proxy: Access CMS instances through subpaths

Expose CogStack ModelServe instances (services listening on port 8000)
as subpaths through the proxy, alleviating the need to hardcode host
port mappings in the client applications. Instead, requests to
`/cms/<service>` are forwarded to `<service>:8000` internally using the
Docker DNS resolver. This also allows us to access user-deployed CMS
instances through the proxy without any configuration changes.

The rest of the services included in the stack (e.g. Grafana, MLflow)
are still available through their respective host port mappings. Even
though efforts were made to integrate them as subpaths, they are not
fully supported at this stage. More specifically, while accessing
exact paths through their APIs might be possible, accessing their web
interfaces when using subpaths is problematic, due to the way these
external services handle redirects. Even though we employ certain
heuristics to rewrite local URLs we can't account for all possible
cases, e.g. local paths in HTML responses. This is a known limitation
that should be addressed in future iterations.

Signed-off-by: Phoevos Kalemkeris <[email protected]>

Author: phoevos

docker-compose-proxy.yml

@@ -23,13 +23,10 @@ services:
       - http_proxy=$HTTP_PROXY
       - https_proxy=$HTTPS_PROXY
       - no_proxy=localhost
+    expose:
+      - 443
     ports:
-      - 28180:28180 # medcat-snomed
-      - 28181:28181 # medcat-icd10
-#      - 28182:28182 # de-identification (deprecated)
-      - 28183:28183 # medcat-deid (anoncat)
-      - 28184:28184 # medcat-umls
-      - 28185:28185 # huggingface-ner
+      - 443:443     # cms
       - 28199:28199 # minio
       - 28200:28200 # mlflow-ui
       - 28201:28201 # prometheus
@@ -43,4 +40,4 @@ services:
 
 networks:
   cogstack-model-serve_cms:
-    external: true
+    external: true

docker/nginx/etc/nginx/nginx.conf

@@ -16,21 +16,85 @@ http {
     client_max_body_size 500M;
 
     server {
+        listen 443 ssl http2;
+        listen [::]:443 ssl http2;
+        server_name localhost;
+
+        add_header Strict-Transport-Security "max-age=31536000" always;
+
+        ssl_session_cache shared:SSL:20m;
+        ssl_session_timeout 10m;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        resolver 8.8.8.8 8.8.4.4;
+
+        ssl_certificate /etc/nginx/root-ca.pem;
+        ssl_certificate_key /etc/nginx/root-ca.key;
+
+        access_log /var/log/nginx/access.log;
+        error_log /var/log/nginx/error.log;
+
         location /health {
             include cors.conf;
             access_log off;
             return 200 "OK\n";
         }
+
+        location ~ ^/cms/(?<service>[^/]+)(?<subpath>/.*)?$ {
+            include cors.conf;
+            resolver 127.0.0.11 valid=30s;
+            set $upstream $service:8000;
+
+            # FIXME: Access web interfaces (e.g. Grafana, MLflow) through subpaths on the proxy.
+            # The following services only work when accessed directly through their respective APIs.
+            # Attempting to access their UI through the proxy leads to issues due to the way they
+            # handle redirects (even though we can employ certain heuristics to rewrite local URLs
+            # we can't account for all possible cases, e.g. local paths in HTML responses). As a
+            # result, accessing these web intercases through the proxy is only possible using the
+            # available host port mappings instead of the subpaths under /cms for the time being.
+            if ($service = "grafana") {
+                set $upstream $service:3000;
+            }
+
+            if ($service = "graylog") {
+                set $upstream $service:9000;
+            }
+
+            if ($service = "minio") {
+                set $upstream $service:9001;
+            }
+
+            if ($service = "mlflow-ui") {
+                set $upstream $service:5000;
+            }
+
+            if ($service = "prometheus") {
+                set $upstream $service:9090;
+            }
+
+            proxy_pass http://$upstream$subpath;
+
+            proxy_redirect http://$upstream$subpath $scheme://$host/cms/$service$subpath;
+            proxy_redirect http://$upstream/ $scheme://$host/cms/$service/;
+            proxy_redirect http://$upstream $scheme://$host/cms/$service;
+            proxy_redirect / $scheme://$host/cms/$service/;
+
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            error_page 502 503 504 = @fallback;
+        }
+
+        location @fallback {
+            return 503 "Service is temporarily unavailable. Please try again later.";
+        }
     }
 
-    include sites-enabled/medcat-snomed;
-    include sites-enabled/medcat-icd10;
-    include sites-enabled/medcat-deid;
-    include sites-enabled/medcat-umls;
-    include sites-enabled/huggingface-ner;
-    include sites-enabled/mlflow-ui;
-    include sites-enabled/minio;
-    include sites-enabled/prometheus;
-    include sites-enabled/grafana;
-    include sites-enabled/graylog;
-}
+    include sites-enabled/*;
+}