Is AWX behind a reverse proxy actually possible?

Is it actually possible to place AWX behind a reverse proxy (of almost any kind) in such a way that TLS terminates at the proxy and hands off to AWX on, say, port 80 at example.com/awx/ so that all AWX features including callbacks work?

If so, would you be willing to share your configuration?

1 Like

Hi!

There seems to be an issue with AWX running from a non-root path; for example, /awx/ would likely cause issues with the way current AWX works.

see these tickets

Thank you, Seth. That’s a shame, but I assume we can hope it might be addressed at some point.

I almost have it running. The only thing that I cannot get to work is the Provisioning Callback.

My AWX instance is on k3s, on a single node (just for training and testing purposes, no production).

I followed https://github.com/kurokobo/awx-on-k3s/blob/main/tips/troubleshooting.md#provisioning-callback-does-not-work, but that didn’t help.

awx.conf

# Redirect plain HTTP to HTTPS
server {
    listen          80;
    server_name     awx.example.net;

    return          301 https://awx.example.net$request_uri;
}

# TLS terminates here; requests are passed on to Traefik on port 8443
server {
    listen          443 ssl;
    server_name     awx.example.net;

    client_max_body_size        16G;

    ssl_certificate             /etc/tls/certificates/_.example.net.crt;
    ssl_certificate_key         /etc/tls/certificates/_.example.net.key;
    ssl_session_timeout         5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    location /websocket/ {
        proxy_pass                  https://localhost:8443;
        proxy_http_version          1.1;
        proxy_buffering             off;
        proxy_set_header            Connection "upgrade";
        proxy_set_header            Upgrade $http_upgrade;
        proxy_set_header            Host $http_host;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header            X-Forwarded-Proto https;
        proxy_set_header            X-Real-IP $remote_addr;
        proxy_read_timeout          86400;
        proxy_redirect              off;
        # The upstream certificate is not verified
        proxy_ssl_verify            off;
        proxy_ssl_session_reuse     on;
        proxy_ssl_server_name       on;
    }

    # Optional optimisation - please refer to
    # http://nginx.org/en/docs/http/configuring_https_servers.html
    # ssl_session_cache         shared:SSL:10m;
    location / {
        proxy_pass                  https://localhost:8443;
        proxy_set_header            Host $http_host;
        proxy_set_header            X-Forwarded-Host $host;
        proxy_set_header            X-Forwarded-Server $host;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header            X-Real-IP $remote_addr;
        proxy_redirect              off;
        proxy_set_header            Connection "upgrade";
        proxy_set_header            Upgrade $http_upgrade;
    }
}

Traefik settings

---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    hostNetwork: true
    ports:
      web:
        exposedPort: 8080
      websecure:
        exposedPort: 8443

Remote Host Headers

[
  "HTTP_TRUE_CLIENT_IP",
  "HTTP_X_FORWARDED_FOR",
  "REMOTE_ADDR",
  "REMOTE_HOST"
]

2 Likes

I could paste kilometers of “almost have it running” :stuck_out_tongue_winking_eye:

It’s the almost bit I’m worried about.

3 Likes

Totally agree, but this was my attempt until yesterday.

Today I got success.

I have added

proxy_set_header                X-Original-Forwarded-For $remote_addr;

to the Nginx configuration and added "HTTP_X_ORIGINAL_FORWARDED_FOR", to the Remote Host Headers.

5 Likes
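
An added example (not part of the original posts and not AWX code): a small audit that checks each Remote Host Headers entry from the thread against the nginx proxy_set_header lines, reporting whether nginx overwrites the value or lets the client's own header through. It models only the nginx hop, not Traefik; the position of the new list entry and all function names are assumptions.

```python
import re

# Constructed sample: the proxy_set_header lines from the thread's nginx
# "location /" block plus the line added in the fix.
NGINX_LOCATION = """
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Original-Forwarded-For $remote_addr;
"""

# Remote Host Headers as posted, with the fix's entry appended
# (its position in the list is an assumption; the thread does not state it).
REMOTE_HOST_HEADERS = [
    "HTTP_TRUE_CLIENT_IP", "HTTP_X_FORWARDED_FOR",
    "REMOTE_ADDR", "REMOTE_HOST", "HTTP_X_ORIGINAL_FORWARDED_FOR",
]

def proxy_headers(conf):
    """Map lower-cased header name -> value from proxy_set_header directives."""
    pat = re.compile(r"^\s*proxy_set_header\s+(\S+)\s+(.+?);\s*$", re.M)
    return {name.lower(): value.strip('"') for name, value in pat.findall(conf)}

def classify(meta_key, set_headers):
    """Say who controls the value the backend sees for one META key."""
    if not meta_key.startswith("HTTP_"):
        return "server-set"            # CGI variable: address of the previous hop
    header = meta_key[5:].replace("_", "-").lower()   # WSGI naming convention
    value = set_headers.get(header)
    if value is None:
        return "client-passthrough"    # nginx forwards the client's header untouched
    if value == "$proxy_add_x_forwarded_for":
        return "client-prefixed"       # client's list with $remote_addr appended
    if value == "$remote_addr":
        return "proxy-overwritten"     # replaced with the TCP peer seen by nginx
    return "other"

def audit(conf, headers):
    set_headers = proxy_headers(conf)
    return {h: classify(h, set_headers) for h in headers}

if __name__ == "__main__":
    for key, verdict in audit(NGINX_LOCATION, REMOTE_HOST_HEADERS).items():
        print(f"{key:32} {verdict}")
```

Entries reported as client-passthrough or client-prefixed carry a value the requester can influence, so either drop them from Remote Host Headers or have the proxy overwrite them with $remote_addr.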

Can we mark this as solved @tonk? Or are you looking for some input from the AWX team on this approach?

As far as I’m concerned this works, so I’m good.
@jpmens is the initial question asker, if he’s good as well then you can close it.

1 Like

Oops, good catch, I’ll wait on that reply :wink:

1 Like

How did you test, @tonk:

  1. example.com/awx or
  2. awx.example.com ?

Ah, stupid question, sorry. You tested the 2nd.

Indeed, the second one.
It doesn’t work when you add an extra path.
