diff --git a/Makefile b/Makefile index 896dcf2c6c..4e402125b2 100644 --- a/Makefile +++ b/Makefile @@ -203,19 +203,7 @@ uwsgi: collectstatic @if [ "$(VENV_BASE)" ]; then \ . $(VENV_BASE)/awx/bin/activate; \ fi; \ - uwsgi -b 32768 \ - --socket 127.0.0.1:8050 \ - --module=awx.wsgi:application \ - --home=/var/lib/awx/venv/awx \ - --chdir=/awx_devel/ \ - --vacuum \ - --processes=5 \ - --harakiri=120 --master \ - --no-orphans \ - --max-requests=1000 \ - --stats /tmp/stats.socket \ - --lazy-apps \ - --logformat "%(addr) %(method) %(uri) - %(proto) %(status)" + uwsgi /etc/tower/uwsgi.ini awx-autoreload: @/awx_devel/tools/docker-compose/awx-autoreload /awx_devel/awx "$(DEV_RELOAD_COMMAND)" diff --git a/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 b/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 index 166f24b79f..e35234f622 100644 --- a/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 +++ b/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 @@ -199,11 +199,11 @@ ADD tools/ansible/roles/dockerfile/files/rsyslog.conf /var/lib/awx/rsyslog/rsysl ADD tools/ansible/roles/dockerfile/files/wait-for-migrations /usr/local/bin/wait-for-migrations ADD tools/ansible/roles/dockerfile/files/stop-supervisor /usr/local/bin/stop-supervisor +ADD tools/ansible/roles/dockerfile/files/uwsgi.ini /etc/tower/uwsgi.ini + ## File mappings {% if build_dev|bool %} ADD tools/docker-compose/launch_awx.sh /usr/bin/launch_awx.sh -ADD tools/docker-compose/nginx.conf /etc/nginx/nginx.conf -ADD tools/docker-compose/nginx.vh.default.conf /etc/nginx/conf.d/nginx.vh.default.conf ADD tools/docker-compose/start_tests.sh /start_tests.sh ADD tools/docker-compose/bootstrap_development.sh /usr/bin/bootstrap_development.sh ADD tools/docker-compose/entrypoint.sh /entrypoint.sh @@ -213,7 +213,6 @@ ADD https://raw.githubusercontent.com/containers/libpod/master/contrib/podmanima {% else %} ADD tools/ansible/roles/dockerfile/files/launch_awx.sh /usr/bin/launch_awx.sh ADD tools/ansible/roles/dockerfile/files/launch_awx_task.sh /usr/bin/launch_awx_task.sh -ADD tools/ansible/roles/dockerfile/files/uwsgi.ini /etc/tower/uwsgi.ini ADD {{ template_dest }}/supervisor.conf /etc/supervisord.conf ADD {{ template_dest }}/supervisor_task.conf /etc/supervisord_task.conf {% endif %} diff --git a/tools/ansible/roles/dockerfile/templates/supervisor.conf.j2 b/tools/ansible/roles/dockerfile/templates/supervisor.conf.j2 index e67b79fbe9..6cd821b9d0 100644 --- a/tools/ansible/roles/dockerfile/templates/supervisor.conf.j2 +++ b/tools/ansible/roles/dockerfile/templates/supervisor.conf.j2 @@ -30,8 +30,8 @@ environment = DEV_RELOAD_COMMAND='supervisorctl -c /etc/supervisord_task.conf restart all; supervisorctl restart tower-processes:daphne tower-processes:wsbroadcast' {% else %} command = /var/lib/awx/venv/awx/bin/uwsgi /etc/tower/uwsgi.ini -directory = /var/lib/awx {% endif %} +directory = /var/lib/awx autorestart = true startsecs = 30 stopasgroup=true diff --git a/tools/docker-compose/ansible/roles/sources/defaults/main.yml b/tools/docker-compose/ansible/roles/sources/defaults/main.yml index 9155cacfa9..cf5a65e0b6 100644 --- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml +++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml @@ -9,6 +9,7 @@ control_plane_node_count: 1 minikube_container_group: false receptor_socket_file: /var/run/awx-receptor/receptor.sock receptor_image: quay.io/ansible/receptor:devel +ingress_path: / # Keys for signing work receptor_rsa_bits: 4096 diff --git a/tools/docker-compose/ansible/roles/sources/tasks/main.yml b/tools/docker-compose/ansible/roles/sources/tasks/main.yml index 5149364dd7..17ab4dc0c9 100644 --- a/tools/docker-compose/ansible/roles/sources/tasks/main.yml +++ b/tools/docker-compose/ansible/roles/sources/tasks/main.yml @@ -49,18 +49,11 @@ mode: '0600' with_items: - "database.py" + - "local_settings.py" - "websocket_secret.py" - "haproxy.cfg" - -- name: Delete old local_settings.py - file: - path: "{{ playbook_dir }}/../../../awx/settings/local_settings.py" - state: absent - -- name: Copy local_settings.py - copy: - src: "local_settings.py" - dest: "{{ sources_dest }}/local_settings.py" + - "nginx.conf" + - "nginx.locations.conf" - name: Get OS info for sdb shell: | diff --git a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 index 60d5d44fb8..7badd37181 100644 --- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 +++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 @@ -24,6 +24,7 @@ services: EXECUTION_NODE_COUNT: {{ execution_node_count|int }} AWX_LOGGING_MODE: stdout DJANGO_SUPERUSER_PASSWORD: {{ admin_password }} + UWSGI_MOUNT_PATH: {{ ingress_path }} {% if loop.index == 1 %} RUN_MIGRATIONS: 1 {% endif %} @@ -40,6 +41,8 @@ services: - "../../docker-compose/_sources/database.py:/etc/tower/conf.d/database.py" - "../../docker-compose/_sources/websocket_secret.py:/etc/tower/conf.d/websocket_secret.py" - "../../docker-compose/_sources/local_settings.py:/etc/tower/conf.d/local_settings.py" + - "../../docker-compose/_sources/nginx.conf:/etc/nginx/nginx.conf" + - "../../docker-compose/_sources/nginx.locations.conf:/etc/nginx/conf.d/nginx.locations.conf" - "../../docker-compose/_sources/SECRET_KEY:/etc/tower/SECRET_KEY" - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf:/etc/receptor/receptor.conf" - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf.lock:/etc/receptor/receptor.conf.lock" diff --git a/tools/docker-compose/ansible/roles/sources/files/local_settings.py b/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2 similarity index 96% rename from tools/docker-compose/ansible/roles/sources/files/local_settings.py rename to tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2 index 552850e81c..0b4ffd0160 100644 --- a/tools/docker-compose/ansible/roles/sources/files/local_settings.py +++ b/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2 @@ -46,3 +46,5 @@ SYSTEM_UUID = '00000000-0000-0000-0000-000000000000' BROADCAST_WEBSOCKET_PORT = 8013 BROADCAST_WEBSOCKET_VERIFY_CERT = False BROADCAST_WEBSOCKET_PROTOCOL = 'http' + +STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}' diff --git a/tools/docker-compose/ansible/roles/sources/templates/nginx.conf.j2 b/tools/docker-compose/ansible/roles/sources/templates/nginx.conf.j2 index 327b59a2fe..ff7e2ab386 100644 --- a/tools/docker-compose/ansible/roles/sources/templates/nginx.conf.j2 +++ b/tools/docker-compose/ansible/roles/sources/templates/nginx.conf.j2 @@ -1,8 +1,7 @@ -#user awx; - worker_processes 1; -pid /tmp/nginx.pid; +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; events { worker_connections 1024; @@ -17,7 +16,7 @@ http { '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /dev/stdout main; + access_log /var/log/nginx/access.log main; map $http_upgrade $connection_upgrade { default upgrade; @@ -25,41 +24,17 @@ http { } sendfile on; - #tcp_nopush on; - #gzip on; upstream uwsgi { - server 127.0.0.1:8050; - } + server localhost:8050; + } upstream daphne { - server 127.0.0.1:8051; + server localhost:8051; } - {% if ssl_certificate is defined %} server { - listen 8052 default_server; - server_name _; - - # Redirect all HTTP links to the matching HTTPS page - return 301 https://$host$request_uri; - } - {%endif %} - - server { - {% if (ssl_certificate is defined) and (ssl_certificate_key is defined) %} - listen 8053 ssl; - - ssl_certificate /etc/nginx/awxweb.pem; - ssl_certificate_key /etc/nginx/awxweb_key.pem; - {% elif (ssl_certificate is defined) and (ssl_certificate_key is not defined) %} - listen 8053 ssl; - - ssl_certificate /etc/nginx/awxweb.pem; - ssl_certificate_key /etc/nginx/awxweb.pem; - {% else %} - listen 8052 default_server; - {% endif %} + listen 