Getting 404 errors when trying to reach _stcore/health and _stcore/allowed_messages_origins using nginx proxy on AWS EC2

pim · February 20, 2023, 1:18pm

After some back and forth I have been able to load the javascript and css files from Streamlit.
However, the application will not load fully and displays “Please Wait”. The cause of which seems to be that 404s are returned for the get requests “/_stcore/health” and “/_stcore/allowed_message_origins”

What I have checked:
I have looked through the deployment list and found many topics that list the “please wait”, but there the causes seems to be different.
Furthermore, many of the articles about this seem to have be written when /healthz was still used, so I have not found useful pointers there.
I have also looked through many articles such as Streamlit, docker, Nginx, ssl/https - Deployment - Streamlit and Streamlit with Nginx. Configuration for Nginx and Streamlit… | by Raja CSP Raman | featurepreneur | Medium, but those all seem not to mention the (new?) /stcore/health check.

My situation:

I am hosting on AWS EC2 (as a proof of concept, will use containers when this this works)
I am behind a nginx proxy. This functions well for a simple flask server, and it does show the streamlit loading page, so connection to streamlit seems to work well
I suspect it might be a SSL issue, as nginx is currently listening on port 80. In AWS I have configured the ALB to use port 443 for ssl.

Nginx relevant parts of config:

location = / {
                proxy_pass http://IP:8502/;
                proxy_http_version 1.1;
                proxy_redirect off;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_read_timeout 86400;
        }

        location ^~ /static {
                proxy_pass http://127.0.0.1:8502/static/;
        }
        location ^~ /vendor {
                proxy_pass http://127.0.0.1:8502/vendor;
        }

       location ^~ /health {
               proxy_pass http://127.0.0.1:8502/_stcore/health;
       }

Here is config.toml

[server]
port=8502 
headless=true
enableCORS=false
enableXsrfProtection=false
enableWebsocketCompression=false

[browser]
serverPort = 443

Streamlit, version 1.18.1

This seems to work for the static folder, but not for the health check (and allowed_messages_origins)

Does anyone have an idea / pointer on how to resolve this?

Any help or ideas would be much appreciated!

ksdaftari · March 7, 2023, 6:39pm

@pim we are running to potential similar issue. curious did you end up getting anything figure out for this, if so would you mind sharing solution?

Think_Big_Data_Analy · March 11, 2023, 6:57pm

@pim I do have the same problem, I running in AWS EKS with nginx for reverse proxy, please let me know if there is any solution for this issue.

pim · March 14, 2023, 1:57pm

Hey @ksdaftari and @Think_Big_Data_Analy

Cool to know you are working on a similar setup.
I’m still working on it, but seem to have a sort-of (though slow and unreliable and not secure) proof of concept up and running.

I ran into so many issues that I am not sure again what fixed what, and probably half of these changes are not even necessary, but here are some things I see that are different than my nginx and config.toml above:

I changed the name of the url that streamlit runs on in config.toml and then added the same url in nginx
I have added the allowed-messages and health and forwarded them to the port
I also (tried to) turn of some of the CSP policies. Of course, my plan is to add this back on when this fully works

server {
    listen       80;
    listen       [::]:80;
    server_name url-that-your-service-will-run-on-example.com www.url-that-your-service-will-run-on-example.com

   location = / {
            proxy_pass http://****:8501/;
            proxy_http_version 1.1;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 86400;

    location ^~ /static {
            proxy_pass http://127.0.0.1:8501/static/;
    }
    location ^~ /vendor {
            proxy_pass http://127.0.0.1:8501/vendor;
    }

    location = /_stcore/health {
            proxy_pass http://******:8501/_stcore/health;
    }

    location = /_stcore/allowed-message-origins {
            proxy_pass http://*******:8501/_stcore/allowed-message-origins;
    }

    location = /_stcore/stream {
            proxy_pass http://*****:8501/_stcore/stream;
            proxy_http_version 1.1;
            proxy_redirect off;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 86400;
    }

    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline';" always;
}

In config.toml

serverAddress = “url-that-your-service-will-run-on-example.com”

Let me know if that helps / gets you a bit closer!