Skip to content
This repository has been archived by the owner on Sep 1, 2022. It is now read-only.

WMS GetMap Request with style=contour Returns Error #1353

Closed
swainn opened this issue Feb 25, 2021 · 14 comments
Closed

WMS GetMap Request with style=contour Returns Error #1353

swainn opened this issue Feb 25, 2021 · 14 comments

Comments

@swainn
Copy link

swainn commented Feb 25, 2021

We have an app deployed in two different systems that leverages the contouring feature of the WMS service provided by TDS. In one of the installations (call it Installation A) it functions as expected:

http:https://tethyswa.servirglobal.net/apps/newgrace/region/?region-select=14

In the other installation (Installation B), the contours and legend graphic requests are failing, but the boxfill image tiles are coming through fine:

https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=12

Installation A uses the 4.6.13 THREDDS Docker and can be accessed here: http:https://tethyswa.servirglobal.net:8383/thredds/catalog.html

Installation B uses the 4.6.14 THREDDS Docker and can be accessed here:
https://tethys-staging.byu.edu/thredds/catalog.html

Here are a few observations from inspecting the GetMap requests being sent to the THREDDS server by the app (Leaflet):

Here is the threddsConfig.xml for site that is not working (Installation B):

<?xml version="1.0" encoding="UTF-8"?>
<threddsConfig>

  <!-- all options are commented out in standard install - meaning use default values -->
  <!-- see http:https://www.unidata.ucar.edu/projects/THREDDS/tech/reference/ThreddsConfigXMLFile.html -->
  <serverInformation>
    <name>THREDDS</name>
    <logoUrl>/thredds/threddsIcon.gif</logoUrl>
    <logoAltText>THREDDS</logoAltText>

    <abstract>Scientific Data</abstract>
    <keywords>meteorology, atmosphere, climate, ocean, earth science</keywords>

    <contact>
      <name>Support</name>
      <organization>My Group</organization>
      <email>[email protected]</email>
      <!--phone></phone-->
    </contact>
    <hostInstitution>
      <name>My Group</name>
      <webSite>http:https://www.my.site/</webSite>
      <logoUrl>myGroup.gif</logoUrl>
      <logoAltText>My Group</logoAltText>
    </hostInstitution>
  </serverInformation>

  <!--
  The <catalogRoot> element:
  For catalogs you don't want visible from the /thredds/catalog.xml chain
  of catalogs, you can use catalogRoot elements. Each catalog root config
  catalog is crawled and used in configuring the TDS.

  <catalogRoot>myExtraCatalog.xml</catalogRoot>
  <catalogRoot>myOtherExtraCatalog.xml</catalogRoot>
  -->

  <!--
   * Setup for generated HTML pages.
   *
   * NOTE: URLs may be absolute or relative, relative URLs must be relative
   * to the webapp URL, i.e., http:https://server:port/thredds/.
    -->
  <htmlSetup>
    <!--
     * CSS documents used in generated HTML pages.
     * The CSS document given in the "catalogCssUrl" element is used for all pages
     * that are HTML catalog views. The CSS document given in the "standardCssUrl"
     * element is used in all other generated HTML pages.
     * -->
    <standardCssUrl>tds.css</standardCssUrl>
    <catalogCssUrl>tdsCat.css</catalogCssUrl>
    <openDapCssUrl>tdsDap.css</openDapCssUrl>

    <!--
     * The Google Analytics Tracking code you would like to use for the
     * webpages associated with THREDDS. This will not track WMS or DAP
     * requests for data, only browsing the catalog.
    -->
    <googleTrackingCode></googleTrackingCode>

  </htmlSetup>

  <!--
    The <TdsUpdateConfig> element controls if and how the TDS checks
    for updates. The default is for the TDS to check for the current
    stable and development release versions, and to log that information
    in the TDS serverStartup.log file as INFO entries.

