Rasa X docker-compose with nginx on host

[Deprecated] Rasa X Community Edition
1

Hi,

I’m trying to install Rasa X on my Ubuntu 18.04 server using docker-compose. But I want to make one change to the setup: The nginx proxy should run on the host, since I already have nginx running on the host and using port 443, since I use it for multiple services. I also think this is a common pattern and other users might have an interest to do so as well.

I’ve made published the ports of rasa-x and rasa-x-production. And I’ve copied/adapted most of the nginx server-config to my host nginx:

upstream docker-stack {
  server 127.0.0.1:5005 max_fails=0;
}

upstream docker-rasax-api {
  server 127.0.0.1:5002 max_fails=0;
}

server {
  server_name   rasa.example.com;
  listen 443 ssl; # managed by Certbot

  keepalive_timeout   30;
  client_max_body_size 800M;

  location /robots.txt {
    return 200 "User-agent: *\nDisallow: /\n";
  }

  location /core/ {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_pass http://docker-stack/;
  }

  # avoid users having to change how they configure
  # their credentials URLs between Rasa and Rasa X
  location /webhooks/ {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_pass http://docker-stack/webhooks/;
  }

  location /socket.io {
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_pass http://docker-stack/socket.io;
  }
  location /socket.io {
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_pass http://docker-stack/socket.io;
  }

  location /api/ws {
    # following https://www.serverlab.ca/tutorials/linux/web-servers-linux/how-to-configure-nginx-for-websockets/
    # This directive converts the incoming connection to HTTP 1.1, which is
    # required to support WebSockets. The older HTTP 1.0 spec does not provide support
    # for WebSockets, and any requests using HTTP 1.0 will fail.
    proxy_http_version 1.1;
    # Converts the proxied connection to type Upgrade. WebSockets only communicate on
    # Upgraded connections.
    proxy_set_header Upgrade $http_upgrade;
    # Ensure the Connection header value is upgrade
    proxy_set_header Connection "upgrade";

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_pass http://docker-rasax-api/api/ws;
  }

  location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $host;
    proxy_pass http://docker-rasax-api/;
  }

  # pass chat message to production service if environment query parameter
  # is set to `production`, or that parameter isn't set
  location /api/chat$ {
    if ($arg_environment = "") {
        rewrite ^ /core/webhooks/rasa/webhook last;
    }
    if ($arg_environment = "production") {
        rewrite ^ /core/webhooks/rasa/webhook last;
    }
    proxy_pass http://docker-rasax-api/api/chat;
  }

  location /nginx_status {
    stub_status on;

    access_log off;
    allow 127.0.0.1;
    deny all;
  }

  ssl_certificate /etc/letsencrypt/live/rasa.example.com/fullchain.pem; # managed by Certbot
  ssl_certificate_key /etc/letsencrypt/live/rasa.example.com/privkey.pem; # managed by Certbot
  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

  # security headers
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-XSS-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "no-referrer-when-downgrade" always;
  add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

  proxy_pass_header       X-CSRFToken;
  proxy_set_header        Host $http_host;
  proxy_pass_header       Set-Cookie;

}

server {
  if ($host = rasa.example.com) {
      return 301 https://$host$request_uri;
  } # managed by Certbot


  listen        80;
  server_name   rasa.example.com;
  return 404; # managed by Certbot
}

When accessing the site from the browser, it loads favicon, some JS, CSS and images. But the site stays blank. The following JS error is thrown:

Uncaught EvalError: call to eval() blocked by CSP
    srcIndexTs 2.3abaf8aa.chunk.js:2
    n 2.3abaf8aa.chunk.js:2
    factory 2.3abaf8aa.chunk.js:2
    factory 2.3abaf8aa.chunk.js:2
    <anonymous> 2.3abaf8aa.chunk.js:2
    a (index):1
    146 main.78249d7a.chunk.js:2195
    a (index):1
    18 main.78249d7a.chunk.js:10385
    a (index):1
    1934 main.78249d7a.chunk.js:12085
    a (index):1
    t (index):1
    r (index):1
    <anonymous> main.78249d7a.chunk.js:2
2.3abaf8aa.chunk.js:2:386050

Does someone have an idea?

1 Like