NPM fail on frontend image build / 403 Referrer Policystrict-origin-when-cross-origin

[EvoXCX]

Describe the bug
Issue #205 is probably same nature problem

Hello,

I tried to build image frontend image with Docker 26.0.0 and docker-compose 1.29.2 and I get this error

 > [ciso_frontend builder 6/8] RUN npm ci:
9.576 npm WARN ERESOLVE overriding peer dependency
9.580 npm WARN While resolving: @sveltejs/[email protected]
9.580 npm WARN Found: [email protected]
9.580 npm WARN node_modules/vite
9.580 npm WARN   dev vite@"^5.0.0" from the root project
9.581 npm WARN   10 more (@storybook/builder-vite, @storybook/svelte-vite, ...)
9.581 npm WARN
9.582 npm WARN Could not resolve dependency:
9.582 npm WARN peer vite@"^4.0.0" from @sveltejs/[email protected]
9.582 npm WARN node_modules/@storybook/svelte-vite/node_modules/@sveltejs/vite-plugin-svelte
9.582 npm WARN   @sveltejs/vite-plugin-svelte@"^2.4.2" from @storybook/[email protected]
9.582 npm WARN   node_modules/@storybook/svelte-vite
9.582 npm WARN   1 more (@sveltejs/vite-plugin-svelte-inspector)
9.583 npm WARN
9.583 npm WARN Conflicting peer dependency: [email protected]
9.583 npm WARN node_modules/vite
9.584 npm WARN   peer vite@"^4.0.0" from @sveltejs/[email protected]
9.584 npm WARN   node_modules/@storybook/svelte-vite/node_modules/@sveltejs/vite-plugin-svelte
9.584 npm WARN     @sveltejs/vite-plugin-svelte@"^2.4.2" from @storybook/[email protected]
9.584 npm WARN     node_modules/@storybook/svelte-vite
9.585 npm WARN     1 more (@sveltejs/vite-plugin-svelte-inspector)
9.637 npm WARN ERESOLVE overriding peer dependency
9.639 npm WARN While resolving: @sveltejs/[email protected]
9.639 npm WARN Found: [email protected]
9.639 npm WARN node_modules/vite
9.640 npm WARN   dev vite@"^5.0.0" from the root project
9.641 npm WARN   10 more (@storybook/builder-vite, @storybook/svelte-vite, ...)
9.641 npm WARN
9.641 npm WARN Could not resolve dependency:
9.642 npm WARN peer vite@"^4.0.0" from @sveltejs/[email protected]
9.643 npm WARN node_modules/@storybook/svelte-vite/node_modules/@sveltejs/vite-plugin-svelte/node_modules/@sveltejs/vite-plugin-svelte-inspector
9.643 npm WARN   @sveltejs/vite-plugin-svelte-inspector@"^1.0.4" from @sveltejs/[email protected]
9.643 npm WARN
9.644 npm WARN Conflicting peer dependency: [email protected]
9.644 npm WARN node_modules/vite
9.645 npm WARN   peer vite@"^4.0.0" from @sveltejs/[email protected]
9.645 npm WARN   node_modules/@storybook/svelte-vite/node_modules/@sveltejs/vite-plugin-svelte/node_modules/@sveltejs/vite-plugin-svelte-inspector
9.646 npm WARN     @sveltejs/vite-plugin-svelte-inspector@"^1.0.4" from @sveltejs/[email protected]
36.55 npm WARN deprecated [email protected]: Use your platform's native atob() and btoa() methods instead
38.12 npm WARN deprecated [email protected]: Use your platform's native DOMException instead
51.97
51.97 > [email protected] postinstall
51.97 > paraglide-js compile --project ./project.inlang
51.97
53.03 ℹ [paraglide] Compiling inlang project at "./project.inlang".
53.12
53.12  WARN  Could not find repository root for path /app/project.inlang
53.12
64.40
64.40  WARN  The project has errors:
64.40
64.42
64.42  ERROR  Couldn't import the plugin "https://cdn.jsdelivr.net/npm/@inlang/message-lint-rule-empty-pattern@latest/dist/index.js":
64.42
64.42 TypeError: fetch failed
64.42
64.42
64.42   TypeError: fetch failed
64.42   at resolveModules (node_modules/@inlang/paraglide-js/dist/index.js:21488:25)