  <TdsUpdateConfig>
     <logVersionInfo>true</logVersionInfo>
  </TdsUpdateConfig>
  -->

  <!--
   The <CORS> element controls Cross-Origin Resource Sharing (CORS).
   CORS is a way to allow a website (such as THREDDS) to open up access
   to resources to web pages and applications running on a different domain.
   One example would be allowing a web-application to use fonts from
   a separate host. For TDS, this can allow a javascript app running on a
   different site to access data on a THREDDS server.
   For more information see: https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
   The elements below represent defaults. Only the <enabled> tag is required
   to enable CORS. The default allowed origin is '*', which allows sharing
   to any domain.
  -->
  <CORS>
    <enabled>true</enabled>
    <maxAge>1728000</maxAge>
    <allowedMethods>GET</allowedMethods>
    <allowedHeaders>Authorization</allowedHeaders>
    <allowedOrigin>*</allowedOrigin>
  </CORS>

  <!--
   The <CatalogServices> element:
   - Services on local TDS served catalogs are always on.
   - Services on remote catalogs are set with the allowRemote element
   below. They are off by default (recommended).
   -->
  <CatalogServices>
    <allowRemote>false</allowRemote>
  </CatalogServices>

  <!--
  Configuring the CDM (netcdf-java library)
  see http:https://www.unidata.ucar.edu/software/netcdf-java/reference/RuntimeLoading.html

  <nj22Config>
    <ioServiceProvider class="edu.univ.ny.stuff.FooFiles"/>
    <coordSysBuilder convention="foo" class="test.Foo"/>
    <coordTransBuilder name="atmos_ln_sigma_coordinates" type="vertical" class="my.stuff.atmosSigmaLog"/>
    <typedDatasetFactory datatype="Point" class="gov.noaa.obscure.file.Flabulate"/>
  </nj22Config>
  -->

  <!--
  CDM uses the DiskCache directory to store temporary files, like uncompressed files.
  <DiskCache>
    <alwaysUse>false</alwaysUse>
    <scour>1 hour</scour>
    <maxSize>1 Gb</maxSize>
  </DiskCache>
  -->

  <!--
  Caching open NetcdfFile objects.
  default is to allow 50 - 100 open files, cleanup every 11 minutes
  <NetcdfFileCache>
    <minFiles>50</minFiles>
    <maxFiles>100</maxFiles>
    <scour>11 min</scour>
  </NetcdfFileCache>
  -->

  <!--
  The <HTTPFileCache> element:
  allow 10 - 20 open datasets, cleanup every 17 minutes
  used by HTTP Range requests.
  <HTTPFileCache>
    <minFiles>10</minFiles>
    <maxFiles>20</maxFiles>
    <scour>17 min</scour>
  </HTTPFileCache>
  -->

  <!--
  Writing GRIB indexes.
  <GribIndexing>
    <setExtendIndex>false</setExtendIndex>
    <alwaysUseCache>false</alwaysUseCache>
  </GribIndexing>
  -->

  <!--
  Persist joinNew aggregations to named directory. scour every 24 hours, delete stuff older than 90 days
  <AggregationCache>
    <scour>24 hours</scour>
    <maxAge>90 days</maxAge>
  </AggregationCache>
  -->

  <!--
  How to choose the template dataset for an aggregation. latest, random, or penultimate
  <Aggregation>
    <typicalDataset>penultimate</typicalDataset>
  </Aggregation>
  -->

  <!--
  The Netcdf Subset Service is off by default.
  -->
  <NetcdfSubsetService>
    <allow>true</allow>
    <scour>10 min</scour>
    <maxAge>-1 min</maxAge>
  </NetcdfSubsetService>


  <Opendap>
    <ascLimit>50</ascLimit>
    <binLimit>500</binLimit>
    <serverVersion>opendap/3.7</serverVersion>
  </Opendap>


  <!--
  The WCS Service is off by default.
  Also, off by default (and encouraged) is operating on a remote dataset.
  -->
  <WCS>
    <allow>true</allow>
    <allowRemote>false</allowRemote>
    <scour>15 min</scour>
    <maxAge>30 min</maxAge>
  </WCS>

  <WMS>
    <allow>true</allow>
    <allowRemote>true</allowRemote>
    <maxImageWidth>2048</maxImageWidth>
    <maxImageHeight>2048</maxImageHeight>
    <paletteLocationDir>/WEB-INF/palettes</paletteLocationDir>
  </WMS>

  <NCISO>
    <ncmlAllow>true</ncmlAllow>
    <uddcAllow>true</uddcAllow>
    <isoAllow>true</isoAllow>
  </NCISO>

  <!-- To enable ncSOS, uncomment and set to true
  <NCSOS>
    <allow>false</allow>
  </NCSOS>
  -->

  <!-- CatalogGen service is off by default.
  <CatalogGen>
    <allow>false</allow>
  </CatalogGen>
   -->

  <!-- DLwriter service is off by default.
       As is support for operating on remote catalogs.
  <DLwriter>
    <allow>false</allow>
    <allowRemote>false</allowRemote>
  </DLwriter>
   -->

