jpmens
(Jan-Piet Mens)
September 20, 2023, 4:32pm
1
Is it actually possible to place AWX behind a reverse proxy (of almost any kind) in such a way as that TLS terminates at the proxy and hands off to AWX on, say, port 80 at example.com/awx/
so that all AWX features including callbacks work?
If so, would you be willing to share your configuration?
1 Like
fosterseth
(Seth Foster)
September 20, 2023, 6:44pm
2
Hi!
There seems to be an issue with AWX running from a non-root path; for example, the /awx/ would likely cause issues with the way current AWX works.
See these tickets:
opened 01:33PM - 07 Apr 23 UTC
type:bug
component:api
component:ui
community
### Please confirm the following
- [X] I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
- [X] I have checked the [current issues](https://github.com/ansible/awx/issues) for duplicates.
- [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.
### Bug Summary
It's a followup to #11342
While some things are still not fixed, like #12127, #12097 or #12241, new features are also not honoring non-root path installations, like #13660 or #13423.
### AWX version
22.0.0
### Select the relevant components
- [X] UI
- [X] API
- [ ] Docs
- [ ] Collection
- [ ] CLI
- [ ] Other
### Installation method
kubernetes
### Modifications
yes
### Ansible version
_No response_
### Operating system
_No response_
### Web browser
_No response_
### Steps to reproduce
deploy latest awx 22.0.0 with /awx ingress_path
### Expected results
all working
### Actual results
websocket, some links and api not working
### Additional information
_No response_
opened 09:01AM - 17 May 22 UTC
component:ui
community
### Please confirm the following
- [X] I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
- [X] I have checked the [current issues](https://github.com/ansible/awx/issues) for duplicates.
- [X] I understand that AWX is open source software provided for free and that I might not receive a timely response.
### Summary
Changes from #11342 and #652 are not full
### AWX version
21.0.0
### Select the relevant components
- [X] UI
- [ ] API
- [ ] Docs
### Installation method
kubernetes
### Modifications
no
### Ansible version
_No response_
### Operating system
_No response_
### Web browser
_No response_
### Steps to reproduce
Deploy AWX with custom `ingress_path: /awx`
### Expected results
websocket should work
### Actual results
```
2022-05-17 08:46:41,031 ERROR [-] daphne.ws_protocol [Failure instance: Traceback: <class 'ValueError'>: No route found for path 'awx/websocket/'.
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/autobahn/websocket/protocol.py:2841:processHandshake
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/txaio/tx.py:366:as_future
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/twisted/internet/defer.py:151:maybeDeferred
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/daphne/ws_protocol.py:72:onConnect
--- <exception caught here> ---
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/twisted/internet/defer.py:151:maybeDeferred
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/daphne/server.py:201:create_application
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/routing.py:54:__call__
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/sessions.py:47:__call__
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/sessions.py:145:__call__
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/sessions.py:169:__init__
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/middleware.py:31:__call__
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/routing.py:150:__call__
]
2022-05-17 08:46:41,031 ERROR [Failure instance: Traceback: <class 'ValueError'>: No route found for path 'awx/websocket/'.
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/autobahn/websocket/protocol.py:2841:processHandshake
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/txaio/tx.py:366:as_future
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/twisted/internet/defer.py:151:maybeDeferred
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/daphne/ws_protocol.py:72:onConnect
--- <exception caught here> ---
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/twisted/internet/defer.py:151:maybeDeferred
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/daphne/server.py:201:create_application
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/routing.py:54:__call__
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/sessions.py:47:__call__
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/sessions.py:145:__call__
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/sessions.py:169:__init__
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/middleware.py:31:__call__
/var/lib/awx/venv/awx/lib64/python3.9/site-packages/channels/routing.py:150:__call__
```
### Additional information
It seems that the issue is in https://github.com/ansible/awx/blob/48b016802c517ff04d1cff4c43e64f17bb77a7a8/awx/main/routing.py
```
websocket_urlpatterns = [
    re_path(r'websocket/$', consumers.EventConsumer),
    re_path(r'websocket/broadcast/$', consumers.BroadcastConsumer),
]
```
From https://docs.djangoproject.com/en/4.0/ref/urls/:
When a route ends with $ the whole requested URL, matching against path_info, must match the regular expression pattern (re.fullmatch() is used).
Replacing with
```
websocket_urlpatterns = [
    re_path(r'websocket/', consumers.EventConsumer),
    re_path(r'websocket/broadcast/', consumers.BroadcastConsumer),
]
```
solves the issue
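The matching rule quoted from the Django documentation in the linked ticket, modelled with plain `re` so the route tables can be compared side by side. This is an added example, not code from AWX, Django or the thread; the `ANCHORED` table and its hard-coded `awx/` prefix are hypothetical, and consumers are represented by their names only.

```python
import re

def route_matches(pattern: str, path: str) -> bool:
    """Model of the quoted rule: a route ending in '$' must fullmatch()
    the path; any other route only needs to be found by search()."""
    rx = re.compile(pattern)
    if pattern.endswith("$"):
        return rx.fullmatch(path) is not None
    return rx.search(path) is not None

def resolve(routes, path):
    """Walk the routes in order and return the first consumer that matches.
    None corresponds to the 'No route found for path' error in the log."""
    for pattern, consumer in routes:
        if route_matches(pattern, path):
            return consumer
    return None

# Route table as quoted from awx/main/routing.py in the ticket.
ORIGINAL = [(r"websocket/$", "EventConsumer"),
            (r"websocket/broadcast/$", "BroadcastConsumer")]
# Replacement proposed in the ticket: the trailing '$' is dropped.
PROPOSED = [(r"websocket/", "EventConsumer"),
            (r"websocket/broadcast/", "BroadcastConsumer")]
# Hypothetical alternative (assumption): optional prefix, both ends anchored.
ANCHORED = [(r"^(?:awx/)?websocket/$", "EventConsumer"),
            (r"^(?:awx/)?websocket/broadcast/$", "BroadcastConsumer")]

# Constructed sample paths, written the way the log shows them (no leading slash).
PATHS = ["websocket/", "awx/websocket/",
         "awx/websocket/broadcast/", "x/websocket/extra"]

def table(routes):
    """Map every sample path to the consumer the route table selects."""
    return {path: resolve(routes, path) for path in PATHS}

if __name__ == "__main__":
    for name, routes in (("original", ORIGINAL),
                         ("proposed", PROPOSED),
                         ("anchored", ANCHORED)):
        print(name, table(routes))
```

In this model the unanchored table accepts the prefixed path, but it also sends `awx/websocket/broadcast/` and any other path containing `websocket/` to the first consumer in the list, so route order and anchoring are worth checking before a change like this is carried in a deployment.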
jpmens
(Jan-Piet Mens)
September 20, 2023, 8:08pm
3
Thank you, Seth. That’s a shame, but I assume we can hope it might be addressed at some point.
tonk
(Ton Kersten)
September 21, 2023, 5:53am
4
I almost have it running. The only thing that I cannot get to work is the Provisioning Callback.
My AWX instance is on k3s, on a single node (just for training and testing purposes, no production).
I followed https://github.com/kurokobo/awx-on-k3s/blob/main/tips/troubleshooting.md#provisioning-callback-does-not-work , but that didn’t help.
awx.conf
```
# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name awx.example.net;
    return 301 https://awx.example.net$request_uri;
}

# TLS terminates here; requests are handed to the ingress on localhost:8443
server {
    listen 443 ssl;
    server_name awx.example.net;
    client_max_body_size 16G;

    ssl_certificate /etc/tls/certificates/_.example.net.crt;
    ssl_certificate_key /etc/tls/certificates/_.example.net.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # WebSocket traffic: HTTP/1.1 with the Upgrade handshake passed through
    location /websocket/ {
        proxy_pass https://localhost:8443;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 86400;
        proxy_redirect off;
        proxy_ssl_verify off;
        proxy_ssl_session_reuse on;
        proxy_ssl_server_name on;
    }

    # Optional optimisation - please refer to
    # http://nginx.org/en/docs/http/configuring_https_servers.html
    # ssl_session_cache shared:SSL:10m;

    # Everything else (UI, API, callbacks)
    location / {
        proxy_pass https://localhost:8443;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;
    }
}
```
Traefik settings
```
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    hostNetwork: true
    ports:
      web:
        exposedPort: 8080
      websecure:
        exposedPort: 8443
```
Remote Host Headers
```
[
  "HTTP_TRUE_CLIENT_IP",
  "HTTP_X_FORWARDED_FOR",
  "REMOTE_ADDR",
  "REMOTE_HOST"
]
```
2 Likes
jpmens
(Jan-Piet Mens)
September 21, 2023, 6:21am
5
I could paste kilometers of “almost have it running”.
It’s the almost bit I’m worried about.
3 Likes
tonk
(Ton Kersten)
September 21, 2023, 6:26am
6
Totally agree, but this was my attempt until yesterday.
Today I got success.
I have added
```
proxy_set_header X-Original-Forwarded-For $remote_addr;
```
to the Nginx configuration and added `"HTTP_X_ORIGINAL_FORWARDED_FOR",` to the Remote Host Headers.
5 Likes
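A check on the header setup from the two posts above: which Remote Host Headers entries still carry a value chosen by the client once the request has passed the nginx hop. This is an added example, not part of the thread and not AWX or nginx code; it models only the `proxy_set_header` lines shown, leaves out the Traefik ingress behind nginx, and the position of the new entry in `FIXED_LIST` and all addresses are constructed.

```python
# proxy_set_header lines from the thread, keyed by the name the header
# has in Django's request.META (X-Real-IP -> HTTP_X_REAL_IP, and so on).
NGINX_SETS = {
    "HTTP_X_FORWARDED_FOR": "$proxy_add_x_forwarded_for",
    "HTTP_X_REAL_IP": "$remote_addr",
    "HTTP_X_ORIGINAL_FORWARDED_FOR": "$remote_addr",  # line added in post 6
}

def upstream_meta(client_meta, remote_addr, proxy_addr="127.0.0.1"):
    """Headers the backend sees after nginx has applied NGINX_SETS."""
    meta = dict(client_meta)  # nginx passes request headers it is not told to set
    for key, variable in NGINX_SETS.items():
        if variable == "$proxy_add_x_forwarded_for" and key in client_meta:
            # Appends to whatever the client sent instead of replacing it.
            meta[key] = f"{client_meta[key]}, {remote_addr}"
        else:
            meta[key] = remote_addr  # overwritten with the TCP peer address
    meta["REMOTE_ADDR"] = proxy_addr  # socket peer of the backend is the proxy
    return meta

def client_influenced(remote_host_headers):
    """Entries whose value still contains client-supplied data upstream."""
    probe = "198.51.100.99"  # constructed value sent in every HTTP_* entry
    sent = {k: probe for k in remote_host_headers if k.startswith("HTTP_")}
    seen = upstream_meta(sent, remote_addr="203.0.113.7")
    return [k for k in remote_host_headers if probe in seen.get(k, "")]

# List from post 4 plus the entry from post 6 (its position is an assumption).
FIXED_LIST = [
    "HTTP_X_ORIGINAL_FORWARDED_FOR",
    "HTTP_TRUE_CLIENT_IP",
    "HTTP_X_FORWARDED_FOR",
    "REMOTE_ADDR",
    "REMOTE_HOST",
]

if __name__ == "__main__":
    print("client-influenced entries:", client_influenced(FIXED_LIST))
```

Entries the check reports are candidates for removal from the list, or for an explicit `proxy_set_header` at the proxy, so that the callback host is identified only from values the proxy itself wrote.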
gwmngilfen
(Greg Sutcliffe)
October 6, 2023, 8:59am
7
Can we mark this as solved @tonk ? Or are you looking for some input from the AWX team on this approach?
tonk
(Ton Kersten)
October 6, 2023, 9:14am
8
As far as I’m concerned this works, so I’m good.
@jpmens is the initial question asker, if he’s good as well then you can close it.
1 Like
gwmngilfen
(Greg Sutcliffe)
October 6, 2023, 9:15am
9
Oops, good catch, I’ll wait on that reply
1 Like
jpmens
(Jan-Piet Mens)
October 7, 2023, 1:27pm
10
How did you test, @tonk :
example.com/awx
or
awx.example.com
?
Ah, stupid question, sorry. You tested the 2nd.
tonk
(Ton Kersten)
October 7, 2023, 1:40pm
11
Indeed, the second one.
It doesn’t work when you add an extra path.
system
(system)
Closed
November 6, 2023, 1:40pm
12
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.