Mimic nginx header config for Traefik in front of AWX

apiening · May 5, 2020, 4:34pm

I'm trying to use Traefik 2.0 as a reverse proxy in front of awx.
Here is the labels section of my docker-compose.yml:

      traefik.enable: true
      traefik.docker.network: "proxy"
      traefik.http.routers.ansible-awx.entrypoints: "http"
      traefik.http.routers.ansible-awx.rule: "Host(`hostname`)"
      traefik.http.middlewares.ansible-awx-https-redirect.redirectscheme.scheme: "https"
      traefik.http.routers.ansible-awx.middlewares: "ansible-awx-https-redirect"
      traefik.http.middlewares.awx-auth.basicauth.realm: "Ansible AWX"
      traefik.http.middlewares.awx-auth.basicauth.usersfile: "/awx.htpasswd"
      traefik.http.routers.ansible-awx-secure.entrypoints: "https"
      traefik.http.routers.ansible-awx-secure.rule: "Host(`hostname`)"
      traefik.http.routers.ansible-awx-secure.middlewares: "awx-auth"
      traefik.http.services.ansible-awx.loadbalancer.server.port: "8052"
      traefik.http.routers.ansible-awx-secure.tls: true
      traefik.http.routers.ansible-awx-secure.tls.certresolver: "http"

The config does work so far: The letsencrypt cert was deployed successfully and the login form of the service is reachable at the given url.
When I try to log in, I get this error on the JS console:

Error: "[$http:badreq] Http request configuration url must be a string or a $sce trusted object.  Received: undefined
https://errors.angularjs.org/1.7.9/$http/badreq?p0=undefined"

If I access the service directly over http the login works.
I found these configuration options in the nginx.conf example provided for AWX:

proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://10.5.5.20:8052/;

My expectation is, that I need to mimic some of these settings in my Traefik configuration to make it work. I don't fully understand the cause, but to me it looks like the callback of AWX fails because on of these headers are not set correctly.

Can someone provide me with a hint on how to adopt the required header configuration for Traefik?

apiening · May 5, 2020, 7:24pm

After further investigation, I found out that my assumption regarding the header configuration is wrong and misleading.
After commenting out the line

#traefik.http.routers.ansible-awx-secure.middlewares: "awx-auth"

and therefore disabling the basicauth middleware the login / websocket request worked perfectly fine.

The remaining question is: Is it possible to get websocket requests to work while basicauth is enabled?

apiening · May 8, 2020, 9:04pm

I stumbled upon a very interesting project authelia (https://github.com/authelia/authelia) which provides two factor authentication as a Traefik middleware.

This seems like a much better solution for my use case where I tried to add basic authentication to add additional protection for my endpoint.

The installation/setup was relatively easy due to good examples for the project and I'm perfectly happy with it.

Even if this is not really a solution to my initial issue, I'll mark this as a solution because my requirement is solved.

Topic		Replies	Views
Can this nginx config work with traefik? Traefik v2 docker-swarm	10	1414	April 16, 2021
Host, PathPrefix, regexredirect and stripprefix Traefik v2 docker , middleware	3	453	June 23, 2023
Change backend request hostname different with frontend Traefik v2 docker , middleware	0	1369	February 17, 2020
Traefik v2.1.4: X-Forwarded-For header doet not pass visitor IP when using IPv6 Traefik v2 docker , middleware	8	11860	January 5, 2022
Middlewares : questions and suggestions Traefik v2 middleware	5	783	October 3, 2019

Mimic nginx header config for Traefik in front of AWX

Related Topics