8013 default_server; # If you have a domain name, this is where to add it server_name _; @@ -67,56 +42,35 @@ http { # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; + add_header X-Content-Type-Options nosniff; - # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) - add_header X-Frame-Options "DENY"; + include /etc/nginx/conf.d/*.conf; + } - location /nginx_status { - stub_status on; - access_log off; - allow 127.0.0.1; - deny all; - } + server { + listen 8043 default_server ssl; - location /static/ { - alias /var/lib/awx/public/static/; - } + # If you have a domain name, this is where to add it + server_name _; + keepalive_timeout 65; - location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; } + ssl_certificate /etc/nginx/nginx.crt; + ssl_certificate_key /etc/nginx/nginx.key; - location /websocket { - # Pass request to the upstream alias - proxy_pass http://daphne; - # Require http version 1.1 to allow for upgrade requests - proxy_http_version 1.1; - # We want proxy_buffering off for proxying to websockets. - proxy_buffering off; - # http://en.wikipedia.org/wiki/X-Forwarded-For - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # enable this if you use HTTPS: - proxy_set_header X-Forwarded-Proto https; - # pass the Host: header from the client for the sake of redirects - proxy_set_header Host $http_host; - # We've set the Host header, so we don't need Nginx to muddle - # about with redirects - proxy_redirect off; - # Depending on the request value, set the Upgrade and - # connection headers - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; - location / { - # Add trailing / if missing - rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent; - uwsgi_read_timeout 120s; - uwsgi_pass uwsgi; - include /etc/nginx/uwsgi_params; - {%- if extra_nginx_include is defined %} - include {{ extra_nginx_include }}; - {%- endif %} - proxy_set_header X-Forwarded-Port 443; - uwsgi_param HTTP_X_FORWARDED_PORT 443; - } + # intermediate configuration. tweak to your needs. + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; + add_header X-Content-Type-Options nosniff; + + + include /etc/nginx/conf.d/*.conf; } } diff --git a/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2 b/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2 new file mode 100644 index 0000000000..5d1d24b2b1 --- /dev/null +++ b/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2 @@ -0,0 +1,37 @@ +location {{ (ingress_path + '/static').replace('//', '/') }} { + alias /var/lib/awx/public/static/; +} + +location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} { + alias /awx_devel/awx/public/static/favicon.ico; +} + +location {{ (ingress_path + '/websocket').replace('//', '/') }} { + # Pass request to the upstream alias + proxy_pass http://daphne; + # Require http version 1.1 to allow for upgrade requests + proxy_http_version 1.1; + # We want proxy_buffering off for proxying to websockets. + proxy_buffering off; + # http://en.wikipedia.org/wiki/X-Forwarded-For + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # enable this if you use HTTPS: + proxy_set_header X-Forwarded-Proto https; + # pass the Host: header from the client for the sake of redirects + proxy_set_header Host $http_host; + # We've set the Host header, so we don't need Nginx to muddle + # about with redirects + proxy_redirect off; + # Depending on the request value, set the Upgrade and + # connection headers + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; +} + +location {{ ingress_path }} { + # Add trailing / if missing + rewrite ^(.