64.42   at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
64.42
64.42
64.42  ERROR  Couldn't import the plugin "https://cdn.jsdelivr.net/npm/@inlang/message-lint-rule-identical-pattern@latest/dist/index.js":
64.42
64.42 TypeError: fetch failed
64.42
64.42
64.42   TypeError: fetch failed
64.42   at resolveModules (node_modules/@inlang/paraglide-js/dist/index.js:21488:25)
64.42   at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
64.42
64.42
64.42  ERROR  Couldn't import the plugin "https://cdn.jsdelivr.net/npm/@inlang/message-lint-rule-missing-translation@latest/dist/index.js":
64.42
64.42 TypeError: fetch failed
64.42
64.42
64.42   TypeError: fetch failed
64.42   at resolveModules (node_modules/@inlang/paraglide-js/dist/index.js:21488:25)
64.42   at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
64.42
64.42
64.42  ERROR  Couldn't import the plugin "https://cdn.jsdelivr.net/npm/@inlang/message-lint-rule-without-source@latest/dist/index.js":
64.42
64.42 TypeError: fetch failed
64.42
64.42
64.42   TypeError: fetch failed
64.42   at resolveModules (node_modules/@inlang/paraglide-js/dist/index.js:21488:25)
64.42   at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
64.42
64.42
64.42  ERROR  Couldn't import the plugin "https://cdn.jsdelivr.net/npm/@inlang/message-lint-rule-valid-js-identifier@latest/dist/index.js":
64.42
64.42 TypeError: fetch failed
64.42
64.42
64.42   TypeError: fetch failed
64.42   at resolveModules (node_modules/@inlang/paraglide-js/dist/index.js:21488:25)
64.42   at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
64.42
64.42
64.42  ERROR  Couldn't import the plugin "https://cdn.jsdelivr.net/npm/@inlang/plugin-message-format@latest/dist/index.js":
64.42
64.42 TypeError: fetch failed
64.42
64.42
64.42   TypeError: fetch failed
64.42   at resolveModules (node_modules/@inlang/paraglide-js/dist/index.js:21488:25)
64.42   at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
64.42
64.42
64.42  ERROR  Couldn't import the plugin "https://cdn.jsdelivr.net/npm/@inlang/plugin-m-function-matcher@latest/dist/index.js":
64.42
64.42 TypeError: fetch failed
64.42
64.42
64.42   TypeError: fetch failed
64.42   at resolveModules (node_modules/@inlang/paraglide-js/dist/index.js:21488:25)
64.42   at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
64.42
64.43
64.43  ERROR  No plugin provides a loadMessages() or saveMessages() function
64.43
64.43 In case no plugin threw an error, you likely forgot to add a plugin that handles the loading and saving of messages. Refer to the marketplace for available plugins https://inlang.com/marketplace.
64.43
64.43
64.43   In case no plugin threw an error, you likely forgot to add a plugin that handles the loading and saving of messages. Refer to the marketplace for available plugins https://inlang.com/marketplace.
64.43   at resolvePlugins (node_modules/@inlang/paraglide-js/dist/index.js:21454:24)
64.43   at resolveModules (node_modules/@inlang/paraglide-js/dist/index.js:21529:33)
64.43   at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
64.43
64.47 npm ERR! code 1
64.47 npm ERR! path /app
64.47 npm ERR! command failed
64.48 npm ERR! command sh -c paraglide-js compile --project ./project.inlang
64.48
64.48 npm ERR! A complete log of this run can be found in: /root/.npm/_logs/2024-04-08T14_58_57_711Z-debug-0.log
------
failed to solve: process "/bin/sh -c npm ci" did not complete successfully: exit code: 1