  <!-- DqcService is off by default.
  <DqcService>
    <allow>false</allow>
  </DqcService>
   -->

  <!--
   Link to a Viewer application on the HTML page:
   <Viewer>my.package.MyViewer</Viewer>
   -->

   <!--
   Add a DataSource - essentially an IOSP with access to Servlet request parameters
   <datasetSource>my.package.DatsetSourceImpl</datasetSource>
   -->

  <!--
   set FeatureCollection logging
  <FeatureCollection>
     <RollingFileAppender>
       <MaxFileSize>1 MB</MaxFileSize>
       <MaxBackups>5</MaxBackups>
       <Level>INFO</Level>
     </RollingFileAppender>
  </FeatureCollection>
  -->


</threddsConfig>

Here's the catalog.xml for the non-working site (Installation B):

<?xml version="1.0" encoding="UTF-8"?>
<catalog name="THREDDS Server Default Catalog : You must change this to fit your server!"
         xmlns="http:https://www.unidata.ucar.edu/namespaces/thredds/InvCatalog/v1.0"
         xmlns:xlink="http:https://www.w3.org/1999/xlink"
         xmlns:xsi="http:https://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http:https://www.unidata.ucar.edu/namespaces/thredds/InvCatalog/v1.0
           http:https://www.unidata.ucar.edu/schemas/thredds/InvCatalog.1.0.6.xsd">

  <service name="all" base="" serviceType="compound">
    <service name="odap" serviceType="OpenDAP" base="/thredds/dodsC/" />
    <service name="dap4" serviceType="DAP4" base="/thredds/dap4/" />
    <service name="http" serviceType="HTTPServer" base="/thredds/fileServer/" />
    <service name="wcs" serviceType="WCS" base="/thredds/wcs/" />
    <service name="wms" serviceType="WMS" base="/thredds/wms/" />
    <service name="ncss" serviceType="NetcdfSubset" base="/thredds/ncss/" />
  </service>
  <service name="dap" serviceType="Compound" base="">
    <service name="odap" serviceType="OPENDAP" base="/thredds/dodsC/"/>
    <service name="dap4" serviceType="DAP4" base="/thredds/dap4/"/>
  </service>

  <datasetScan name="mounted thredds_data" ID="testDatasetScan"
               path="data" location="content/data">
    <metadata inherited="true">
      <serviceName>all</serviceName>
      <dataType>Grid</dataType>
    </metadata>

    <filter>
      <include wildcard="*.nc"/>
      <include wildcard="*.nc4"/>
      <include wildcard="*.ncml"/>
      <include wildcard="*.grb"/>
      <include wildcard="*.grib"/>
    </filter>
  </datasetScan>

  <catalogRef xlink:title="Test Enhanced Catalog" xlink:href="enhancedCatalog.xml" name=""/>
</catalog>
@lesserwhirls
Copy link
Collaborator

It does look like it's an issue with the contouring routine. Are there any stacktraces in the log files generated by either TDS? They might show up in the catalina.out log of Tomcat rather than one of the TDS log files.

@swainn
Copy link
Author

swainn commented Feb 25, 2021

None that I can see. Do I need to adjust the log level?

$ tail  *.2021-02-25.log
==> catalina.2021-02-25.log <==
25-Feb-2021 17:42:50.882 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 536 ms
25-Feb-2021 17:42:50.913 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
25-Feb-2021 17:42:50.914 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat
25-Feb-2021 17:42:50.917 SEVERE [Catalina-startStop-1] org.apache.catalina.startup.HostConfig.beforeStart Unable to create directory for deployment: [/usr/local/tomcat/conf/Catalina/localhost]
25-Feb-2021 17:42:50.924 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/thredds]
25-Feb-2021 17:42:58.639 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
25-Feb-2021 17:43:00.983 INFO [localhost-startStop-1] org.hibernate.validator.internal.util.Version.<clinit> HV000001: Hibernate Validator 4.3.2.Final
25-Feb-2021 17:43:04.229 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/thredds] has finished in [13,305] ms
25-Feb-2021 17:43:04.234 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
25-Feb-2021 17:43:04.252 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 13369 ms

==> host-manager.2021-02-25.log <==

==> localhost.2021-02-25.log <==
25-Feb-2021 17:40:06.220 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log Initializing Spring FrameworkServlet 'root'
25-Feb-2021 17:40:06.420 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log Initializing Spring FrameworkServlet 'wms'
25-Feb-2021 17:42:48.025 INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log Destroying Spring FrameworkServlet 'root'
25-Feb-2021 17:42:48.034 INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log Destroying Spring FrameworkServlet 'wms'
25-Feb-2021 17:42:48.046 INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log Closing Spring root WebApplicationContext
25-Feb-2021 17:42:48.681 INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log Shutting down log4j
25-Feb-2021 17:42:59.170 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log No Spring WebApplicationInitializer types detected on classpath
25-Feb-2021 17:42:59.203 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log Initializing Spring root WebApplicationContext
25-Feb-2021 17:43:03.865 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log Initializing Spring FrameworkServlet 'root'
25-Feb-2021 17:43:04.054 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log Initializing Spring FrameworkServlet 'wms'

==> manager.2021-02-25.log <==

@lesserwhirls
Copy link
Collaborator

Hmmm...anything in the TDS log threddsServlet.log?

@swainn
Copy link
Author

swainn commented Feb 25, 2021

As a matter of fact there is:

2021-02-25T23:26:15.085 +0000 [  20604910][   43741] INFO  - threddsServlet - Remote host: 172.17.0.1 - Request: "GET /thredds/wms/data/grace/grace/utah/utah_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=contour%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&numcontours=20&colorscalerange=-25%2C25&time=2002-05-10T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A4326&bbox=-113.90625,37.71859032558816,-112.50000000000001,38.82259097617713 HTTP/1.0"
2021-02-25T23:26:15.122 +0000 [  20604947][   43741] ERROR - thredds.server.wms.ThreddsWmsController - dispatchWmsRequest(): Error:
java.lang.NoClassDefFoundError: Could not initialize class sun.awt.X11FontManager
        at java.lang.Class.forName0(Native Method) ~[?:1.8.0_242]
        at java.lang.Class.forName(Class.java:348) ~[?:1.8.0_242]
        at sun.font.FontManagerFactory$1.run(FontManagerFactory.java:82) ~[?:1.8.0_242]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_242]
        at sun.font.FontManagerFactory.getInstance(FontManagerFactory.java:74) ~[?:1.8.0_242]
        at java.awt.Font.getFont2D(Font.java:491) ~[?:1.8.0_242]
        at java.awt.Font.defaultLineMetrics(Font.java:2180) ~[?:1.8.0_242]
        at java.awt.Font.getLineMetrics(Font.java:2287) ~[?:1.8.0_242]
        at java.awt.font.TextLayout.fastInit(TextLayout.java:598) ~[?:1.8.0_242]
        at java.awt.font.TextLayout.<init>(TextLayout.java:393) ~[?:1.8.0_242]
        at gov.noaa.pmel.sgt.LabelDrawer2.computeFontSize(LabelDrawer2.java:463) ~[SGT_toolkit-3.0.jar:?]
        at gov.noaa.pmel.sgt.LabelDrawer2.getStringWidth(LabelDrawer2.java:537) ~[SGT_toolkit-3.0.jar:?]
        at gov.noaa.pmel.sgt.SGLabel.getStringWidth(SGLabel.java:560) ~[SGT_toolkit-3.0.jar:?]
        at gov.noaa.pmel.sgt.contour.Contour.generateContourLabels(Contour.java:598) ~[SGT_toolkit-3.0.jar:?]
        at gov.noaa.pmel.sgt.GridCartesianRenderer.draw(GridCartesianRenderer.java:369) ~[SGT_toolkit-3.0.jar:?]
        at uk.ac.rdg.resc.ncwms.graphics.ImageProducer.createContourImage(ImageProducer.java:357) ~[ncwms-1.2.tds.4.6.14.jar:1.2.tds.4.6.14]
        at uk.ac.rdg.resc.ncwms.graphics.ImageProducer.createImage(ImageProducer.java:212) ~[ncwms-1.2.tds.4.6.14.jar:1.2.tds.4.6.14]
        at uk.ac.rdg.resc.ncwms.graphics.ImageProducer.addFrame(ImageProducer.java:192) ~[ncwms-1.2.tds.4.6.14.jar:1.2.tds.4.6.14]
        at uk.ac.rdg.resc.ncwms.graphics.ImageProducer.addFrame(ImageProducer.java:167) ~[ncwms-1.2.tds.4.6.14.jar:1.2.tds.4.6.14]
        at uk.ac.rdg.resc.ncwms.controller.AbstractWmsController.getMap(AbstractWmsController.java:567) ~[ncwms-1.2.tds.4.6.14.jar:1.2.tds.4.6.14]
        at thredds.server.wms.ThreddsWmsController.dispatchWmsRequest(ThreddsWmsController.java:179) [classes/:4.6.14]
        at uk.ac.rdg.resc.ncwms.controller.AbstractWmsController.handleRequestInternal(AbstractWmsController.java:207) [ncwms-1.2.tds.4.6.14.jar:1.2.tds.4.6.14]
        at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:174) [spring-webmvc-4.3.20.RELEASE.jar:4.3.20.RELEASE]
        at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:50) [spring-webmvc-4.3.20.RELEASE.jar:4.3.20.RELEASE]
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) [spring-webmvc-4.3.20.RELEASE.jar:4.3.20.RELEASE]
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) [spring-webmvc-4.3.20.RELEASE.jar:4.3.20.RELEASE]
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) [spring-webmvc-4.3.20.RELEASE.jar:4.3.20.RELEASE]
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:861) [spring-webmvc-4.3.20.RELEASE.jar:4.3.20.RELEASE]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:634) [servlet-api.jar:?]
        at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) [spring-webmvc-4.3.20.RELEASE.jar:4.3.20.RELEASE]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) [servlet-api.jar:?]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.51]
        at thredds.servlet.filter.RequestQueryFilter.doFilter(RequestQueryFilter.java:118) [classes/:4.6.14]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.51]
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.51]
        at org.apache.catalina.filters.CorsFilter.handleNonCORS(CorsFilter.java:364) [catalina.jar:8.5.51]
        at org.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:170) [catalina.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.51]
        at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:126) [catalina.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.51]
        at thredds.servlet.filter.RequestCORSFilter.doFilterInternal(RequestCORSFilter.java:49) [classes/:4.6.14]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.20.RELEASE.jar:4.3.20.RELEASE]
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347) [spring-web-4.3.20.RELEASE.jar:4.3.20.RELEASE]
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) [spring-web-4.3.20.RELEASE.jar:4.3.20.RELEASE]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.51]
        at thredds.servlet.filter.RequestPathFilter.doFilter(RequestPathFilter.java:94) [classes/:4.6.14]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.51]
        at thredds.server.RequestBracketingLogMessageFilter.doFilter(RequestBracketingLogMessageFilter.java:81) [classes/:4.6.14]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.51]
        at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) [log4j-web-2.8.2.jar:2.8.2]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.51]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.51]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.51]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.51]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:543) [catalina.jar:8.5.51]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [catalina.jar:8.5.51]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.51]
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:688) [catalina.jar:8.5.51]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.51]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:8.5.51]
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:609) [tomcat-coyote.jar:8.5.51]
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:8.5.51]
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:818) [tomcat-coyote.jar:8.5.51]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1623) [tomcat-coyote.jar:8.5.51]
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.51]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_242]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_242]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.51]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242]