*[^/])$ $1/ permanent; + uwsgi_read_timeout 120s; + uwsgi_pass uwsgi; + include /etc/nginx/uwsgi_params; +} diff --git a/tools/docker-compose/nginx.conf b/tools/docker-compose/nginx.conf deleted file mode 100644 index 348f93b727..0000000000 --- a/tools/docker-compose/nginx.conf +++ /dev/null @@ -1,31 +0,0 @@ -worker_processes 1; - -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - server_tokens off; - - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - sendfile on; - #tcp_nopush on; - #gzip on; - - include /etc/nginx/conf.d/*.conf; -} diff --git a/tools/docker-compose/nginx.vh.default.conf b/tools/docker-compose/nginx.vh.default.conf deleted file mode 100644 index 649575af34..0000000000 --- a/tools/docker-compose/nginx.vh.default.conf +++ /dev/null @@ -1,124 +0,0 @@ -upstream uwsgi { - server localhost:8050; -} - -upstream daphne { - server localhost:8051; -} - -# server { -# listen 8013 default_server; -# listen [::]:8013 default_server; -# server_name _; -# return 301 https://$host:8043$request_uri; -# } - -server { - listen 8013 default_server; - - # If you have a domain name, this is where to add it - server_name _; - keepalive_timeout 65; - - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; - add_header X-Content-Type-Options nosniff; - - location /static/ { - alias /var/lib/awx/public/static/; - } - - location /favicon.ico { alias /awx_devel/awx/public/static/favicon.ico; } - - location ~ ^/websocket { - # Pass request to the upstream alias - proxy_pass http://daphne; - # Require http version 1.1 to allow for upgrade requests - proxy_http_version 1.1; - # We want proxy_buffering off for proxying to websockets. - proxy_buffering off; - # http://en.wikipedia.org/wiki/X-Forwarded-For - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # enable this if you use HTTPS: - proxy_set_header X-Forwarded-Proto https; - # pass the Host: header from the client for the sake of redirects - proxy_set_header Host $http_host; - # We've set the Host header, so we don't need Nginx to muddle - # about with redirects - proxy_redirect off; - # Depending on the request value, set the Upgrade and - # connection headers - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } - - location / { - # Add trailing / if missing - rewrite ^(.*[^/])$ $1/ permanent; - uwsgi_read_timeout 120s; - uwsgi_pass uwsgi; - include /etc/nginx/uwsgi_params; - } -} - -server { - listen 8043 default_server ssl; - - # If you have a domain name, this is where to add it - server_name _; - keepalive_timeout 65; - - ssl_certificate /etc/nginx/nginx.crt; - ssl_certificate_key /etc/nginx/nginx.key; - - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:50m; - ssl_session_tickets off; - - # intermediate configuration. tweak to your needs. - ssl_protocols TLSv1.2; - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_prefer_server_ciphers on; - - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; - add_header X-Content-Type-Options nosniff; - - location /static/ { - alias /var/lib/awx/public/static/; - access_log off; - sendfile off; - } - - location /favicon.ico { alias /awx_devel/awx/public/static/favicon.ico; } - - location ~ ^/websocket { - # Pass request to the upstream alias - proxy_pass http://daphne; - # Require http version 1.1 to allow for upgrade requests - proxy_http_version 1.1; - # We want proxy_buffering off for proxying to websockets. - proxy_buffering off; - # http://en.wikipedia.org/wiki/X-Forwarded-For - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # enable this if you use HTTPS: - proxy_set_header X-Forwarded-Proto https; - # pass the Host: header from the client for the sake of redirects - proxy_set_header Host $http_host; - # We've set the Host header, so we don't need Nginx to muddle - # about with redirects - proxy_redirect off; - # Depending on the request value, set the Upgrade and - # connection headers - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - } - - location / { - # Add trailing / if missing - rewrite ^(.*[^/])$ $1/ permanent; - uwsgi_read_timeout 120s; - uwsgi_pass uwsgi; - include /etc/nginx/uwsgi_params; - } -}