I'm behind reverse proxy I don't think the problem come from that since packages are retrieved at the start.

Here is my docker-compose.yml

services:
  ciso_backend:
    container_name: ciso_backend
    hostname: ciso_backend
    build: ./backend
    restart: always
    environment:
      - ALLOWED_HOSTS=backend
      - CISO_ASSISTANT_URL=https://ciso.domain.com
      - DJANGO_DEBUG=False
      # DB
      - POSTGRES_NAME=ciso
      - POSTGRES_USER=ciso_user
      - POSTGRES_PASSWORD=<password>
      - DB_HOST=ciso_db
      - DB_PORT=5432
      # Email
      - [email protected]
      - EMAIL_HOST=<smtp_host>
      - EMAIL_PORT=25

  ciso_frontend:
    container_name: ciso_frontend
    hostname: ciso_frontend
    build: ./frontend
    restart: always
    environment:
      - PUBLIC_BACKEND_API_URL=http://ciso_backend:8000/api
      - PROTOCOL_HEADER=x-forwarded-proto
      - HOST_HEADER=x-forwarded-host
    depends_on:
      - ciso_backend
    ports:
      - 127.0.0.1:8001:8000

  ciso_db:
    image: docker.io/postgres:latest
    container_name: ciso_db
    hostname: ciso_db
    restart: always
    environment:
      - POSTGRES_USER=ciso_user
      - POSTGRES_PASSWORD=<password>
      - POSTGRES_DB=ciso
    volumes:
      - /srv/cisoassistant/data:/var/lib/postgres/data

To Reproduce
Steps to reproduce the behavior:

1. Clone repo
2. Configure Dockerfile to use proxy
3. Adapt docker-compose.yml to my need
4. Build image before compose up

Expected behavior
A working image.

Environment (please complete the following information):

• Device: Server (VM)
• OS: Debian
• Version 12.5

Additional context
I builded it successfully on Fedora 39 clean install, but can't import image to another docker node.

When I import it and launch, it say me that the image have no command.

[Mohamed-Hacene]

Hello @EvoXCX thanks for your report, yes you have surely the same problem than #205. I'll put my answers on the original issue to avoid duplicating them if this also corrects your problem. In the meanwhile, I let this issue opened in case it turns out to be different.

[Mohamed-Hacene]

@EvoXCX, could you update your docker compose version and re-try it to be sure it's not related to it ?
Be sure to update docker compose and not docker-compose. The use of docker-compose is deprecated. see: migrate to compose V2

[EvoXCX]

@Mohamed-Hacene I used docker compose too and neither work

[EvoXCX]

If is something I can do to help you to fix that ask me :)

[Mohamed-Hacene]

@EvoXCX thanks a lot ! It could be very useful to try without any proxy in your configuration. I've re-done the installation from scratch and I can't get the same error, the only thing I notice in common between the two issues is that you are behind a proxy.

[EvoXCX]

@Mohamed-Hacene Yeah proxy seem to be the problem but this is mandatory in my case, although it's weird because it's not a problem with installation (network) but with compiling, I'm investigating in the frontend container not fully builded to understand how it works exactly step by step.

[EvoXCX]

Let me know if you have a fix for this issue before me ;)

P.S: Building image on another docker node and importing do not work because no command at image start.

[Mohamed-Hacene]

Thanks for your help, I hope this isn't due to dependencies, as they are external to our application.

We're also working on publishing our images to avoid this kind of problem. That way, you'll be able to compile them, proxy or not without a hitch ;)

[EvoXCX]

This is a very good news !!!

When you think your image will be published ? I ask you that because this tool will help me to migrate to NIS2 in my context :)

I will update issue if I found something useful to solve this.

[Mohamed-Hacene]

As soon as possible, we first make sure they work on different configurations.
Once again, thank you for your help and patience.

[EvoXCX]

@Mohamed-Hacene It work with your images on ghcr.

But I think I found a bug, let me explain:

If you modify in docker-compose.yml hostname of containers backend and/or frontend an 500 internal error occur and give this message

Invalid HTTP_HOST header: 'ciso_backend:8000'. The domain name provided is not valid according to RFC 1034/1035.
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/utils/deprecation.py", line 133, in __call__
    response = self.process_request(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/middleware/common.py", line 48, in process_request
    host = request.get_host()
           ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/django/http/request.py", line 151, in get_host
    raise DisallowedHost(msg)
django.core.exceptions.DisallowedHost: Invalid HTTP_HOST header: 'ciso_backend:8000'. The domain name provided is not valid according to RFC 1034/1035.
Bad Request: /api/csrf/

Working when back to backend and frontend hostname.
Maybe a hardcoded value in backend or frontend ?

