I’m experiencing issues with file uploads in my openBIS instance and would appreciate any guidance.
Setup:
openBIS version: 20.10.12
Deployment: Docker (using the official openbis/openbis-app:20.10.12 image)
Configuration: Using the standard docker-compose.yml and .env files provided by openBIS
Host OS: Ubuntu Server (latest version)
Network: Container exposed on ports 8080 and 8081
Problem: When attempting to upload files through the web interface, the upload fails without a clear error message (Error message: “Upload failed”). There are no error logs in the openBIS application server or datastore server logs.
Browser Console Error: The browser shows a failed HTTPS request to the datastore server:
Request URL: https://<server-ip>/datastore_server/session_workspace_file_upload?filename=...
Status: Failed to load response data
Additionally, there’s a 404 error:
http://<server-ip>:8080/openbis/resources/api/v3/dss/dto/service/id/CustomDssServiceCode.js
Status Code: 404 Not Found
Troubleshooting Already Done:
Fixed FQDN configuration: Changed OPENBIS_FQDN in openbis-app.env from local.openbis.ch to the actual server IP address.
Verified service.properties entries:
host-address = http://<server-ip> (in DSS config)
server-url = http://openbis-app:8080 (internal communication between AS and DSS)
download-url = http://<server-ip> (originally was https://)
Port accessibility: Port 8081 is accessible from external clients:
curl http://<server-ip>:8081/datastore_server/
# Returns: Error: Request URI '/datastore_server' expected to start with '/datastore_server/'
Internal AS↔DSS communication: Both curl tests work inside the container:
curl http://openbis-app:8080/openbis/ # Works
curl http://localhost:8080/openbis/ # Works
Port binding verification: Port 8080 is listening on all interfaces:
tcp6 0 0 :::8080 :::* LISTEN
Modified startup script: Changed the start-openbis.sh script to use http:// instead of https:// for download-url, but the browser still attempts HTTPS connections.
Why is the browser attempting HTTPS connections when download-url is configured to use HTTP?
Is there additional configuration needed in the web application itself to force HTTP for datastore uploads?
Is the 404 error for CustomDssServiceCode.js related to the upload failure, or is it a separate issue?
Should I be using a reverse proxy (nginx/traefik) with SSL termination for production deployments, or is there a way to make HTTP-only uploads work properly?
Hi Olli,
Seems like your configurations are correct in general.
I think you need a webserver with reverse-proxy facing the client to re-route the traffic to as (port 8080) and dss (port 8081).
My test setup uses an apache2 server deployed directly on the host with following config:
apache2/sites-available/vhosts.conf:
In this way, the traffic from client will route from port 443 to either AS or DSS by the webserver and you don’t have to worry about the internal addresses in the openbis-app container.
Thank you so much for your help! Your suggestion to use a reverse proxy was exactly what was needed to solve the problem.
Solution Summary:
I implemented an nginx reverse proxy as an additional Docker container (following the ingress pattern from the official documentation). This resolved all upload issues.
What was causing the problem:
The browser was attempting to make HTTPS requests directly to the datastore server on port 8081, but since openBIS was configured with download-url = https://<server-ip> without an actual HTTPS endpoint on that port, the connection failed silently. The internal communication between AS and DSS was also problematic because the server-url was pointing to external IPs instead of internal Docker hostnames.
Final working configuration:
Added nginx ingress container to docker-compose.yml:
Exposes only ports 80 (HTTP) and 443 (HTTPS) to the outside
Routes /openbis/ → Application Server (port 8080)
Routes /datastore_server/ → Datastore Server (port 8081)
Handles SSL termination at the proxy level
Removed direct port exposure for ports 8080 and 8081 from the openbis-app container (only exposed internally within the Docker network)
Set download-url = https://<server-ip> in both AS and DSS configurations
Set server-url = http://openbis-app:8080 in DSS configuration (for internal AS↔DSS communication using Docker service names)
Now all client requests go through the reverse proxy on port 443, and the proxy forwards them to the appropriate backend service. File uploads work perfectly!
As a workaround while debugging, I also successfully implemented the drop-box feature for server-side file ingestion, which bypasses the web upload mechanism entirely. This proved to be a useful alternative for batch uploads and automated workflows.
Thank you again for pointing me in the right direction with the reverse proxy suggestion. For anyone else experiencing similar issues: the key insight is that browser-based uploads require proper SSL termination and unified routing through a single HTTPS endpoint.
That is indeed the correct approach and I am aware openBIS is still not very clear to setup correctly for first time users. The configuration variables and descriptions are still in some places misleading but we are working to clarify more and more and conversation like this is very helpful to be aware where are obstacles.
I will just add few comments here as perhaps this thread might be useful for future.
we intentionally build everything with https and we will continue more into this direction with all obstacles about certificates, performance and extra layer. Encryption by default is our goal to improve security overall.
there should be never a case to modify start-openbis.sh script, we try to maintain this script very clearly written, obvious and simple. All configuration of openBIS should be finally supported by Docker Environment variables.
we will try to maintain very basic examples of configuration needed for deployment in openBIS Continous Delivery repository, we use it to continous deploy Docker containers of openBIS.
we are working on to provide also a docker container for reverse proxy and/or as an ingress for openBIS Application to make examples even simpler. It will be published in Docker Hub openbis/openbis-ingress - Docker Image