Allow serving app from non-root path in dev env

Usage:

$ EXTRA_SOURCES_ANSIBLE_OPTS='-e ingress_path=/awx' make docker-compose
$ curl http://localhost:8013/awx/api/v2/ping/

tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2

@@ -24,6 +24,7 @@ services:
       EXECUTION_NODE_COUNT: {{ execution_node_count|int }}
       AWX_LOGGING_MODE: stdout
       DJANGO_SUPERUSER_PASSWORD: {{ admin_password }}
+      UWSGI_MOUNT_PATH: {{ ingress_path }}
 {% if loop.index == 1 %}
       RUN_MIGRATIONS: 1
 {% endif %}
@@ -40,6 +41,8 @@ services:
       - "../../docker-compose/_sources/database.py:/etc/tower/conf.d/database.py"
       - "../../docker-compose/_sources/websocket_secret.py:/etc/tower/conf.d/websocket_secret.py"
       - "../../docker-compose/_sources/local_settings.py:/etc/tower/conf.d/local_settings.py"
+      - "../../docker-compose/_sources/nginx.conf:/etc/nginx/nginx.conf"
+      - "../../docker-compose/_sources/nginx.locations.conf:/etc/nginx/conf.d/nginx.locations.conf"
       - "../../docker-compose/_sources/SECRET_KEY:/etc/tower/SECRET_KEY"
       - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf:/etc/receptor/receptor.conf"
       - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf.lock:/etc/receptor/receptor.conf.lock"

tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2

@@ -0,0 +1,50 @@
+# Copyright (c) 2015 Ansible, Inc. (formerly AnsibleWorks, Inc.)
+# All Rights Reserved.
+
+# Local Django settings for AWX project.  Rename to "local_settings.py" and
+# edit as needed for your development environment.
+
+# All variables defined in awx/settings/development.py will already be loaded
+# into the global namespace before this file is loaded, to allow for reading
+# and updating the default settings as needed.
+
+###############################################################################
+# MISC PROJECT SETTINGS
+###############################################################################
+
+# Enable the following lines and install the browser extension to use Django debug toolbar
+# if your deployment method is not VMWare of Docker-for-Mac you may
+# need a different IP address from request.META['REMOTE_ADDR']
+# INTERNAL_IPS = ('172.19.0.1', '172.18.0.1', '192.168.100.1')
+# ALLOWED_HOSTS = ['*']
+
+# The UUID of the system, for HA.
+SYSTEM_UUID = '00000000-0000-0000-0000-000000000000'
+
+# If set, use -vvv for project updates instead of -v for more output.
+# PROJECT_UPDATE_VVV=True
+
+###############################################################################
+# LOGGING SETTINGS
+###############################################################################
+
+# Enable logging to syslog. Setting level to ERROR captures 500 errors,
+# WARNING also logs 4xx responses.
+
+# Enable the following lines to turn on lots of permissions-related logging.
+# LOGGING['loggers']['awx.main.access']['level'] = 'DEBUG'
+# LOGGING['loggers']['awx.main.signals']['level'] = 'DEBUG'
+# LOGGING['loggers']['awx.main.permissions']['level'] = 'DEBUG'
+
+# Enable the following line to turn on database settings logging.
+# LOGGING['loggers']['awx.conf']['level'] = 'DEBUG'
+
+# Enable the following lines to turn on LDAP auth logging.
+# LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console']
+# LOGGING['loggers']['django_auth_ldap']['level'] = 'DEBUG'
+
+BROADCAST_WEBSOCKET_PORT = 8013
+BROADCAST_WEBSOCKET_VERIFY_CERT = False
+BROADCAST_WEBSOCKET_PROTOCOL = 'http'
+
+STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}'

tools/docker-compose/ansible/roles/sources/templates/nginx.conf.j2

@@ -1,8 +1,7 @@
-#user awx;
-
 worker_processes  1;
 
-pid        /tmp/nginx.pid;
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
 
 events {
     worker_connections  1024;
@@ -17,7 +16,7 @@ http {
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
-    access_log /dev/stdout main;
+    access_log  /var/log/nginx/access.log  main;
 
     map $http_upgrade $connection_upgrade {
         default upgrade;
@@ -25,41 +24,17 @@ http {
     }
 
     sendfile        on;
-    #tcp_nopush     on;
-    #gzip  on;
 
     upstream uwsgi {
-        server 127.0.0.1:8050;
-        }
+        server localhost:8050;
+    }
 
     upstream daphne {
-        server 127.0.0.1:8051;
+        server localhost:8051;
     }
 
