-
Notifications
You must be signed in to change notification settings - Fork 179
WMS GetMap Request with style=contour Returns Error #1353
Comments
It does look like it's an issue with the contouring routine. Are there any stacktraces in the log files generated by either TDS? They might show up in the |
None that I can see. Do I need to adjust the log level?
|
Hmmm...anything in the TDS log |
As a matter of fact there is:
|
This sounds a little similar to this issue: I notice the 404 when doing a transect, which I believe uses the same kind of java 2d calls as the vertical profile (from the issue above) and contour requests. For example, this fails with the 404: The underlying issue at play in the thredds-docker issue above was related to a libz version mismatch (see Unidata/thredds-docker#234 (comment)). I'm pretty sure that was present in versions 4.6.14 and earlier of the docker container. |
@lesserwhirls do you think upgrading to a newer version of the docker container would resolve this issue? |
It's worth a try. |
I just upgraded it to However, running one of the individual GetMap requests works fine: Any ideas what would cause this behavior? |
Same behavior with |
So the issue we fixed by upgrading was producing a 500 error from the TDS. Based on the response header, we're now getting a 403, which means the server was able to understand the request, but it is refusing to fulfill it. The fact that you can make a direct request means that it's likely the 403 is getting generated somewhere along the connection between Nginx and Tomcat, but likely not at the TDS level. I would suggest looking into the Nginx and Tomcat logs to see if you can get any more information there. It could be something particular to the way your proxy is configured. |
@lesserwhirls the only thing I saw in the tomcat/nginx logs ( I also inspected the
Accessing that same endpoint in a new tab (outside of the web app) yields a
How do I configure the log level for the thredds server? Perhaps there would be helpful information in DEBUG logs? |
I was able to do some more digging, and the root issue appears to be related to a misconfiguration of CORS at the nginx level. Here is what I've found. There is a difference in the request headers used by the frontend app when comparing the successful requests and non-successful request. The key seems to be that when requests made by the webapp set
with this failing request, which sets the
You can see the same behavior using curl. For example, try this script: #!/usr/bin/env bash
HEADERS=(
"-H 'Host: tethys-staging.byu.edu'"
"-H 'Connection: keep-alive'"
"-H 'Pragma: no-cache'"
"-H 'Cache-Control: no-cache'"
"-H 'sec-ch-ua: \"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"'"
"-H 'sec-ch-ua-mobile: ?0' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36'"
"-H 'DNT: 1' -H 'Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8'"
"-H 'Sec-Fetch-Site: same-origin'"
"-H 'Sec-Fetch-Mode: cors'"
"-H 'Sec-Fetch-Dest: image'"
"-H 'Referer: https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=24'"
"-H 'Accept-Encoding: gzip, deflate, br'"
"-H 'Accept-Language: en-US,en;q=0.9'"
"-H 'Cookie: JSESSIONID=21E07335DBD7A31871FECBA2C2E5513B; csrftoken=T0s9hQEuPkwJaAy6WsEq3hLvsK1X2u2SBufLXj95ZTC2QeOPnhM64UCYRdbncDoT'"
)
ORIGIN_HEADER_HTTP="-H \"Origin: http:https://tethys-staging.byu.edu\""
ORIGIN_HEADER_HTTPS="-H \"Origin: https://tethys-staging.byu.edu\""
URL="https://tethys-staging.byu.edu/thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc"
QUERY=(
"--data-urlencode \"service=WMS\""
"--data-urlencode \"request=GetMap\""
"--data-urlencode \"layers=lwe_thickness\""
"--data-urlencode \"styles=contour/grace\""
"--data-urlencode \"format=image/png\""
"--data-urlencode \"transparent=true\""
"--data-urlencode \"version=1.1.1\""
"--data-urlencode \"numcontours=20\""
"--data-urlencode \"colorscalerange=-25,25\""
"--data-urlencode \"time=2002-05-10T00:00:00.000Z\""
"--data-urlencode \"width=256\""
"--data-urlencode \"height=256\""
"--data-urlencode \"srs=EPSG:4326\""
"--data-urlencode \"bbox=0,0,22.5,21.94304553343818\""
)
echo ""
echo "##########"
echo "# SUCCESS #"
echo "##########"
echo ""
eval curl -G -v ${HEADERS[@]} $URL ${QUERY[@]}
echo ""
echo "##########"
echo "# SUCCESS #"
echo "##########"
echo ""
eval curl -G -v ${HEADERS[@]} ${ORIGIN_HEADER_HTTP} $URL ${QUERY[@]}
echo ""
echo "######"
echo "# FAIL #"
echo "######"
echo ""
eval curl -G -v ${HEADERS[@]} ${ORIGIN_HEADER_HTTPS} $URL ${QUERY[@]} Here is the output I see when I run this on my machine: ########
# GOOD #
########
* Trying 128.187.106.132...
