Is AWX behind a reverse proxy actually possible?

Is it actually possible to place AWX behind a reverse proxy (of almost any kind) in such a way as that TLS terminates at the proxy and hands off to AWX on, say, port 80 at example.com/awx/ so that all AWX features including callbacks work?

If so, would you be willing to share your configuration?

Hi!

There seems to be an issue with AWX running from a non-root path; for example, the /awx/ prefix would likely cause issues with the way AWX currently works.

See these tickets:

https://github.com/ansible/awx/issues/13821

https://github.com/ansible/awx/issues/12241

Thank you, Seth. That’s a shame, but I assume we can hope it might be addressed at some point.

I almost have it running. The only thing that I cannot get to work is the Provisioning Callback.

My AWX instance is on k3s, on a single node (just for training and testing purposes, no production).

I followed https://github.com/kurokobo/awx-on-k3s/blob/main/tips/troubleshooting.md#provisioning-callback-does-not-work, but that didn’t help.

awx.conf

```nginx
server {
    listen 80;
    server_name awx.example.net;

    # Redirect plain HTTP to HTTPS
    return 301 https://awx.example.net$request_uri;
}

server {
    listen 443 ssl;
    server_name awx.example.net;

    client_max_body_size 16G;

    ssl_certificate     /etc/tls/certificates/_.example.net.crt;
    ssl_certificate_key /etc/tls/certificates/_.example.net.key;
    ssl_session_timeout 5m;
    # Note: TLSv1 and TLSv1.1 are deprecated; TLSv1.2 (or TLSv1.3) is the usual minimum today
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # AWX live updates use a WebSocket; pass the Upgrade handshake through to Traefik
    location /websocket/ {
        proxy_pass              https://localhost:8443;
        proxy_http_version      1.1;
        proxy_buffering         off;
        proxy_set_header        Connection "upgrade";
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Host $http_host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_read_timeout      86400;
        proxy_redirect          off;
        proxy_ssl_verify        off;
        proxy_ssl_session_reuse on;
        proxy_ssl_server_name   on;
    }

    # Optional optimisation - please refer to
    # http://nginx.org/en/docs/http/configuring_https_servers.html
    # ssl_session_cache shared:SSL:10m;
    location / {
        proxy_pass              https://localhost:8443;
        proxy_set_header        Host $http_host;
        proxy_set_header        X-Forwarded-Host $host;
        proxy_set_header        X-Forwarded-Server $host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_redirect          off;
        proxy_set_header        Connection "upgrade";
        proxy_set_header        Upgrade $http_upgrade;
    }
}
```

Traefik settings

```yaml
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    hostNetwork: true
    ports:
      web:
        exposedPort: 8080
      websecure:
        exposedPort: 8443
```

Remote Host Headers

```json
[
  "HTTP_TRUE_CLIENT_IP",
  "HTTP_X_FORWARDED_FOR",
  "REMOTE_ADDR",
  "REMOTE_HOST"
]
```

I could paste kilometers of “almost have it running” :stuck_out_tongue_winking_eye:

It’s the almost bit I’m worried about.

Totally agree, but this was my attempt until yesterday.

Today I got success.

I have added

```nginx
proxy_set_header X-Original-Forwarded-For $remote_addr;
```

to the Nginx configuration and added `"HTTP_X_ORIGINAL_FORWARDED_FOR",` to the Remote Host Headers.
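Why the extra header makes the callback match, shown as an added example (not code from the thread or from AWX itself): a simplified model of how the provisioning callback collects candidate client addresses from the headers named in Remote Host Headers and compares them with inventory hosts. It assumes the hop between nginx and AWX replaces X-Forwarded-For with nginx's own address, so the original client IP only survives in the custom header; all addresses below are constructed.

```python
# Remote Host Headers from the thread, plus the header that made the callback work.
REMOTE_HOST_HEADERS = [
    "HTTP_X_ORIGINAL_FORWARDED_FOR",
    "HTTP_TRUE_CLIENT_IP",
    "HTTP_X_FORWARDED_FOR",
    "REMOTE_ADDR",
    "REMOTE_HOST",
]


def get_remote_hosts(environ, headers=REMOTE_HOST_HEADERS):
    """Collect every candidate client address from the configured headers.
    Comma-separated values (X-Forwarded-For chains) contribute each entry."""
    remote_hosts = set()
    for header in headers:
        for value in environ.get(header, "").split(","):
            value = value.strip()
            if value:
                remote_hosts.add(value)
    return remote_hosts


def match_callback_host(environ, inventory_hosts, headers=REMOTE_HOST_HEADERS):
    """Return the name of the inventory host whose ansible_host (or name)
    equals one of the addresses seen in the request, else None."""
    candidates = get_remote_hosts(environ, headers)
    for host in inventory_hosts:
        if host.get("ansible_host", host["name"]) in candidates:
            return host["name"]
    return None


# Constructed inventory: the machine that will call back is 198.51.100.7.
INVENTORY = [
    {"name": "web01", "ansible_host": "198.51.100.7"},
    {"name": "db01", "ansible_host": "198.51.100.8"},
]

# Constructed WSGI-style environ as AWX sees it after nginx -> Traefik -> AWX.
# Assumption: the intermediate hop overwrote X-Forwarded-For with nginx's IP,
# so only hop addresses are visible and the callback cannot find the caller.
ENVIRON_BEFORE = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "192.0.2.10"}

# With nginx adding X-Original-Forwarded-For, the real client IP survives the hop.
ENVIRON_AFTER = dict(ENVIRON_BEFORE, HTTP_X_ORIGINAL_FORWARDED_FOR="198.51.100.7")

if __name__ == "__main__":
    print("before:", match_callback_host(ENVIRON_BEFORE, INVENTORY))  # None
    print("after: ", match_callback_host(ENVIRON_AFTER, INVENTORY))   # web01
```

The header only counts if it is also listed in Remote Host Headers; passing the original four-entry list as `headers` makes the "after" request fail to match again.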

Can we mark this as solved @tonk? Or are you looking for some input from the AWX team on this approach?

As far as I’m concerned this works, so I’m good.
@jpmens is the initial question asker, if he’s good as well then you can close it.

Oops, good catch, I’ll wait on that reply :wink:

How did you test, @tonk:

  1. example.com/awx or
  2. awx.example.com ?

Ah, stupid question, sorry. You tested the 2nd.

Indeed, the second one.
It doesn’t work when you add an extra path.