Windows Admin Center + Portainer as subdirectory

So currently I have caddy running in my docker environment via the abiosoft/caddy docker image. So far I was able to get most of my services running as sub-directories. (Need to use sub directories, because I did not set up the docker image with the googlecloud dns plugin originally, so I don’t hit the LE limit.)

According to an issue I found on the portainer github, you can start up portainer with the environment variable “-e HTTP_proxy=”, “-e HTTPS_proxy=” flags. I have these both set to “/portainer.” Now when I navigate to mydomain.net/portainer I get this:

On portainer’s documentation page they have an nginx example config and I was wondering how I would “clone” it for caddy to make this sub-directory work. I am a complete noob at this.

upstream portainer {
    server ADDRESS:PORT;
}

server {
  listen 80;

  location /portainer/ {
      proxy_http_version 1.1;
      proxy_set_header Connection "";
      proxy_pass http://portainer/;
  }
  location /portainer/api/websocket/ {
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_http_version 1.1;
      proxy_pass http://portainer/api/websocket/;
  }
}

My current caddy config:

www.mydomain.net, mydomain.net {
        gzip
        proxy /tautulli 192.168.1.60:8181 { # Tautulli
                transparent
                }
        proxy /sonarr 192.168.1.60:8989 { # Sonarr
                transparent
                }
        proxy /radarr 192.168.1.60:7878 { # Radarr
                transparent
                }
        proxy /wac 192.168.1.66:8443 { # Windows Admin Center
                without /wac
                transparent
                insecure_skip_verify
                }
        proxy /portainer 192.168.1.60:9000 { # portainer
                transparent
                }
}

plex.mydomain.net { # Plex
        gzip
        timeouts none
        proxy / 192.168.1.55:32400 {
                transparent
                }
}

unms.mydomain.net { # Ubiquiti UNMS
        gzip
        proxy / https://192.168.1.60 {
                transparent
                insecure_skip_verify
                }
}

unifi.mydomain.net { # Ubiquiti Unifi
        gzip
        proxy / https://192.168.1.60:8443 {
                transparent
                insecure_skip_verify
                }
}

Now for Windows Admin Center I have no clue how to get that one working due to the fact there is like no documentation for it when it comes to reverse proxy support. So any help with this one would be greatly appreciated.

Edit: Portainer portion solved by @comp500:

This seems to be a bug in portainer (#609).
It may work if you add a slash to the end of the proxy directive, e.g. proxy /portainer/ 192.168.1.60:9000 { and proxy /portainer/api/websocket/ 192.168.1.60:9000 {
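
An audit of the proxy blocks in the Caddyfile posted above, as an added example that is not part of the original post. It assumes Caddy v1 semantics, where an upstream written without a scheme is contacted over plain HTTP, so `insecure_skip_verify` only has an effect on an `https://` upstream; the function names and finding codes are hypothetical.

```python
# Constructed sample: three proxy blocks from the Caddyfile above, subdirectives trimmed.
CADDYFILE = """
www.mydomain.net, mydomain.net {
        proxy /sonarr 192.168.1.60:8989 { # Sonarr
                }
        proxy /wac 192.168.1.66:8443 { # Windows Admin Center
                without /wac
                transparent
                insecure_skip_verify
                }
}
unifi.mydomain.net { # Ubiquiti Unifi
        proxy / https://192.168.1.60:8443 {
                insecure_skip_verify
                }
}
"""

def parse_proxies(text):
    # One dict per proxy block: enclosing site, path, upstream, subdirective names.
    proxies, site, block = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        parts = line.split()
        if len(parts) == 4 and parts[0] == "proxy" and parts[3] == "{":
            block = {"site": site, "path": parts[1], "upstream": parts[2], "opts": []}
            proxies.append(block)
        elif line == "}":
            # Closes the proxy block if one is open, otherwise the site block.
            block, site = None, (site if block is not None else None)
        elif block is not None and line:
            block["opts"].append(parts[0])
        elif site is None and line.endswith("{"):
            site = line[:-1].strip()             # site address line
    return proxies

def audit(proxies):
    # Classify how the connection from Caddy to each upstream is protected.
    findings = []
    for p in proxies:
        tls = p["upstream"].startswith("https://")
        skip = "insecure_skip_verify" in p["opts"]
        if skip:   # encrypted but any certificate accepted, or flag with no TLS at all
            code = "TLS_UNVERIFIED" if tls else "SKIP_VERIFY_NO_TLS"
        else:
            code = "OK" if tls else "PLAINTEXT"
        findings.append((p["site"], p["path"], code))
    return findings

for finding in audit(parse_proxies(CADDYFILE)):
    print(finding)
```

The `/wac` block is reported as `SKIP_VERIFY_NO_TLS`: the upstream has no `https://` prefix, so the flag changes nothing there, while the UniFi block is encrypted but accepts any upstream certificate.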

The HTTP_proxy and HTTPS_proxy flags in portainer are probably for forward proxies, so they won’t help reverse proxying using caddy.

You need to add the websocket preset to the proxy directive, so that it will pass the Connection and Upgrade headers.
For example:

proxy /portainer 192.168.1.60:9000 { # portainer
    transparent
    websocket
}

If that doesn’t work, you could try setting it only for /portainer/api/websocket/

proxy /portainer 192.168.1.60:9000 { # portainer
    transparent
}

proxy /portainer/api/websocket 192.168.1.60:9000 {
    transparent
    websocket
}

without /portainer may also be needed in each proxy directive, so that portainer doesn’t see that it’s in a subdirectory.

I originally tried using websocket but never defined the api/websocket so I’ll give that a try.

Actually had this in my config last night and removed it this morning while trying to test it. haha

Edit: @comp500 I just tried what you suggested and I am still getting the same result as the pic in the OP.

proxy /portainer 192.168.1.60:9000 {
        without /portainer
        transparent
        websocket
        }
proxy /portainer/api/websocket 192.168.1.60:9000 {
        without /portainer
        transparent
        websocket
        }
}

Remove websocket from the first directive. You could also try header_upstream -Connection in the first directive (as well as removing websocket) to completely remove the Connection header. Presumably, that’s why proxy_set_header Connection ""; is in the nginx configuration.

Hmm even with that it’s still not working. Still getting the same as the picture lol.

proxy /portainer 192.168.1.60:9000 {
        without /portainer
        transparent
        header_upstream -Connection
        }
proxy /portainer/api/websocket 192.168.1.60:9000 {
        without /portainer
        transparent
        websocket
        }

@comp500 not sure if this helps but this is what Edge shows in the debug console when trying to load /portainer

EDIT: Okay so it works if I do mydomain.net/portainer/

This seems to be a bug in portainer (#609).
It may work if you add a slash to the end of the proxy directive, e.g. proxy /portainer/ 192.168.1.60:9000 { and proxy /portainer/api/websocket/ 192.168.1.60:9000 {

Yeah the extra / worked! :smiley: Thanks!

Now to figure out why Windows Admin Center is not working
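
Why the trailing slash can matter, as an added example that is not from the thread. It assumes the Portainer page references its assets with relative URLs (the asset names below are constructed) and models Caddy v1 proxy matching as a plain string-prefix test where the longest prefix wins.

```python
from urllib.parse import urljoin, urlsplit

# Path prefixes of the two proxy blocks suggested in the thread.
PREFIXES = ["/portainer/", "/portainer/api/websocket/"]
STRIP = "/portainer"   # the `without /portainer` subdirective

# Constructed relative references; Portainer's real asset names are not on this page.
ASSETS = ["css/app.css", "js/app.js", "api/websocket/exec"]

def route(path):
    """Return (matching proxy prefix, path sent upstream), or None if no block matches."""
    hits = [p for p in PREFIXES if path.startswith(p)]
    if not hits:
        return None
    return max(hits, key=len), path[len(STRIP):]   # longest prefix wins, then strip

def load(page_url):
    """Resolve each reference as a browser would from page_url, then route it."""
    result = {}
    for ref in ASSETS:
        path = urlsplit(urljoin(page_url, ref)).path
        result[ref] = (path, route(path))
    return result

if __name__ == "__main__":
    for url in ("https://mydomain.net/portainer", "https://mydomain.net/portainer/"):
        print(url)
        for ref, (path, routed) in load(url).items():
            print(f"  {ref:20} -> {path:32} {routed or 'no portainer block matches'}")
```

Loaded from `/portainer`, every relative reference resolves against the site root and misses both proxy blocks; loaded from `/portainer/`, the same references stay under the subdirectory and reach the upstream with the prefix stripped.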

I don’t think Windows Admin Center will work well with Caddy, as it seems to require a client certificate. Using a reverse proxy like Caddy may require you to reconfigure WAC to ignore client certificates, or to install a different certificate in your browser.

Hmm I wonder if I can even set it to ignore client certificates. Right now it’s just running with a self signed cert. I guess I will look into that when I get home.

Hey @comp500 I was playing around with stuff to get Windows Admin Center to work and was able to successfully get the login window (browser popup) to work. Though when I log in I get a 502 Bad Gateway error.

Caddy Config:

proxy /wac/ https://192.168.1.47:8443 {
        without /wac/
        transparent
        insecure_skip_verify
        }

subdomain.mydomain.net {
        gzip
        proxy / https://192.168.1.47:8443 {
                transparent
                insecure_skip_verify
                }
}

Chrome Console when using /wac/:

image

Chrome console when setup using a subdomain:

image

@alexandzors @comp500

Just updating this thread real quick to bring some closure.

I did finally reverse proxy WAC successfully (it requires that keep-alive is not disabled, and that HTTP/2 is disabled). The hardest part was getting the NTLM authentication to proxy successfully, as it violates HTTP’s conventions of being stateless.

I am not sure what negative side-effects or implications my implementation has, but it works! It effectively does what nginx’s commercial ntlm module does: Module ngx_http_upstream_module

I have a lot of code cleanup to do but will be pushing it once it’s looking good.

More info in this thread: Doesn't work when reverse proxy Windows Admin Center - #41 by matt