In my docker-compose.yml there is the ALLOWED_HOST defined on my backend, don't know if this change something.

[EvoXCX]

Oups fail, I get login page but can't login, when I click on login button nothing happen.
Same on password reset page.

Nginx (Reverse) Log

"POST /login?next=/ HTTP/1.1" 403 60 "https://cisoassistant.domain.com/login?next=/" "Mozilla/5.0 (Windows NT 10.0; rv:121.0) Gecko/20100101 Firefox/121.0"

[Mohamed-Hacene]

Hi @EvoXCX,

If nothing happens at login, knowing your error, it's because the frontend can't communicate with the backend (it receives no response) or doesn't get the cookie/session_id to be able to communicate. Could I see your docker-compose.yml to see if everything is ok in the configuration ?

[EvoXCX]

Here is my new configuration

services:
  backend:
    image: ghcr.io/intuitem/ciso-assistant-community/backend:latest
    container_name: ciso_backend
    hostname: backend
    restart: always
    environment:
      - ALLOWED_HOSTS=backend
      - CISO_ASSISTANT_URL=https://cisoassistant.domain.com
      - DJANGO_DEBUG=True
      # DB
      - POSTGRES_NAME=ciso
      - POSTGRES_USER=ciso_user
      - POSTGRES_PASSWORD=<password>
      - DB_HOST=ciso_db
      - DB_PORT=5432
      # Email
      - [email protected]
      - EMAIL_HOST=<smtp_server>
      - EMAIL_PORT=25

  frontend:
    image: ghcr.io/intuitem/ciso-assistant-community/frontend:latest
    container_name: ciso_frontend
    hostname: frontend
    restart: always
    environment:
      - PUBLIC_BACKEND_API_URL=http://backend:8000/api
      - PROTOCOL_HEADER=x-forwarded-proto
      - HOST_HEADER=x-forwarded-host
    depends_on:
      - backend
    ports:
      - 127.0.0.1:3000:3000

  ciso_db:
    image: docker.io/postgres:latest
    container_name: ciso_db
    hostname: ciso_db
    restart: always
    environment:
      - POSTGRES_USER=ciso_user
      - POSTGRES_PASSWORD=<password>
      - POSTGRES_DB=ciso
      - PGDATA=/var/lib/postgres/data
    volumes:
      - /srv/cisoassistant/data:/var/lib/postgres/data

[Mohamed-Hacene]

Ok, at first glance I don't see anything problematic. Could I also see your containers logs when you try to login ?

[ab-smith]

Hello @EvoXCX ,
we’ve switched to prebuilt images with #228 . Update your repo and it should be better.
Regards

[EvoXCX]

Hey @Mohamed-Hacene sorry for the late response but, I updated all images to the latest version and had the same error as described before, can't login.

Here is my log front my backend

2024-04-15T06:53:03.781987Z [info     ] BASE_DIR: /code                [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:03.782307Z [info     ] VERSION: v1.0.8                [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:03.782546Z [info     ] BUILD: 07c5855                 [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:03.783259Z [info     ] DEBUG mode: True               [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:03.783450Z [info     ] CISO_ASSISTANT_URL: https://ciso.domain.com [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:03.783786Z [info     ] ALLOWED_HOSTS: ['backend']     [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:03.784337Z [info     ] DATABASE ENGINE: django.db.backends.postgresql_psycopg2 [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:07.413983Z [info     ] BASE_DIR: /code                [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:07.414237Z [info     ] VERSION: v1.0.8                [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:07.414622Z [info     ] BUILD: 07c5855                 [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:07.415232Z [info     ] DEBUG mode: True               [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:07.415421Z [info     ] CISO_ASSISTANT_URL: https://ciso.domain.com [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:07.415691Z [info     ] ALLOWED_HOSTS: ['backend']     [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:07.415972Z [info     ] DATABASE ENGINE: django.db.backends.postgresql_psycopg2 [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com