-    {% if ssl_certificate is defined %}
     server {
-        listen 8052 default_server;
-        server_name _;
-
-        # Redirect all HTTP links to the matching HTTPS page
-        return 301 https://$host$request_uri;
-    }
-    {%endif %}
-
-    server {
-        {% if (ssl_certificate is defined) and (ssl_certificate_key is defined) %}
-        listen 8053 ssl;
-
-        ssl_certificate /etc/nginx/awxweb.pem;
-        ssl_certificate_key /etc/nginx/awxweb_key.pem;
-        {% elif (ssl_certificate is defined) and (ssl_certificate_key is not defined) %}
-        listen 8053 ssl;
-
-        ssl_certificate /etc/nginx/awxweb.pem;
-        ssl_certificate_key /etc/nginx/awxweb.pem;
-        {% else %}
-        listen 8052 default_server;
-        {% endif %}
+        listen 8013 default_server;
 
         # If you have a domain name, this is where to add it
         server_name _;
@@ -67,56 +42,35 @@ http {
 
         # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
         add_header Strict-Transport-Security max-age=15768000;
+        add_header X-Content-Type-Options nosniff;
 
-        # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
-        add_header X-Frame-Options "DENY";
+        include /etc/nginx/conf.d/*.conf;
+    }
 
-        location /nginx_status {
-          stub_status on;
-          access_log off;
-          allow 127.0.0.1;
-          deny all;
-        }
+    server {
+        listen 8043 default_server ssl;
 
-        location /static/ {
-            alias /var/lib/awx/public/static/;
-        }
+        # If you have a domain name, this is where to add it
+        server_name _;
+        keepalive_timeout 65;
 
-        location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }
+        ssl_certificate /etc/nginx/nginx.crt;
+        ssl_certificate_key /etc/nginx/nginx.key;
 
-        location /websocket {
-            # Pass request to the upstream alias
-            proxy_pass http://daphne;
-            # Require http version 1.1 to allow for upgrade requests
-            proxy_http_version 1.1;
-            # We want proxy_buffering off for proxying to websockets.
-            proxy_buffering off;
-            # http://en.wikipedia.org/wiki/X-Forwarded-For
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            # enable this if you use HTTPS:
-            proxy_set_header X-Forwarded-Proto https;
-            # pass the Host: header from the client for the sake of redirects
-            proxy_set_header Host $http_host;
-            # We've set the Host header, so we don't need Nginx to muddle
-            # about with redirects
-            proxy_redirect off;
-            # Depending on the request value, set the Upgrade and
-            # connection headers
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection $connection_upgrade;
-        }
+        ssl_session_timeout 1d;
+        ssl_session_cache shared:SSL:50m;
+        ssl_session_tickets off;
 
-        location / {
-            # Add trailing / if missing
-            rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
-            uwsgi_read_timeout 120s;
-            uwsgi_pass uwsgi;
-            include /etc/nginx/uwsgi_params;
-            {%- if extra_nginx_include is defined %}
-            include {{ extra_nginx_include }};
-            {%- endif %}
-            proxy_set_header X-Forwarded-Port 443;
-            uwsgi_param HTTP_X_FORWARDED_PORT 443;
-        }
+        # intermediate configuration. tweak to your needs.
+        ssl_protocols TLSv1.2;
+        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+        ssl_prefer_server_ciphers on;
+
+        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+        add_header Strict-Transport-Security max-age=15768000;
+        add_header X-Content-Type-Options nosniff;
+
+
+        include /etc/nginx/conf.d/*.conf;
     }
 }

tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2

@@ -0,0 +1,37 @@
+location {{ (ingress_path + '/static').replace('//', '/') }} {
+    alias /var/lib/awx/public/static/;
+}
+
+location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} {
+    alias /awx_devel/awx/public/static/favicon.ico;
+}
+
+location {{ (ingress_path + '/websocket').replace('//', '/') }} {
+    # Pass request to the upstream alias
+    proxy_pass http://daphne;
+    # Require http version 1.1 to allow for upgrade requests
+    proxy_http_version 1.1;
+    # We want proxy_buffering off for proxying to websockets.
+    proxy_buffering off;
+    # http://en.wikipedia.org/wiki/X-Forwarded-For
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    # enable this if you use HTTPS:
+    proxy_set_header X-Forwarded-Proto https;
+    # pass the Host: header from the client for the sake of redirects
+    proxy_set_header Host $http_host;
+    # We've set the Host header, so we don't need Nginx to muddle
+    # about with redirects
+    proxy_redirect off;
+    # Depending on the request value, set the Upgrade and
+    # connection headers
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+}
+
+location {{ ingress_path }} {
+    # Add trailing / if missing
+    rewrite ^(.*[^/])$ $1/ permanent;
+    uwsgi_read_timeout 120s;
+    uwsgi_pass uwsgi;
+    include /etc/nginx/uwsgi_params;
+}