%40continuum.io.

For more options, visit https://groups.google.com/a/continuum.io/d/optout.

Hi, you should not need to configure anything in Django AFAIK. At least, I have never seen anything required for Flask, and I assume the same would hold true for Django. BokehJS itself takes care of setting up the websocket connection to the Bokeh server (which is why the proxy need to handle the ws endpoint). Speaking of which, if you want to lock the server down to only instantiate sessions originating from your Django code, you should consider using signed session ids, as demonstrated here:

  https://gist.github.com/bryevdv/481fc64c59620acb74c64bff0f4d47d0

Thanks,

Bryan

···

On May 19, 2019, at 12:39 PM, Radek S <[email protected]> wrote:

Hi Bryan,

are you aware of any websocket configuration I should have done in Django to have websocket url defined?

Radek

W dniu niedziela, 19 maja 2019 20:54:43 UTC+2 użytkownik Bryan Van de Ven napisał:
Hi,

You might have more success finding the most relevant expertise in an Apache support forum. I know even less about Apache than I do Nginx, so I am sorry I cannot be more direct help. Basic embedding Bokeh through a proxy means configuring it to forward the base url, the ws url, and the static url. If you figure out an Apache config for SSL please report back so we can incorporate that into our docs.

Thanks,

Bryan

> On May 19, 2019, at 11:25 AM, Radek S <[email protected]> wrote:
>
> Hi Bryan, thanks for your response.
>
> I've tried with this configuration as well. Unfortunately any page of my application doesn't work than, not only the one with bokeh visualisation.
> Unfortunately I do not have any knowledge of Apache configuration and I have no idea what else might help.
>
> Radek
>
> W dniu niedziela, 19 maja 2019 19:40:38 UTC+2 użytkownik Bryan Van de Ven napisał:
> Hi,
>
> Offhand, you don't appear to be proxying the websocket endpoints, which I believe is necessary. This is not an area of expertise for me, unfortunately, but everything that I know is contained in the examples in the docs:
>
> Bokeh server — Bokeh 3.3.2 Documentation
>
> Thanks,
>
> Bryan
>
> > On May 19, 2019, at 10:28 AM, Radek S <[email protected]> wrote:
> >
> > I'm trying to deploy Django application with Bokeh visualisations on AWS Beanstalk.
> > Application works fine locally, but I'm unable to make it working on AWS. I'm using Beanstalk with single instance on Amazon Linux/2.8.3 and domain set with SSL redirection.
> > I think the issue is with Virtual Host settings. Below you may see the settings I use for SSL configuration.
> > <VirtualHost *:443>
> > <Directory /opt/python/current/app/build/static>
> > Order deny,allow
> > Allow from all
> > </Directory>
> >
> > SSLEngine on
> > SSLCertificateFile "path to Certificate File"
> > SSLCertificateKeyFile "path to Certificate Key File"
> > SSLCipherSuite "Clipher string"
> > SSLProtocol All -SSLv2 -SSLv3
> > SSLHonorCipherOrder On
> > SSLSessionTickets Off
> >
> > Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
> > Header always set X-Frame-Options DENY
> > Header always set X-Content-Type-Options nosniff
> >
> > ProxyPass / http://localhost:80/ retry=0
> > ProxyPassReverse / http://localhost:80/
> > ProxyPreserveHost on
> > RequestHeader set X-Forwarded-Proto "https" early
> > </VirtualHost>
> > I've tried to add to this script settings for Bokeh server proxy:
> > • ProxyPass /dashboard http://127.0.0.1:5100/dashboard/
> > • ProxyPassReverse /dashboard http://127.0.0.1:5100/dashboard/
> > I've also tried to create a separate virtual host for port 80
> > <VirtualHost *:80>
> > ProxyPass /dashboard http://127.0.0.1:5100/dashboard/
> > ProxyPassReverse /dashboard http://127.0.0.1:5100/dashboard/
> > </VirtualHost>
> >
> > When I run bokeh server on my EC2 instance with command "bokeh serve dashboard.py --port 5100 --use-xheaders --allow-websocket-origin="*"" it doesn't work and I receive connection error.
> >
> > Any suggestions on this would be much appreciated.
> >
> > Thanks
> > Radek
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Bokeh Discussion - Public" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to bo...@continuum.io.
> > To post to this group, send email to bo...@continuum.io.
> > To view this discussion on the web visit https://groups.google.com/a/continuum.io/d/msgid/bokeh/6c4b20da-38d7-475f-85a1-08f787d409ae%40continuum.io\.
> > For more options, visit https://groups.google.com/a/continuum.io/d/optout\.
>
>
> --
> You received this message because you are subscribed to the Google Groups "Bokeh Discussion - Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bo...@continuum.io.
> To post to this group, send email to bo...@continuum.io.
> To view this discussion on the web visit https://groups.google.com/a/continuum.io/d/msgid/bokeh/19aea52c-2277-4521-9d48-29ffbda888cb%40continuum.io\.
> For more options, visit https://groups.google.com/a/continuum.io/d/optout\.

--
You received this message because you are subscribed to the Google Groups "Bokeh Discussion - Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/continuum.io/d/msgid/bokeh/cc1a9766-ecc1-41e4-9d21-84cfa8335d65%40continuum.io\.
For more options, visit https://groups.google.com/a/continuum.io/d/optout\.

Hi Bryan,

I think I’ve configured websocket correctly, but I have issue with static files.

I do have path to static file folder managed by Django set in virtual host and it works fine.I copied Bokeh static files to this folder and files are available thorugh the browser (for example I can see content of “bokeh-widgets.min.css” file under the url https://domainname/static/css/bokeh-widgets.min.css). My bokeh application runs under the url https://domainname/dashboard, so when I try to load dashboard then it tries to load static files from https://domainname/dashboard/static url and it returns 404 error.

I’ve tried to create alias in virtualhost for dashboard/static to my django static folder, but it didn’t change anything.
I asume location of bokeh static files is managed by tornado internally. I’m not sure how could I redirect tornado to django static folder… I’ve tried to do it through modification of urls.py file (bokeh\server\urls.py):

toplevel_patterns = [
(r’/?’, RootHandler),
(‘https://domainname/static/(.*)’, StaticHandler), ]

This didn’t change anything unfortunately too.

Do you have any other suggestions?

Thanks,
Radek

Is there a specific reason you must move the BokehJS files? If you leave them in place and let Bokeh serve its own static folder, then I would expect the https://domainname/dashboard/static URLs to just work, as long as everything under https://domainname/dashboard/ is routed to the Bokeh server.

Hi Bryan,
I would prefer to not move static folder, but have no idea what else could I do to make bokeh working with ssl configuration (everything works fine with http…). I think I have done everything what was needed, but I still receive 404 error when browser try to access static files.

So, I am fairly certain there is a way to configure Apache/SSL things so that accessing the static files from the Bokeh server at its URL works, but unfortunately I have zero experience with Apache so I cannot be of help with that. So at this point, for my part, I can only start suggesting things that I’d consider less than optimal.

The Resources object (which controls the URL to look for BokehJS files) that the app uses is obtained from the BokehTornado.resources() method. So, if you run the Bokeh server programmatically, e.g. as in the tornado_embed.py example, then you could subclass or monkeypatch that resources method to return a Resources object with a root_url configured to point wherever you want (i.e. your top-level Django static dir).

I would say this points to a need to have the resources location be more easily configurable via standard bokeh serve, so I’d encourage you to submit a GitHub issue to discuss it.