Redirection issue on Marimo app deployed behind the proxy

[barseghyanartur]

Describe the bug

I have deployed a Marimo app on Google Cloud Run behind an Nginx proxy. The app runs on port 8081 inside the Docker image.

When I visit the app at https://my-marimo-app.europe-west4.run.app, I get redirected to https://localhost:8081/auth/login?next=https%3A%2F%2Flocalhost%3A8081%2F.

However, if I visit the login page directly at https://my-marimo-app.europe-west4.run.app/auth/login, the app works as expected.

Environment

Marimo app on Google Cloud Run
Nginx proxy

Code to reproduce

No response

[mscolnick]

@barseghyanartur how are you running your marimo app? what is the last line in your dockerfile?

[barseghyanartur]

It's an ENTRYPOINT pointing to a shell script.

The last line of the corresponding shell script is:

exec marimo run app.py --token --token-password "$TOKEN_PASSWORD" --headless -p 8081 --host 0.0.0.0

The Cloud Run config exposes the port 8080, on which Nginx runs.

The Nginx config:

worker_processes auto;
events {
    worker_connections 1024;
}

http {
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 8080;
        server_name _;

        # Increase the client body size if needed
        client_max_body_size 50M;

        # Proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Pass all headers
        proxy_pass_request_headers on;

        # Increase timeouts for long-running requests
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;

        location / {
            proxy_pass http://localhost:8081;

            # Pass authentication token
            proxy_set_header Authorization $http_authorization;

            # Additional headers that might be needed
            proxy_set_header X-Scheme $scheme;

            # Preserve original headers
            proxy_set_header X-Original-URI $request_uri;
        }

        location /media/ {
            alias /usr/share/nginx/html/media/;
            expires 1d;
            add_header Cache-Control "public, max-age=86400";
        }

        # WebSocket specific location
        location /ws {
            proxy_pass http://localhost:8081;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

[dmadisetti]

You should specify proxy:

marimo run app.py --token --token-password "$TOKEN_PASSWORD" --headless -p 8081 --proxy=my-marimo-app.europe-west4.run.app --host 0.0.0.0

Let us know if that works. But also, did you refer to any specific docs when setting this up? wondering if we need to update somewhere

[mscolnick]

If @dmadisetti's suggestion does not work, this seems related: encode/starlette#604, which suggests to add the host as a header in the nginx proxy (which looks like you have done)

[barseghyanartur]

@dmadisetti:

Thanks for the tip. Unfortunately, that doesn't work. I'm still getting redirects to localhost:8081.

I did not refer to a specific section in docs. I've checked the deployment, but specific cloud part was not present, so I went for the Docker setup (Cloud Run). I think it would be useful to add some functional examples of how to do that. Also, a complete example of how to do OAuth (for instance, authenticate with Google account) would be great to include. Token security is very useful, but not as user-friendly as OAuth.

@mscolnick:

Thanks for the heads-up! It's a bit unrelated, but the reason I eventually went for proxy setup is that I couldn't find an easy way to serve media files with Marimo. I saw I can pass bytes to components, but in my case, I want to move more complex JavaScript functionality outside the Marimo and rather serve the extras using iframes from the within Marimo (which works). If putting Marimo behind the proxy doesn't work, my plan B is to simply use buckets (which will work).

Sorry if I overwhelm you with questions. I'm on my learning path. Overal, I'm quite happy with Marimo. Thanks for this amazing project!

[mscolnick]

@barseghyanartur, you might prefer deploying marimo as a route to a FastAPI application: https://docs.marimo.io/guides/deploying/programmatically/

Even if its just one route, you can add your own middleware, such as an OAuth2 middleware in fastapi. You can also add other routes for media files.

Your Docker setup would look similar too, just a different cmd to launch the app (whatever fastapi recommends). Here is a full example

[dmadisetti]

I'm still getting redirects to localhost:8081.

So a bit of a bug (sort of? The behavior is also benign), but this will happen if you do not hit the endpoint with the token too. Are you hitting http://my-marimo-app.europe-west4.run.app?token=my-token or leaving out the token bit in testing?

[barseghyanartur]

I'm still getting redirects to localhost:8081.

So a bit of a bug (sort of? The behavior is also benign), but this will happen if you do not hit the endpoint with the token too. Are you hitting http://my-marimo-app.europe-west4.run.app?token=my-token or leaving out the token bit in testing?

Both (with token or without) redirect to localhost:8081.