GitLab KAS behind Apache reverse proxy not able to use exec

I’m having trouble getting the k8s-proxy working behind an (Apache) reverse proxy. We’re running a self-hosted Omnibus installation.

I’ve managed to successfully install the agent, and simple kubectl commands like listing or creating namespaces all work correctly. What isn’t working are kubectl exec commands, which give an error about not being able to upgrade the request.

Depending on the config, this might result in a 400 “Error from server (BadRequest): Upgrade request required”, or in a “426 Upgrade required”.

We’re using Apache as a reverse proxy in front of our GitLab. I’ve tried including several “workarounds” commonly found on the internet, going from using mod_rewrite to detect the upgrade headers, mod_proxy proxying to https or wss based on the request, and using the more recent websocket support of mod_proxy. I’ve also tried configuring kas to use domain sockets instead of TCP as stated in the docs. But all to no avail.

Does anyone happen to have a working config running behind an Apache reverse proxy? Alternatively, I could try to add an additional IP and run a different reverse proxy (nginx, haproxy?) specifically for KAS (and give it a name like kas.gitlab.ourdomain.tld), but I also can’t find any clear info on what parameters to set to what value, or what paths need to be proxied to what ports/paths.

So the past week I’ve basically been running in circles trying to figure out the magic combination of parameters, but I’ve reached the point that I can’t really think of anything more to try without ending up on all the pages that I’ve been through like 100 times already.