* TCP_NODELAY set
* Connected to tethys-staging.byu.edu (128.187.106.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=tethys-staging.byu.edu
* start date: Feb 20 16:22:20 2021 GMT
* expire date: May 21 16:22:20 2021 GMT
* subjectAltName: host "tethys-staging.byu.edu" matched cert's "tethys-staging.byu.edu"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> GET /thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=contour%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&numcontours=20&colorscalerange=-25%2C25&time=2002-05-10T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A4326&bbox=0%2C0%2C22.5%2C21.94304553343818 HTTP/1.1
> Host: tethys-staging.byu.edu
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
> sec-ch-ua-mobile: ?0
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36
> DNT: 1
> Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
> Sec-Fetch-Site: same-origin
> Sec-Fetch-Mode: cors
> Sec-Fetch-Dest: image
> Referer: https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=24
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-US,en;q=0.9
> Cookie: JSESSIONID=21E07335DBD7A31871FECBA2C2E5513B; csrftoken=T0s9hQEuPkwJaAy6WsEq3hLvsK1X2u2SBufLXj95ZTC2QeOPnhM64UCYRdbncDoT
>
< HTTP/1.1 200
< Server: nginx/1.14.0 (Ubuntu)
< Date: Mon, 08 Mar 2021 16:57:41 GMT
< Content-Type: image/png
< Transfer-Encoding: chunked
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=0
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< vary: Origin
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 334)
* Failed writing data
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
########
# GOOD #
########
* Trying 128.187.106.132...
* TCP_NODELAY set
* Connected to tethys-staging.byu.edu (128.187.106.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=tethys-staging.byu.edu
* start date: Feb 20 16:22:20 2021 GMT
* expire date: May 21 16:22:20 2021 GMT
* subjectAltName: host "tethys-staging.byu.edu" matched cert's "tethys-staging.byu.edu"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> GET /thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=contour%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&numcontours=20&colorscalerange=-25%2C25&time=2002-05-10T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A4326&bbox=0%2C0%2C22.5%2C21.94304553343818 HTTP/1.1
> Host: tethys-staging.byu.edu
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
> sec-ch-ua-mobile: ?0
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36
> DNT: 1
> Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
> Sec-Fetch-Site: same-origin
> Sec-Fetch-Mode: cors
> Sec-Fetch-Dest: image
> Referer: https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=24
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-US,en;q=0.9
> Cookie: JSESSIONID=21E07335DBD7A31871FECBA2C2E5513B; csrftoken=T0s9hQEuPkwJaAy6WsEq3hLvsK1X2u2SBufLXj95ZTC2QeOPnhM64UCYRdbncDoT
> Origin: http:https://tethys-staging.byu.edu
>
< HTTP/1.1 200
< Server: nginx/1.14.0 (Ubuntu)
< Date: Mon, 08 Mar 2021 16:57:41 GMT
< Content-Type: image/png
< Transfer-Encoding: chunked
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=0
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< vary: Origin
< Access-Control-Allow-Origin: http:https://tethys-staging.byu.edu
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 334)
* Failed writing data
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
#######
# BAD #
#######
* Trying 128.187.106.132...
* TCP_NODELAY set
* Connected to tethys-staging.byu.edu (128.187.106.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=tethys-staging.byu.edu
* start date: Feb 20 16:22:20 2021 GMT
* expire date: May 21 16:22:20 2021 GMT
* subjectAltName: host "tethys-staging.byu.edu" matched cert's "tethys-staging.byu.edu"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> GET /thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=contour%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&numcontours=20&colorscalerange=-25%2C25&time=2002-05-10T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A4326&bbox=0%2C0%2C22.5%2C21.94304553343818 HTTP/1.1
> Host: tethys-staging.byu.edu
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
> sec-ch-ua-mobile: ?0
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36
> DNT: 1
> Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
> Sec-Fetch-Site: same-origin
> Sec-Fetch-Mode: cors
> Sec-Fetch-Dest: image
> Referer: https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=24
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-US,en;q=0.9
> Cookie: JSESSIONID=21E07335DBD7A31871FECBA2C2E5513B; csrftoken=T0s9hQEuPkwJaAy6WsEq3hLvsK1X2u2SBufLXj95ZTC2QeOPnhM64UCYRdbncDoT
> Origin: https://tethys-staging.byu.edu
>
< HTTP/1.1 403
< Server: nginx/1.14.0 (Ubuntu)
< Date: Mon, 08 Mar 2021 16:57:41 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=0
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
<
* Connection #0 to host tethys-staging.byu.edu left intact I'm not familiar with Nginx, but that's where I would look to investigate the CORS settings that are causing the |
@lesserwhirls thank you for your help. You've been very gracious. It was indeed an issue with our nginx proxy configuration. We resolved it by stripping out the Origin header before sending it on to the thredds container. |
Regarding the initial issue, the solution to the contour rendering problem was to upgrade the Docker container to 4.6.15 or 4.6.16.1. |
We have an app deployed in two different systems that leverages the contouring feature of the WMS service provided by TDS. In one of the installations (call it Installation A) it functions as expected:
http:https://tethyswa.servirglobal.net/apps/newgrace/region/?region-select=14
In the other installation (Installation B), the contours and legend graphic requests are failing, but the boxfill image tiles are coming through fine:
https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=12
Installation A uses the 4.6.13 THREDDS Docker and can be accessed here: http:https://tethyswa.servirglobal.net:8383/thredds/catalog.html
Installation B uses the 4.6.14 THREDDS Docker and can be accessed here:
https://tethys-staging.byu.edu/thredds/catalog.html
Here are a few observations from inspecting the GetMap requests being sent to the THREDDS server by the app (Leaflet):
-The GetLegendGraphic request is also failing with an error:
Here is the threddsConfig.xml for site that is not working (Installation B):
Here's the catalog.xml for the non-working site (Installation B):
The text was updated successfully, but these errors were encountered: