fix(hosting): don't strip /api at Traefik (fixes broken self-host redirects)#5005
Conversation
The API app is mounted at /api (SCRIPT_NAME=/api + FastAPI root_path), but the Traefik router also stripped /api via a stripprefix middleware. The app never saw /api, so its redirects dropped the prefix and became 308s to the wrong path behind a TLS proxy. Remove the strip; forward /api/* unchanged. Claude-Session: https://claude.ai/code/session_01STbkKsnAUZn5v9PiDRiSsY
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Agenta Team seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it. |
|
This PR's fix (stop stripping `/api` at Traefik) was merged into `fix/broken-internal-urls` and shipped as part of #5059, now merged into `big-agents`. #5059 also adds `ApiPrefixStripMiddleware` at the API layer, so both prefix shapes (stripped or not) route correctly regardless of proxy topology, making this fix's Traefik-config change safe across dev, gh, and ALB deployments. Closing as merged via #5059. |
Problem
On self-hosted deploys, API endpoints intermittently return
308and the UI can get stuck (e.g. tool catalog, any no-trailing-slash request), especially behind a TLS-terminating proxy (Cloudflare, CDN, LB).Root cause
The app is mounted at
/api(SCRIPT_NAME=/api+ FastAPIroot_path="/api", and the auth middleware's_PUBLIC_ENDPOINTSlists both/xand/api/x), but Traefik also strips/apivia astripprefixmiddleware — double-accounting. The app therefore never sees/api; its trailing-slash redirects are built from the stripped path and drop/api(and use the wrong scheme behind a proxy) → Cloudflare upgrades to a 308 pointing at/…which hits the web app, not the API.Fix
Stop stripping
/api; forward/api/*unchanged. The app already handles the prefix; internal service→API calls use bare paths which remain matched by thePathPrefix(/api/)router rule. This also fixes auth-middleware checks that only match/api/....Removed from each
apiservice's Traefik labels (kept the router rule/entrypoint/service/port labels):Files changed
Only compose files whose
apiservice setsSCRIPT_NAME=/apiwere touched:hosting/docker-compose/oss/docker-compose.gh.ymlhosting/docker-compose/oss/docker-compose.gh.ssl.ymlhosting/docker-compose/oss/docker-compose.gh.local.ymlhosting/docker-compose/ee/docker-compose.gh.ymlhosting/docker-compose/ee/docker-compose.gh.local.ymlhosting/docker-compose/ee/docker-compose.dev.ymlhas the sameapi-strippattern but does not setSCRIPT_NAME=/api(noSCRIPT_NAMEin the service env or.env.ee.dev), so it was deliberately left untouched. If the dev image is in fact mounted at/apiby other means, it should get the same strip removal in a follow-up.Compatibility
Safe for all deployments — no route loses coverage (public endpoints are dual-listed; internal bare-path calls still match). Verified on a live self-host: with-slash 200; no-slash now redirects to the correct
/api/...path and resolves 200.https://claude.ai/code/session_01STbkKsnAUZn5v9PiDRiSsY