fix: updating path for httpd testing #373

Merged
merged 18 commits into from
Jun 27, 2024

wphyojpl
Collaborator

This is only a test.
No need to merge.
Just need a PR for CI to kick in.

@wphyojpl
Collaborator Author

This is evolving from a test to a real PR.
We have a new endpoint misc/stac_entry. It is supposed to accept the header from UCS.
It will set the cookie and redirect to stac_browser.

UI/UX can hit stac_browser directly from iframe if they want to take care of the cookie part themselves.

I realized that no matter what, we still need a server.
Instead of an express server, we can use the same Fast API.

If we really do need to run this from EC2 / ECS, we can create different Fast API endpoints, and there is only a minimal code change.

@wphyojpl
Collaborator Author

This is getting complicated and long.
First of all: /sbx-uds-dapa is temporarily renamed to /data.

Adding this block in sites-available/unity-cs.conf will allow httpd to forward the requests. But there is an SSL error:

    AH00898: Error during SSL Handshake with remote server returned by /data/misc/stac_entry, referer: https://unitysds.auth.us-west-2.amazoncognito.com/

    ProxyPass "/data/" "https://api.dev.mdps.mcp.nasa.gov/data/"
    ProxyPassReverse "/data/" "https://api.dev.mdps.mcp.nasa.gov/data/"

    #ProxyPass "/data/" "https://1gp9st60gd.execute-api.us-west-2.amazonaws.com/dev/data/"
    #ProxyPassReverse "/data/" "https://1gp9st60gd.execute-api.us-west-2.amazonaws.com/dev/data/"


    <Location /data>
       ProxyPreserveHost on
       AuthType openid-connect
       Require valid-user
    </Location>

There is no solution yet. But one possible cause may be that the certificates of both unitysds.auth.us-west-2.amazoncognito.com and api.dev.mdps.mcp.nasa.gov are in TLS v1.3 while CloudFront only has TLS v1.2.

CloudFront does say it supports it, but I am unsure about it.

So the current route is EC2 (httpd) -> CloudFront -> API Gateway -> Lambda.

When switching to only EC2 (httpd) -> API Gateway -> Lambda, the API Gateway stage becomes a blocker.

EC2 seems like an easier route.

@wphyojpl
Collaborator Author

This is almost done.

  • URL: https://www.dev.mdps.mcp.nasa.gov:4443/data/misc/stac_entry
  • The above URL will redirect to login. After login, it sets the header token value into a cookie and redirects to the stac_browser page.
  • This is deployed using the same docker as "upload / download" image.
  • There is a sample docker-compose file to get it running.
  • It is deployed to EC2, with a security rule opened up to another EC2 where httpd is hosted.
  • httpd config is updated so that /data would redirect to the new EC2 where Fast API docker is running.

Remaining Tasks:

  • Cookie settings might be too relaxed. They should be stricter.
  • It is currently running in http form, not https, in docker.
  • It is not ideal to run in EC2.
  • Need to verify that the security practice is standard.
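
As an added example (not code from this PR or the project), one way to check the "cookie settings might be too relaxed" item is a small Python audit of a `Set-Cookie` header. The cookie name `unity_token`, the sample headers and the one-hour lifetime limit are assumptions; `/data` is the path prefix named in the comments above.

```python
# Added example: audit a Set-Cookie header for a token cookie.
# The cookie name and sample headers are constructed, not taken from the project.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, attrs); attribute keys are lowercased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_set_cookie(header, expected_path="/data", max_age_limit=3600):
    """Return a list of findings; an empty list means no relaxed setting was found."""
    _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: cookie is also sent over plain http")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: page scripts can read the token")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        findings.append("no SameSite: cross-site behaviour is left to the browser default")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None needs Secure: browsers reject this cookie")
    if "domain" in attrs:
        findings.append("Domain set: cookie is also sent to subdomains")
    # An absent Path falls back to the directory of the request URL, so only
    # an explicit Path outside the expected prefix is reported.
    path = attrs.get("path")
    if path is not None and path != expected_path and not path.startswith(expected_path + "/"):
        findings.append("Path wider than %s: cookie sent to unrelated routes" % expected_path)
    max_age = attrs.get("max-age", "")
    if max_age.lstrip("-").isdigit() and int(max_age) > max_age_limit:
        findings.append("Max-Age above %d seconds" % max_age_limit)
    return findings


RELAXED = "unity_token=abc123; Path=/"  # constructed sample
STRICT = "unity_token=abc123; Path=/data; Secure; HttpOnly; SameSite=Strict; Max-Age=900"

if __name__ == "__main__":
    for header in (RELAXED, STRICT):
        print(header)
        for finding in audit_set_cookie(header) or ["ok"]:
            print("  -", finding)
```

If stac_browser has to read the token from JavaScript, `HttpOnly` cannot be set and that finding has to be accepted explicitly. `Secure` only takes effect once the endpoint is reached over https.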

@wphyojpl
Collaborator Author

Hi @ngachung

Added

  • public endpoint on API Gateway listing actual catalog URL (It can be extended independently later)
  • stac_browser expects a setting dictionary at startup to know the URL
  • lambda / docker needs an additional setting which points to the base URL of API Gateway (DAPA_API_URL_BASE: 'https://d3vc8w9zcq658.cloudfront.net/data')
  • stac_browser will hit that URL to load the base catalog array.

@ngachung ngachung merged commit 2ba8105 into develop Jun 27, 2024
1 check passed
@wphyojpl wphyojpl deleted the temp-stac-browser branch June 27, 2024 21:45
@ngachung ngachung mentioned this pull request Jul 1, 2024