Windows Admin Center + Portainer as subdirectory


(Alexander Henderson) #1

So currently I have caddy running in my docker environment via the abiosoft/caddy docker image. So far I was able to get most of my services running as sub-directories. (Need to use sub directories, because I did not setup the docker image with the googlecloud dns plugin originally, so I don’t hit the LE limit.).

According to an issue I found on the portainer github, you can startup portainer with the environment variable “-e HTTP_proxy=” , “-e HTTPS_proxy=” flags. I have these both set to “/portainer.” Now when I navigate to mydomain.net/portainer I get this:

On portainer’s documentation page they have an nginx example config and was wondering how I would “clone” it for caddy to make this sub-directory work. I am a complete noob at this.

upstream portainer {
    server ADDRESS:PORT;
}

server {
  listen 80;

  location /portainer/ {
      proxy_http_version 1.1;
      proxy_set_header Connection "";
      proxy_pass http://portainer/;
  }
  location /portainer/api/websocket/ {
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_http_version 1.1;
      proxy_pass http://portainer/api/websocket/;
  }
}

My current caddy config:

www.mydomain.net, mydomain.net {
        gzip
        proxy /tautulli 192.168.1.60:8181 { # Tautulli
                transparent
                }
        proxy /sonarr 192.168.1.60:8989 { # Sonarr
                transparent
                }
        proxy /radarr 192.168.1.60:7878 { # Radarr
                transparent
                }
        proxy /wac 192.168.1.66:8443 { # Windows Admin Center
                without /wac
                transparent
                insecure_skip_verify
                }
        proxy /portainer 192.168.1.60:9000 { # portainer
                transparent
                }
}

plex.mydomain.net { # Plex
        gzip
        timeouts none
        proxy / 192.168.1.55:32400 {
                transparent
                }
}

unms.mydomain.net { # Ubiquiti UNMS
        gzip
        proxy / https://192.168.1.60 {
                transparent
                insecure_skip_verify
                }
}

unifi.mydomain.net { # Ubiquiti Unifi
        gzip
        proxy / https://192.168.1.60:8443 {
                transparent
                insecure_skip_verify
                }
}

Now for Windows Admin Center I have no clue how to get that one working due to the fact there is like no documentation for it when it comes to reverse proxy support. So any help with this one would be greatly appreciated.

Edit: Portainer portion solved by @comp500:

This seems to be a bug in portainer (#609).
It may work if you add a slash to the end of the proxy directive, e.g. proxy /portainer/ 192.168.1.60:9000 { and proxy /portainer/api/websocket/ 192.168.1.60:9000 {


(comp500) #3

The HTTP_proxy and HTTPS_proxy flags in portainer are probably for forward proxies, so they won’t help reverse proxying using caddy.

You need to add the websocket preset to the proxy directive, so that it will pass the Connection and Upgrade headers.
For example:

proxy /portainer 192.168.1.60:9000 { # portainer
    transparent
    websocket
}

If that doesn’t work, you could try setting it only for /portainer/api/websocket/

proxy /portainer 192.168.1.60:9000 { # portainer
    transparent
}

proxy /portainer/api/websocket 192.168.1.60:9000 {
    transparent
    websocket
}

without /portainer may also be needed in each proxy directive, so that portainer doesn’t see that it’s in a subdirectory.


(Alexander Henderson) #4

I originally tried using websocket but never defined the api/websocket so Ill give that a try.

Actually had this in my config last night and removed it this morning while trying to test it. haha

Edit: @comp500 I just tried what you suggested and I am still getting the same result as the pic in the OP.

proxy /portainer 192.168.1.60:9000 {
        without /portainer
        transparent
        websocket
        }
proxy /portainer/api/websocket 192.168.1.60:9000 {
        without /portainer
        transparent
        websocket
        }
}

(comp500) #5

Remove websocket from the first directive. You could also try header_upstream -Connection in the first directive (as well as removing websocket) to completely remove the Connection header. Presumably, that’s why proxy_set_header Connection ""; is in the nginx configuration.


(Alexander Henderson) #6

Hmm even with that its still not working. Still getting the same as the picture lol.

proxy /portainer 192.168.1.60:9000 {
        without /portainer
        transparent
        header_upstream -Connection
        }
proxy /portainer/api/websocket 192.168.1.60:9000 {
        without /portainer
        transparent
        websocket
        }

(Alexander Henderson) #7

@comp500 not sure if this helps but this is what Edge shows in the debug console when trying to load /portainer

EDIT: Okay so it works if I do mydomain. net/portainer /


(comp500) #8

This seems to be a bug in portainer (#609).
It may work if you add a slash to the end of the proxy directive, e.g. proxy /portainer/ 192.168.1.60:9000 { and proxy /portainer/api/websocket/ 192.168.1.60:9000 {


(Alexander Henderson) #9

Yeah the extra / worked! :smiley: Thanks!

Now to figure out why Windows Admin Center is not working


(comp500) #10

I don’t think Windows Admin Center will work well with Caddy, as it seems to require a client certificate. Using a reverse proxy like Caddy may require you to reconfigure WAC to ignore client certificates, or to install a different certificate in your browser.


(Alexander Henderson) #11

Hmm I wonder if I can even set it to ignore client certificates. Right now its just running with a self signed cert. I guess I will look into that when I get home.


(Alexander Henderson) #12

Hey @comp500 I was playing around with stuff to get Windows Admin Center to work and was able to successfully get the login window (browser popup) to work. Though when I login I get a 502 Bad Gateway error.

Caddy Config:

proxy /wac/ https://192.168.1.47:8443 {
        without /wac/
        transparent
        insecure_skip_verify
        }

subdomain.mydomain.net {
        gzip
        proxy / https://192.168.1.47:8443 {
                transparent
                insecure_skip_verify
                }

Chrome Console when using /wac/:

image

Chrome console when setup using a subdomain:

image


(system) #13

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.