Webswing fails to serve ZAP GUI behind nginx reverse proxy with auth


Nicholas Coleman

Mar 10, 2026, 7:28:37 PM
to ZAP User Group
Hi all,

I'm running the stable Docker image with zap-webswing.sh, fronted by nginx which handles basic auth.

The nginx layer works correctly (confirmed via curl returning 200), but once authenticated users reach the Webswing UI, they are presented with Webswing's own login screen. Passing ?anonym=true&app=ZAP in the URL does not bypass it.

I initially tried to use Webswing's own authentication by mounting a custom webswing.config with "module": "EMBEDED" and a user defined in authorizationConfig. However, regardless of what I put in the mounted config, the running container always showed "module": "NONE" with empty users. So Webswing's login screen appeared but rejected every credential. I could not determine why the config changes weren't being picked up. nginx became the auth layer as a workaround.

All I need is for users already authenticated by nginx to land directly in the ZAP GUI. I'm open to any approach: custom entrypoint, custom image, modified startup script, or anything else. I'm fairly new to ZAP, and honestly this one part is just driving me insane.

Setup:

Thanks,

Nick


Nicholas Coleman

5:35 AM
to ZAP User Group
Quick update on this.

Some context on why I was trying to put auth in front of Webswing. I was tasked with setting up ZAP as a shared scanning tool for a small team on an internal network. Some of the users aren't technical, so the full Webswing GUI is ideal for our team. The VM is accessible to others on the network, so I wanted an auth layer to prevent unauthorised access, particularly to the API, since an accidental or unauthorized active scan against a production app would be a problem.

But I've thought more about it and, rather than fighting Webswing's auth, I'm going to restrict access at the network level with firewall rules limiting which subnets can reach the VM, and keep a strong API key set. This seems more in line with how ZAP's Docker setup is designed: more an ephemeral tool than a persistent service.

That said, I'm still curious whether anyone has successfully run Webswing behind a reverse proxy with auth, or whether the general view is that this isn't a supported use case. Any thoughts welcome.
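For reference, here is an nginx front-end combining the two controls discussed in the thread (basic auth on the proxy, plus a subnet allow-list in place of host firewall rules). This is an added example, not configuration from the poster or from the ZAP or Webswing projects. It assumes the Webswing container listens on 127.0.0.1:8080, that the team's subnet is 10.20.0.0/24, and that Webswing carries the Swing session over a WebSocket (hence the Upgrade headers); the hostname, certificate paths and htpasswd path are placeholders.

```nginx
# Added example, not from the thread: nginx in front of a Webswing/ZAP container.
# Assumed values (placeholders): upstream 127.0.0.1:8080, team subnet 10.20.0.0/24,
# hostname zap.internal.example, TLS and htpasswd paths.
server {
    listen 443 ssl;
    server_name zap.internal.example;

    ssl_certificate     /etc/nginx/tls/zap.crt;
    ssl_certificate_key /etc/nginx/tls/zap.key;

    # Network-level restriction: only the team subnet may reach the GUI at all.
    # Evaluated before auth, so hosts outside the subnet get 403 with no password prompt.
    allow 10.20.0.0/24;
    deny  all;

    # Basic auth in front of every path, as in the original setup.
    auth_basic           "ZAP";
    auth_basic_user_file /etc/nginx/zap.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_http_version 1.1;

        # Assumption: Webswing streams the UI over a WebSocket, so the upgrade
        # headers must be forwarded or the GUI never connects.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Long-lived GUI sessions: keep the socket open across idle periods.
        proxy_read_timeout 3600s;
    }
}
```

The proxy only enforces anything if it is the sole path to the container: publish the container ports on the loopback interface (for example `-p 127.0.0.1:8080:8080`) rather than on all interfaces, otherwise the Webswing port, and the separate ZAP API port, remain reachable directly from the network and both the basic auth and the subnet allow-list are bypassed. Keeping a strong API key set, as the second post describes, still protects the API even if the port is exposed.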