Can't get NGINX HTTPS reverse proxy to work with AWS

Archives AWX Project
,
1

Hello,

I set up a NGINX HTTPS reverse proxy to securely access AWX.
I can’t login : the UI says invalid username/password

Environment:

- AWX version: 9.1.1
  • AWX install method: docker on linux
  • Ansible version: 2.8.5
  • Operating System: Debian buster
  • Web Browser: Firefox 73.0.1
  • Nginx 1.14.2
    vhost configuration:

server {

listen 443 ssl http2;

server_name awx.lab-ansible;

access_log /var/log/nginx/awx.access.log;
error_log /var/log/nginx/awx.error.log;

location / {
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://127.0.0.1:8080/;
}

ssl on;
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
ssl_session_timeout 5m;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;

}

The login is refused by the UI, “Invalid username and/or password. Please try again.”
HTTP response analysis says: “403 Forbidden, CSRF verification failed”

2

Hello,

I solved the problem, I’m giving the answer just in case someone else faces it :

AWX was accessed through this chain :

Client machine https://1.20.20.1:12143 → firewall, NAT 1.20.20.1:12143 to 192.168.2.1:443 → Nginx RP → 172.0.0.1:80

PAT makes it impossible to login.

I changed the chain to :
Client machine https://1.20.20.1:443 → firewall, NAT 1.20.20.1:443 to 192.168.2.1:443 → Nginx RP → 172.0.0.1:80

And it works.

I also tried whit the original chain, but adding proxy_set_header X-Forwarded-Port 12143 in NGINX config : doesn’t work.

Should I open a bug report in AWX for that ?