@lesserwhirls
Copy link
Collaborator

This sounds a little similar to this issue:

Unidata/thredds-docker#234

I notice the 404 when doing a transect, which I believe uses the same kind of java 2d calls as the vertical profile (from the issue above) and contour requests. For example, this fails with the 404:

https://tethys-staging.byu.edu/thredds/wms/data/grace/grace/utah/utah_jpl_tot.nc?REQUEST=GetTransect&LAYER=lwe_thickness&CRS=EPSG:4326&ELEVATION=0&TIME=2019-06-16T00:00:00.000Z&LINESTRING=-113.5107421875%2040.93505859375,-110.654296875%2039.462890625,-110.56640625%2039.4189453125&FORMAT=image/png&COLORSCALERANGE=-50,50&NUMCOLORBANDS=20&LOGSCALE=false&PALETTE=rainbow&VERSION=1.1.1

The underlying issue at play in the thredds-docker issue above was related to a libz version mismatch (see Unidata/thredds-docker#234 (comment)). I'm pretty sure that was present in versions 4.6.14 and earlier of the docker container.

@swainn
Copy link
Author

swainn commented Feb 26, 2021

@lesserwhirls do you think upgrading to a newer version of the docker container would resolve this issue?

@lesserwhirls
Copy link
Collaborator

It's worth a try. 4.6.16 is the latest version of the TDS (release a few days ago). I think this issue was fixed in 4.6.15 version of the image, but there are images of both available.

@swainn
Copy link
Author

swainn commented Feb 26, 2021

I just upgraded it to 4.6.15. The legend is now rendering in the app and but the contours are not (https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=24):

image

However, running one of the individual GetMap requests works fine:

https://tethys-staging.byu.edu/thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=contour%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&numcontours=20&colorscalerange=-25%2C25&time=2002-05-10T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A4326&bbox=33.75000000000001,-5.615985819155327,39.37500000000001,0

Any ideas what would cause this behavior?

@swainn
Copy link
Author

swainn commented Feb 26, 2021

Same behavior with 4.6.16.1 version of the docker btw.

@lesserwhirls
Copy link
Collaborator

So the issue we fixed by upgrading was producing a 500 error from the TDS. Based on the response header, we're now getting a 403, which means the server was able to understand the request, but it is refusing to fulfill it. The fact that you can make a direct request means that it's likely the 403 is getting generated somewhere along the connection between Nginx and Tomcat, but likely not at the TDS level. I would suggest looking into the Nginx and Tomcat logs to see if you can get any more information there. It could be something particular to the way your proxy is configured.

@swainn
Copy link
Author

swainn commented Mar 1, 2021
edited
Loading

@lesserwhirls the only thing I saw in the tomcat/nginx logs (/usr/local/tomcat/logs) was the request with result 403 being logged in the localhost_access_log:

I also inspected the threddsServlet.log and saw the 403 being logged at this level, though no errors reported:

2021-03-01T16:37:04.915 +0000 [ 315330378][  110154] INFO  - threddsServlet - Remote host: 172.17.0.1 - Request: "GET /thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=contour%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&numcontours=20&colorscalerange=-25%2C25&time=2002-05-10T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A4326&bbox=67.50000000000001,-21.94304553343818,90,0 HTTP/1.0"
2021-03-01T16:37:04.915 +0000 [ 315330378][  110154] INFO  - threddsServlet - Request Completed - 403 - -1 - 0

Accessing that same endpoint in a new tab (outside of the web app) yields a 200 response:

2021-03-01T16:44:53.334 +0000 [ 315798797][  110203] INFO  - threddsServlet - Remote host: 172.17.0.1 - Request: "GET /thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=contour%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&numcontours=20&colorscalerange=-25%2C25&time=2002-04-16T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A4326&bbox=22.5,0,45,21.94304553343818 HTTP/1.0"
2021-03-01T16:44:53.406 +0000 [ 315798869][  110203] INFO  - threddsServlet - Request Completed - 200 - -1 - 72

How do I configure the log level for the thredds server? Perhaps there would be helpful information in DEBUG logs?

@lesserwhirls
Copy link
Collaborator

I was able to do some more digging, and the root issue appears to be related to a misconfiguration of CORS at the nginx level. Here is what I've found. There is a difference in the request headers used by the frontend app when comparing the successful requests and non-successful request. The key seems to be that when requests made by the webapp set Origin in the header using the https: protocol fail, whereas the successful requests do not. For example, compare this successful request, in which the app does not set the value of the header:

GET /thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=boxfill%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&colorscalerange=-25%2C25&time=2002-05-10T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A3857&bbox=10018754.171394622,-2504688.542848655,12523442.714243278,0 HTTP/1.1
Host: tethys-staging.byu.edu
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
DNT: 1
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: image
Referer: https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=24
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=21E07335DBD7A31871FECBA2C2E5513B; csrftoken=T0s9hQEuPkwJaAy6WsEq3hLvsK1X2u2SBufLXj95ZTC2QeOPnhM64UCYRdbncDoT

with this failing request, which sets the Origin header to https://tethys-staging.byu.edu:

GET /thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=contour%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&numcontours=20&colorscalerange=-25%2C25&time=2002-05-10T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A4326&bbox=22.5,0,45,21.94304553343818 HTTP/1.1
Host: tethys-staging.byu.edu
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
Origin: https://tethys-staging.byu.edu
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36
DNT: 1
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: image
Referer: https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=24
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=21E07335DBD7A31871FECBA2C2E5513B; csrftoken=T0s9hQEuPkwJaAy6WsEq3hLvsK1X2u2SBufLXj95ZTC2QeOPnhM64UCYRdbncDoT

You can see the same behavior using curl. For example, try this script:

#!/usr/bin/env bash

HEADERS=(
    "-H 'Host: tethys-staging.byu.edu'"
    "-H 'Connection: keep-alive'"
    "-H 'Pragma: no-cache'"
    "-H 'Cache-Control: no-cache'"
    "-H 'sec-ch-ua: \"Google Chrome\";v=\"89\", \"Chromium\";v=\"89\", \";Not A Brand\";v=\"99\"'"
    "-H 'sec-ch-ua-mobile: ?0' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36'"
    "-H 'DNT: 1' -H 'Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8'"
    "-H 'Sec-Fetch-Site: same-origin'"
    "-H 'Sec-Fetch-Mode: cors'"
    "-H 'Sec-Fetch-Dest: image'"
    "-H 'Referer: https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=24'"
    "-H 'Accept-Encoding: gzip, deflate, br'"
    "-H 'Accept-Language: en-US,en;q=0.9'"
    "-H 'Cookie: JSESSIONID=21E07335DBD7A31871FECBA2C2E5513B; csrftoken=T0s9hQEuPkwJaAy6WsEq3hLvsK1X2u2SBufLXj95ZTC2QeOPnhM64UCYRdbncDoT'"
)

ORIGIN_HEADER_HTTP="-H \"Origin: http:https://tethys-staging.byu.edu\""
ORIGIN_HEADER_HTTPS="-H \"Origin: https://tethys-staging.byu.edu\""

URL="https://tethys-staging.byu.edu/thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc"

QUERY=(
    "--data-urlencode \"service=WMS\""
    "--data-urlencode \"request=GetMap\""
    "--data-urlencode \"layers=lwe_thickness\""
    "--data-urlencode \"styles=contour/grace\""
    "--data-urlencode \"format=image/png\""
    "--data-urlencode \"transparent=true\""
    "--data-urlencode \"version=1.1.1\""
    "--data-urlencode \"numcontours=20\""
    "--data-urlencode \"colorscalerange=-25,25\""
    "--data-urlencode \"time=2002-05-10T00:00:00.000Z\""
    "--data-urlencode \"width=256\""
    "--data-urlencode \"height=256\""
    "--data-urlencode \"srs=EPSG:4326\""
    "--data-urlencode \"bbox=0,0,22.5,21.94304553343818\""
)

echo ""
echo "##########"
echo "# SUCCESS #"
echo "##########"
echo ""
eval curl -G -v ${HEADERS[@]} $URL ${QUERY[@]}

echo ""
echo "##########"
echo "# SUCCESS #"
echo "##########"
echo ""
eval curl -G -v ${HEADERS[@]} ${ORIGIN_HEADER_HTTP} $URL ${QUERY[@]}

echo ""
echo "######"
echo "# FAIL #"
echo "######"
echo ""
eval curl -G -v ${HEADERS[@]} ${ORIGIN_HEADER_HTTPS} $URL ${QUERY[@]}

Here is the output I see when I run this on my machine:

########
# GOOD #
########

*   Trying 128.187.106.132...
* TCP_NODELAY set
* Connected to tethys-staging.byu.edu (128.187.106.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=tethys-staging.byu.edu
*  start date: Feb 20 16:22:20 2021 GMT
*  expire date: May 21 16:22:20 2021 GMT
*  subjectAltName: host "tethys-staging.byu.edu" matched cert's "tethys-staging.byu.edu"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET /thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=contour%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&numcontours=20&colorscalerange=-25%2C25&time=2002-05-10T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A4326&bbox=0%2C0%2C22.5%2C21.94304553343818 HTTP/1.1
> Host: tethys-staging.byu.edu
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
> sec-ch-ua-mobile: ?0
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36
> DNT: 1
> Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
> Sec-Fetch-Site: same-origin
> Sec-Fetch-Mode: cors
> Sec-Fetch-Dest: image
> Referer: https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=24
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-US,en;q=0.9
> Cookie: JSESSIONID=21E07335DBD7A31871FECBA2C2E5513B; csrftoken=T0s9hQEuPkwJaAy6WsEq3hLvsK1X2u2SBufLXj95ZTC2QeOPnhM64UCYRdbncDoT
>
< HTTP/1.1 200
< Server: nginx/1.14.0 (Ubuntu)
< Date: Mon, 08 Mar 2021 16:57:41 GMT
< Content-Type: image/png
< Transfer-Encoding: chunked
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=0
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< vary: Origin
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 334)
* Failed writing data
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):