36 static files copied to '/code/static'.
2024-04-15T06:53:08.831324Z [info     ] BASE_DIR: /code                [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:08.831592Z [info     ] VERSION: v1.0.8                [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:08.831843Z [info     ] BUILD: 07c5855                 [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:08.832419Z [info     ] DEBUG mode: True               [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:08.832623Z [info     ] CISO_ASSISTANT_URL: https://ciso.domain.com [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:08.832852Z [info     ] ALLOWED_HOSTS: ['backend']     [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:08.833243Z [info     ] DATABASE ENGINE: django.db.backends.postgresql_psycopg2 [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
Operations to perform:
  Apply all migrations: auth, cal, contenttypes, core, iam, sessions
Running migrations:
  No migrations to apply.
startup handler: initialize database
[2024-04-15 06:53:12 +0000] [1] [INFO] Starting gunicorn 21.2.0
[2024-04-15 06:53:12 +0000] [1] [INFO] Listening at: http://0.0.0.0:8000 (1)
[2024-04-15 06:53:12 +0000] [1] [INFO] Using worker: sync
[2024-04-15 06:53:12 +0000] [61] [INFO] Booting worker with pid: 61
2024-04-15T06:53:12.606833Z [info     ] BASE_DIR: /code                [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:12.607093Z [info     ] VERSION: v1.0.8                [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:12.607555Z [info     ] BUILD: 07c5855                 [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:12.608231Z [info     ] DEBUG mode: True               [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:12.608465Z [info     ] CISO_ASSISTANT_URL: https://ciso.domain.com [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:12.608773Z [info     ] ALLOWED_HOSTS: ['backend']     [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:12.609262Z [info     ] DATABASE ENGINE: django.db.backends.postgresql_psycopg2 [ciso_assistant.settings] ciso_assistant_url=https://ciso.domain.com
2024-04-15T06:53:59.602665Z [info     ] request_started                [django_structlog.middlewares.request] ciso_assistant_url=https://ciso.domain.com ip=192.168.112.4 request=GET /api/csrf/ request_id=ce0a837a-dfb3-4bfa-98dc-5d9c42ef6111 user_agent=node user_id=None
2024-04-15T06:53:59.623017Z [info     ] request_finished               [django_structlog.middlewares.request] ciso_assistant_url=https://ciso.domain.com code=200 ip=192.168.112.4 request=GET /api/csrf/ request_id=ce0a837a-dfb3-4bfa-98dc-5d9c42ef6111 user_id=None
2024-04-15T06:53:59.798965Z [info     ] request_started                [django_structlog.middlewares.request] ciso_assistant_url=https://ciso.domain.com ip=192.168.112.4 request=GET /api/csrf/ request_id=7a0953c9-96fb-4f6e-8ab0-3c4c018f184c user_agent=node user_id=None
2024-04-15T06:53:59.802464Z [info     ] request_finished               [django_structlog.middlewares.request] ciso_assistant_url=https://ciso.domain.com code=200 ip=192.168.112.4 request=GET /api/csrf/ request_id=7a0953c9-96fb-4f6e-8ab0-3c4c018f184c user_id=None

There is no log in frontend except this line:

Listening on 0.0.0.0:3000

Here is log from Firefox dev tools about request send when clicked on login

Status
403
Forbidden
VersionHTTP/1.1
Transferred266 B (60 B size)
Referrer Policystrict-origin-when-cross-origin
Request PriorityHighest
DNS ResolutionSystem

I use Nginx as reverse proxy, is something wrong with my proxy_pass config or proxy_header ?

server {
        listen 443 ssl;
        listen [::]:443 ssl;

        ssl_certificate /etc/ssl/ciso/ciso.domain.com.crt;
        ssl_certificate_key /etc/ssl/ciso/ciso.domain.com.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers off;

        add_header Strict-Transport-Security "max-age=63072000" always;

        server_name ciso.domain.com;
        location / {
                proxy_pass      http://127.0.0.1:3000;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

[EvoXCX]

Hey, @Mohamed-Hacene @ab-smith I pulled 1.0.9 and it didn't work neither

[Mohamed-Hacene]

Hey @EvoXCX, could you try to add ORIGIN environment variable inside frontend service, with the same value than CISO_ASSISTANT_URL on backend side. It should be ORIGIN="https://ciso.domain.com" in your case normally.

[EvoXCX]

It work !!!
Thank you @Mohamed-Hacene and @ab-smith 😄