jpmens
(Jan-Piet Mens)
September 20, 2023, 4:32pm
1
Is it actually possible to place AWX behind a reverse proxy (of almost any kind) in such a way that TLS terminates at the proxy and hands off to AWX on, say, port 80 at example.com/awx/ so that all AWX features including callbacks work?
If so, would you be willing to share your configuration?
1 Like
fosterseth
(Seth Foster)
September 20, 2023, 6:44pm
2
Hi!
There seems to be an issue with AWX running from a non-root path; for example, the /awx/ would likely cause issues with the way current AWX works.
See these tickets:
https://github.com/ansible/awx/issues/13821
https://github.com/ansible/awx/issues/12241
jpmens
(Jan-Piet Mens)
September 20, 2023, 8:08pm
3
Thank you, Seth. That’s a shame, but I assume we can hope it might be addressed at some point.
tonk
(Ton Kersten)
September 21, 2023, 5:53am
4
I almost have it running. The only thing that I cannot get to work is the Provisioning Callback.
My AWX instance is on k3s, on a single node (just for training and testing purposes, no production).
I followed https://github.com/kurokobo/awx-on-k3s/blob/main/tips/troubleshooting.md#provisioning-callback-does-not-work , but that didn’t help.
awx.conf
server {
    listen 80;
    server_name awx.example.net;
    return 301 https://awx.example.net$request_uri;
}
server {
    listen 443 ssl;
    server_name awx.example.net;
    client_max_body_size 16G;
    ssl_certificate /etc/tls/certificates/_.example.net.crt;
    ssl_certificate_key /etc/tls/certificates/_.example.net.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location /websocket/ {
        proxy_pass https://localhost:8443;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 86400;
        proxy_redirect off;
        proxy_ssl_verify off;
        proxy_ssl_session_reuse on;
        proxy_ssl_server_name on;
    }
    # Optional optimisation - please refer to
    # http://nginx.org/en/docs/http/configuring_https_servers.html
    # ssl_session_cache shared:SSL:10m;
    location / {
        proxy_pass https://localhost:8443;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
        proxy_set_header Connection "upgrade";
        proxy_set_header Upgrade $http_upgrade;
    }
}
Traefik settings
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    hostNetwork: true
    ports:
      web:
        exposedPort: 8080
      websecure:
        exposedPort: 8443
Remote Host Headers
[
"HTTP_TRUE_CLIENT_IP",
"HTTP_X_FORWARDED_FOR",
"REMOTE_ADDR",
"REMOTE_HOST"
]
2 Likes
jpmens
(Jan-Piet Mens)
September 21, 2023, 6:21am
5
I could paste kilometers of “almost have it running”.
It’s the almost bit I’m worried about.
3 Likes
tonk
(Ton Kersten)
September 21, 2023, 6:26am
6
Totally agree, but this was my attempt until yesterday.
Today I got success.
I have added
proxy_set_header X-Original-Forwarded-For $remote_addr;
to the Nginx configuration and added "HTTP_X_ORIGINAL_FORWARDED_FOR", to the Remote Host Headers.
5 Likes
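An added illustration (not written by any poster in this thread, and not AWX code): a simplified Python model of why the extra header in the post above lets the provisioning callback see the managed node's address. It assumes the inner proxy (Traefik) resets X-Forwarded-For to its peer address, which the thread does not state; the addresses, function names and the position of the new list entry are constructed.

```python
# Simplified model of this thread's request path: client -> nginx -> Traefik -> AWX.
# Not AWX source code. All addresses are constructed sample values.
CLIENT = "192.0.2.50"        # managed node making the provisioning callback
NGINX_PEER = "127.0.0.1"     # nginx proxies to https://localhost:8443
TRAEFIK_PEER = "10.42.0.1"   # address AWX sees for Traefik (constructed)

ORIGINAL_HEADERS = ["HTTP_TRUE_CLIENT_IP", "HTTP_X_FORWARDED_FOR",
                    "REMOTE_ADDR", "REMOTE_HOST"]
# Assumption: the thread does not say where in the list the new entry goes.
FIXED_HEADERS = ["HTTP_X_ORIGINAL_FORWARDED_FOR"] + ORIGINAL_HEADERS

def nginx_hop(client_headers, remote_addr, set_original):
    """Headers nginx sends upstream, per the proxy_set_header lines above."""
    out = dict(client_headers)  # other client headers pass through unchanged
    xff = client_headers.get("X-Forwarded-For")
    # $proxy_add_x_forwarded_for appends $remote_addr to what the client sent.
    out["X-Forwarded-For"] = f"{xff}, {remote_addr}" if xff else remote_addr
    out["X-Real-IP"] = remote_addr
    if set_original:
        # proxy_set_header replaces any client-supplied value of this header.
        out["X-Original-Forwarded-For"] = remote_addr
    return out

def inner_proxy_hop(headers, peer_addr):
    """ASSUMPTION: the inner proxy resets X-Forwarded-For to its peer address."""
    return {**headers, "X-Forwarded-For": peer_addr}

def to_meta(headers, peer_addr):
    """Django-style META keys, the form used in Remote Host Headers."""
    meta = {"HTTP_" + k.upper().replace("-", "_"): v for k, v in headers.items()}
    meta["REMOTE_ADDR"] = peer_addr
    return meta

def candidate_hosts(meta, header_names):
    """Every address found in the configured headers, in list order."""
    found = []
    for name in header_names:
        for value in (v.strip() for v in meta.get(name, "").split(",")):
            if value and value not in found:
                found.append(value)
    return found

def simulate(header_names, set_original, client_headers=None):
    """Candidate addresses AWX would have after both proxy hops."""
    at_nginx = nginx_hop(client_headers or {}, CLIENT, set_original)
    at_traefik = inner_proxy_hop(at_nginx, NGINX_PEER)
    return candidate_hosts(to_meta(at_traefik, TRAEFIK_PEER), header_names)
```

With the original header list the managed node's address never reaches the candidate list; with the added header it does, and that header carries only the address nginx itself observed rather than anything appended to a client-supplied value.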
gwmngilfen
(Greg Sutcliffe)
October 6, 2023, 8:59am
7
Can we mark this as solved, @tonk? Or are you looking for some input from the AWX team on this approach?
tonk
(Ton Kersten)
October 6, 2023, 9:14am
8
As far as I’m concerned this works, so I’m good.
@jpmens is the initial question asker, if he’s good as well then you can close it.
1 Like
gwmngilfen
(Greg Sutcliffe)
October 6, 2023, 9:15am
9
Oops, good catch, I’ll wait on that reply.
1 Like
jpmens
(Jan-Piet Mens)
October 7, 2023, 1:27pm
10
How did you test, @tonk :
example.com/awx
or
awx.example.com
?
Ah, stupid question, sorry. You tested the 2nd.
tonk
(Ton Kersten)
October 7, 2023, 1:40pm
11
Indeed, the second one.
It doesn’t work when you add an extra path.
system
(system)
Closed
November 6, 2023, 1:40pm
12
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.