########
# GOOD #
########

*   Trying 128.187.106.132...
* TCP_NODELAY set
* Connected to tethys-staging.byu.edu (128.187.106.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=tethys-staging.byu.edu
*  start date: Feb 20 16:22:20 2021 GMT
*  expire date: May 21 16:22:20 2021 GMT
*  subjectAltName: host "tethys-staging.byu.edu" matched cert's "tethys-staging.byu.edu"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET /thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=contour%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&numcontours=20&colorscalerange=-25%2C25&time=2002-05-10T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A4326&bbox=0%2C0%2C22.5%2C21.94304553343818 HTTP/1.1
> Host: tethys-staging.byu.edu
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
> sec-ch-ua-mobile: ?0
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36
> DNT: 1
> Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
> Sec-Fetch-Site: same-origin
> Sec-Fetch-Mode: cors
> Sec-Fetch-Dest: image
> Referer: https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=24
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-US,en;q=0.9
> Cookie: JSESSIONID=21E07335DBD7A31871FECBA2C2E5513B; csrftoken=T0s9hQEuPkwJaAy6WsEq3hLvsK1X2u2SBufLXj95ZTC2QeOPnhM64UCYRdbncDoT
> Origin: http:https://tethys-staging.byu.edu
>
< HTTP/1.1 200
< Server: nginx/1.14.0 (Ubuntu)
< Date: Mon, 08 Mar 2021 16:57:41 GMT
< Content-Type: image/png
< Transfer-Encoding: chunked
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=0
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< vary: Origin
< Access-Control-Allow-Origin: http:https://tethys-staging.byu.edu
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 334)
* Failed writing data
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):

#######
# BAD #
#######

*   Trying 128.187.106.132...
* TCP_NODELAY set
* Connected to tethys-staging.byu.edu (128.187.106.132) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=tethys-staging.byu.edu
*  start date: Feb 20 16:22:20 2021 GMT
*  expire date: May 21 16:22:20 2021 GMT
*  subjectAltName: host "tethys-staging.byu.edu" matched cert's "tethys-staging.byu.edu"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET /thredds/wms/data/grace/grace/kenya/kenya_csr_tot.nc?service=WMS&request=GetMap&layers=lwe_thickness&styles=contour%2Fgrace&format=image%2Fpng&transparent=true&version=1.1.1&numcontours=20&colorscalerange=-25%2C25&time=2002-05-10T00%3A00%3A00.000Z&width=256&height=256&srs=EPSG%3A4326&bbox=0%2C0%2C22.5%2C21.94304553343818 HTTP/1.1
> Host: tethys-staging.byu.edu
> Connection: keep-alive
> Pragma: no-cache
> Cache-Control: no-cache
> sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
> sec-ch-ua-mobile: ?0
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.72 Safari/537.36
> DNT: 1
> Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
> Sec-Fetch-Site: same-origin
> Sec-Fetch-Mode: cors
> Sec-Fetch-Dest: image
> Referer: https://tethys-staging.byu.edu/apps/newgrace/region/?region-select=24
> Accept-Encoding: gzip, deflate, br
> Accept-Language: en-US,en;q=0.9
> Cookie: JSESSIONID=21E07335DBD7A31871FECBA2C2E5513B; csrftoken=T0s9hQEuPkwJaAy6WsEq3hLvsK1X2u2SBufLXj95ZTC2QeOPnhM64UCYRdbncDoT
> Origin: https://tethys-staging.byu.edu
>
< HTTP/1.1 403
< Server: nginx/1.14.0 (Ubuntu)
< Date: Mon, 08 Mar 2021 16:57:41 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Access-Control-Allow-Origin: *
< Strict-Transport-Security: max-age=0
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
<
* Connection #0 to host tethys-staging.byu.edu left intact

I'm not familiar with Nginx, but that's where I would look to investigate the CORS settings that are causing the 403 response.

@swainn swainn mentioned this issue Mar 17, 2021
Closed
@swainn
Copy link
Author

swainn commented Mar 25, 2021

@lesserwhirls thank you for your help. You've been very gracious. It was indeed an issue with our nginx proxy configuration. We resolved it by stripping out the Origin header before sending it on to the thredds container.

@swainn swainn closed this as completed Mar 25, 2021
@swainn
Copy link
Author

swainn commented Mar 25, 2021

Same behavior with 4.6.16.1 version of the docker btw.

Regarding the initial issue, the solution to the contour rendering problem was to upgrade the Docker container to 4.6.15 or 4.6.16.1.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lesserwhirls @swainn