csrf Forbidden on install behind nginx reverse proxy

Thank you for looking at this.

I am very new to kubes and awx. I installed awx-operator from devel branch.
When I go to log in now, I get an error “Error logging in.”

kubectl logs -f deployments/awx-web -c awx-web

0.244.0.1 - - [19/May/2023:15:40:50 +0000] “GET /api/login/ HTTP/1.0” 200 5710 “https://awx.myserver.com/” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36” “-”
[pid: 37|app: 0|req: 23/114] 10.244.0.1 () {64 vars in 1320 bytes} [Fri May 19 15:40:50 2023] GET /api/login/ => generated 5710 bytes in 176 msecs (HTTP/1.0 200) 10 headers in 460 bytes (1 switches on core 0)
2023-05-19 15:40:50,493 WARNING [0652b6c133e642d58498550ce562ebd3] django.security.csrf Forbidden (Origin checking failed - https://awx.myserver.com does not match any trusted origins.): /api/login/
[pid: 37|app: 0|req: 24/115] 10.244.0.1 () {70 vars in 1475 bytes} [Fri May 19 15:40:50 2023] POST /api/login/ => generated 1019 bytes in 51 msecs (HTTP/1.0 403) 7 headers in 276 bytes (1 switches on core 0)
10.244.0.1 - - [19/May/2023:15:40:50 +0000] “POST /api/login/ HTTP/1.0” 403 1019 “https://awx.myserver.com/” “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36” “-”

I made a new user with password with “kubectl exec awx-operator-controller-manager-845fcfddfd-lm5kc – --container -it awx-manage createsuperuser”

awx-operator 2.2.1.
awx.yml —
apiVersion: awx.ansible.com/v1beta1
kind: AWX
metadata:
  name: awx
spec:
  ingress_type: ingress
  hostname: awx.myserver.com
  csrf_cookie_secure: 'False'
  service_type: nodeport

On the host, nginx reverse proxy is installed with a certbot cert for awx.myserver.com.

Can you help me with the reverse proxy setup? I’m sure it’s some easy TLS thing, but I can’t seem to get it right because of my unfamiliarity with the project.

There is a known issue around this. You might fix this by adding your proxy server name to the CSRF_TRUSTED_ORIGINS, e.g.

CSRF_TRUSTED_ORIGINS = ['https://awx.myserver.com']

I tried passing that into extra_settings via the operator but couldn’t figure out the right way to get it to render correctly :confused:

We plan to add this as a setting in the API

Where do I add it?

It is a Django setting.

Generally the way to pass it is through the extra_settings on the AWX spec: https://github.com/ansible/awx-operator#extra-settings

But because this is a list of strings, it is tricky to get the exact syntax right.

Okay, you can do it via extra settings like this:

extra_settings:

give that a shot

Sadly, I’ve tried every way I can to add CSRF_TRUSTED_ORIGINS and can’t seem to get django to NOT error in this way. I don’t want awx-operator to handle my nginx. I have my own reverse proxy.

I also get django.request Not Found: /.well-known/acme-challenge/A0DTIVLvld2sTIgGjhtOWfc4iIltKus2HYY-rRTsZH8 errors.

can’t seem to get django to NOT error in this way

What errors are you seeing?

Here are some other users with the same problem; it seems passing the CSRF_TRUSTED_ORIGINS helped in their case:
https://github.com/ansible/awx/issues/14024#issuecomment-1557919352
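
Why the log above reports "Origin checking failed" and what each setting changes, as an added example that is not from the thread or the AWX project: a simplified Python model of Django's Origin check. It goes beyond the thread by also covering wildcard entries and Django's SECURE_PROXY_SSL_HEADER setting. The function names, the forwarded Host value and the X-Forwarded-Proto header are assumptions.

```python
from urllib.parse import urlsplit

def request_scheme(wsgi_scheme, meta, secure_proxy_ssl_header=None):
    """Scheme as the app sees it; the proxy header counts only if configured."""
    if secure_proxy_ssl_header:
        name, secure_value = secure_proxy_ssl_header
        value = meta.get(name)
        if value is not None:
            return "https" if value.split(",", 1)[0].strip() == secure_value else "http"
    return wsgi_scheme

def origin_verified(origin, host, scheme, trusted_origins=()):
    """Simplified model of the Origin check behind the logged 403."""
    # 1. Same origin: the scheme the app believes it is served on + Host header.
    if origin == f"{scheme}://{host}":
        return True
    # 2. Exact match against CSRF_TRUSTED_ORIGINS (the scheme is part of the entry).
    if origin in [t for t in trusted_origins if "*" not in t]:
        return True
    # 3. Wildcard entries such as "https://*.myserver.com".
    parsed = urlsplit(origin)
    for entry in (t for t in trusted_origins if "*" in t):
        pattern = urlsplit(entry)
        suffix = pattern.netloc.lstrip("*")  # e.g. ".myserver.com"
        if parsed.scheme == pattern.scheme and suffix.startswith(".") and (
            parsed.netloc.endswith(suffix) or parsed.netloc == suffix[1:]
        ):
            return True
    return False

# Constructed request: browser on HTTPS, proxy terminates TLS and forwards plain HTTP.
ORIGIN = "https://awx.myserver.com"
HOST = "awx.myserver.com"                   # assumes the proxy forwards the public Host
META = {"HTTP_X_FORWARDED_PROTO": "https"}  # assumes the proxy sets this header itself

def scenarios():
    plain = request_scheme("http", META)    # proxy header is ignored by default
    proxied = request_scheme("http", META, ("HTTP_X_FORWARDED_PROTO", "https"))
    return {
        "no_trusted_origins": origin_verified(ORIGIN, HOST, plain),
        "trusted_exact": origin_verified(ORIGIN, HOST, plain, ["https://awx.myserver.com"]),
        "trusted_without_scheme": origin_verified(ORIGIN, HOST, plain, ["awx.myserver.com"]),
        "trusted_wildcard": origin_verified(ORIGIN, HOST, plain, ["https://*.myserver.com"]),
        "proxy_ssl_header": origin_verified(ORIGIN, HOST, proxied),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24} {'accepted' if ok else '403 Forbidden'}")
```

Trusting X-Forwarded-Proto is only safe when the reverse proxy overwrites that header on every request, so a client cannot supply its own value.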