Skip to content

fix(hosting): don't strip /api at Traefik (fixes broken self-host redirects)#5005

Merged
junaway merged 1 commit into
big-agentsfrom
fix/self-host-traefik-api-double-prefix
Jul 3, 2026
Merged

fix(hosting): don't strip /api at Traefik (fixes broken self-host redirects)#5005
junaway merged 1 commit into
big-agentsfrom
fix/self-host-traefik-api-double-prefix

Conversation

@mmabrouk

@mmabrouk mmabrouk commented Jul 1, 2026

Copy link
Copy Markdown
Member

Problem

On self-hosted deploys, API endpoints intermittently return 308 and the UI can get stuck (e.g. tool catalog, any no-trailing-slash request), especially behind a TLS-terminating proxy (Cloudflare, CDN, LB).

Root cause

The app is mounted at /api (SCRIPT_NAME=/api + FastAPI root_path="/api", and the auth middleware's _PUBLIC_ENDPOINTS lists both /x and /api/x), but Traefik also strips /api via a stripprefix middleware — double-accounting. The app therefore never sees /api; its trailing-slash redirects are built from the stripped path and drop /api (and use the wrong scheme behind a proxy) → Cloudflare upgrades to a 308 pointing at /… which hits the web app, not the API.

Fix

Stop stripping /api; forward /api/* unchanged. The app already handles the prefix; internal service→API calls use bare paths which remain matched by the PathPrefix(/api/) router rule. This also fixes auth-middleware checks that only match /api/....

Removed from each api service's Traefik labels (kept the router rule/entrypoint/service/port labels):

- "traefik.http.middlewares.api-strip.stripprefix.prefixes=/api"
- "traefik.http.middlewares.api-strip.stripprefix.forceslash=true"
- "traefik.http.routers.api.middlewares=api-strip"

Files changed

Only compose files whose api service sets SCRIPT_NAME=/api were touched:

  • hosting/docker-compose/oss/docker-compose.gh.yml
  • hosting/docker-compose/oss/docker-compose.gh.ssl.yml
  • hosting/docker-compose/oss/docker-compose.gh.local.yml
  • hosting/docker-compose/ee/docker-compose.gh.yml
  • hosting/docker-compose/ee/docker-compose.gh.local.yml

hosting/docker-compose/ee/docker-compose.dev.yml has the same api-strip pattern but does not set SCRIPT_NAME=/api (no SCRIPT_NAME in the service env or .env.ee.dev), so it was deliberately left untouched. If the dev image is in fact mounted at /api by other means, it should get the same strip removal in a follow-up.

Compatibility

Safe for all deployments — no route loses coverage (public endpoints are dual-listed; internal bare-path calls still match). Verified on a live self-host: with-slash 200; no-slash now redirects to the correct /api/... path and resolves 200.

https://claude.ai/code/session_01STbkKsnAUZn5v9PiDRiSsY

The API app is mounted at /api (SCRIPT_NAME=/api + FastAPI root_path), but
the Traefik router also stripped /api via a stripprefix middleware. The app
never saw /api, so its redirects dropped the prefix and became 308s to the
wrong path behind a TLS proxy. Remove the strip; forward /api/* unchanged.

Claude-Session: https://claude.ai/code/session_01STbkKsnAUZn5v9PiDRiSsY
@vercel

vercel Bot commented Jul 1, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
agenta-documentation Ready Ready Preview, Comment Jul 1, 2026 6:24pm

Request Review

@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 17cff848-c508-474e-bca3-daea17867b09

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/self-host-traefik-api-double-prefix

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Agenta Team seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@junaway junaway merged commit d0a81f0 into big-agents Jul 3, 2026
4 of 5 checks passed
@junaway

junaway commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

This PR's fix (stop stripping `/api` at Traefik) was merged into `fix/broken-internal-urls` and shipped as part of #5059, now merged into `big-agents`. #5059 also adds `ApiPrefixStripMiddleware` at the API layer, so both prefix shapes (stripped or not) route correctly regardless of proxy topology, making this fix's Traefik-config change safe across dev, gh, and ALB deployments.

Closing as merged via #5059.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants