From 44fa30f91b5c39380fb108ecf951911c797cc55e Mon Sep 17 00:00:00 2001 From: Sarah Akus Date: Mon, 27 Feb 2023 10:16:28 -0500 Subject: [PATCH] Revert "Allow serving app from non-root path in dev env" --- Makefile | 14 +- .../roles/dockerfile/templates/Dockerfile.j2 | 5 +- .../dockerfile/templates/supervisor.conf.j2 | 2 +- .../ansible/roles/sources/defaults/main.yml | 1 - .../local_settings.py} | 2 - .../ansible/roles/sources/tasks/main.yml | 13 +- .../sources/templates/docker-compose.yml.j2 | 3 - .../roles/sources/templates/nginx.conf.j2 | 108 ++++++++++----- .../sources/templates/nginx.locations.conf.j2 | 37 ------ tools/docker-compose/nginx.conf | 31 +++++ tools/docker-compose/nginx.vh.default.conf | 124 ++++++++++++++++++ 11 files changed, 259 insertions(+), 81 deletions(-) rename tools/docker-compose/ansible/roles/sources/{templates/local_settings.py.j2 => files/local_settings.py} (96%) delete mode 100644 tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2 create mode 100644 tools/docker-compose/nginx.conf create mode 100644 tools/docker-compose/nginx.vh.default.conf diff --git a/Makefile b/Makefile index 4e402125b2..896dcf2c6c 100644 --- a/Makefile +++ b/Makefile @@ -203,7 +203,19 @@ uwsgi: collectstatic @if [ "$(VENV_BASE)" ]; then \ . $(VENV_BASE)/awx/bin/activate; \ fi; \ - uwsgi /etc/tower/uwsgi.ini + uwsgi -b 32768 \ + --socket 127.0.0.1:8050 \ + --module=awx.wsgi:application \ + --home=/var/lib/awx/venv/awx \ + --chdir=/awx_devel/ \ + --vacuum \ + --processes=5 \ + --harakiri=120 --master \ + --no-orphans \ + --max-requests=1000 \ + --stats /tmp/stats.socket \ + --lazy-apps \ + --logformat "%(addr) %(method) %(uri) - %(proto) %(status)" awx-autoreload: @/awx_devel/tools/docker-compose/awx-autoreload /awx_devel/awx "$(DEV_RELOAD_COMMAND)" diff --git a/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 b/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 index e35234f622..166f24b79f 100644 --- a/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 +++ b/tools/ansible/roles/dockerfile/templates/Dockerfile.j2 @@ -199,11 +199,11 @@ ADD tools/ansible/roles/dockerfile/files/rsyslog.conf /var/lib/awx/rsyslog/rsysl ADD tools/ansible/roles/dockerfile/files/wait-for-migrations /usr/local/bin/wait-for-migrations ADD tools/ansible/roles/dockerfile/files/stop-supervisor /usr/local/bin/stop-supervisor -ADD tools/ansible/roles/dockerfile/files/uwsgi.ini /etc/tower/uwsgi.ini - ## File mappings {% if build_dev|bool %} ADD tools/docker-compose/launch_awx.sh /usr/bin/launch_awx.sh +ADD tools/docker-compose/nginx.conf /etc/nginx/nginx.conf +ADD tools/docker-compose/nginx.vh.default.conf /etc/nginx/conf.d/nginx.vh.default.conf ADD tools/docker-compose/start_tests.sh /start_tests.sh ADD tools/docker-compose/bootstrap_development.sh /usr/bin/bootstrap_development.sh ADD tools/docker-compose/entrypoint.sh /entrypoint.sh @@ -213,6 +213,7 @@ ADD https://raw.githubusercontent.com/containers/libpod/master/contrib/podmanima {% else %} ADD tools/ansible/roles/dockerfile/files/launch_awx.sh /usr/bin/launch_awx.sh ADD tools/ansible/roles/dockerfile/files/launch_awx_task.sh /usr/bin/launch_awx_task.sh +ADD tools/ansible/roles/dockerfile/files/uwsgi.ini /etc/tower/uwsgi.ini ADD {{ template_dest }}/supervisor.conf /etc/supervisord.conf ADD {{ template_dest }}/supervisor_task.conf /etc/supervisord_task.conf {% endif %} diff --git a/tools/ansible/roles/dockerfile/templates/supervisor.conf.j2 b/tools/ansible/roles/dockerfile/templates/supervisor.conf.j2 index 6cd821b9d0..e67b79fbe9 100644 --- a/tools/ansible/roles/dockerfile/templates/supervisor.conf.j2 +++ b/tools/ansible/roles/dockerfile/templates/supervisor.conf.j2 @@ -30,8 +30,8 @@ environment = DEV_RELOAD_COMMAND='supervisorctl -c /etc/supervisord_task.conf restart all; supervisorctl restart tower-processes:daphne tower-processes:wsbroadcast' {% else %} command = /var/lib/awx/venv/awx/bin/uwsgi /etc/tower/uwsgi.ini -{% endif %} directory = /var/lib/awx +{% endif %} autorestart = true startsecs = 30 stopasgroup=true diff --git a/tools/docker-compose/ansible/roles/sources/defaults/main.yml b/tools/docker-compose/ansible/roles/sources/defaults/main.yml index cf5a65e0b6..9155cacfa9 100644 --- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml +++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml @@ -9,7 +9,6 @@ control_plane_node_count: 1 minikube_container_group: false receptor_socket_file: /var/run/awx-receptor/receptor.sock receptor_image: quay.io/ansible/receptor:devel -ingress_path: / # Keys for signing work receptor_rsa_bits: 4096 diff --git a/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2 b/tools/docker-compose/ansible/roles/sources/files/local_settings.py similarity index 96% rename from tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2 rename to tools/docker-compose/ansible/roles/sources/files/local_settings.py index 0b4ffd0160..552850e81c 100644 --- a/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2 +++ b/tools/docker-compose/ansible/roles/sources/files/local_settings.py @@ -46,5 +46,3 @@ SYSTEM_UUID = '00000000-0000-0000-0000-000000000000' BROADCAST_WEBSOCKET_PORT = 8013 BROADCAST_WEBSOCKET_VERIFY_CERT = False BROADCAST_WEBSOCKET_PROTOCOL = 'http' - -STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}' diff --git a/tools/docker-compose/ansible/roles/sources/tasks/main.yml b/tools/docker-compose/ansible/roles/sources/tasks/main.yml index 17ab4dc0c9..5149364dd7 100644 --- a/tools/docker-compose/ansible/roles/sources/tasks/main.yml +++ b/tools/docker-compose/ansible/roles/sources/tasks/main.yml @@ -49,11 +49,18 @@ mode: '0600' with_items: - "database.py" - - "local_settings.py" - "websocket_secret.py" - "haproxy.cfg" - - "nginx.conf" - - "nginx.locations.conf" + +- name: Delete old local_settings.py + file: + path: "{{ playbook_dir }}/../../../awx/settings/local_settings.py" + state: absent + +- name: Copy local_settings.py + copy: + src: "local_settings.py" + dest: "{{ sources_dest }}/local_settings.py" - name: Get OS info for sdb shell: | diff --git a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 index 7badd37181..60d5d44fb8 100644 --- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 +++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 @@ -24,7 +24,6 @@ services: EXECUTION_NODE_COUNT: {{ execution_node_count|int }} AWX_LOGGING_MODE: stdout DJANGO_SUPERUSER_PASSWORD: {{ admin_password }} - UWSGI_MOUNT_PATH: {{ ingress_path }} {% if loop.index == 1 %} RUN_MIGRATIONS: 1 {% endif %} @@ -41,8 +40,6 @@ services: - "../../docker-compose/_sources/database.py:/etc/tower/conf.d/database.py" - "../../docker-compose/_sources/websocket_secret.py:/etc/tower/conf.d/websocket_secret.py" - "../../docker-compose/_sources/local_settings.py:/etc/tower/conf.d/local_settings.py" - - "../../docker-compose/_sources/nginx.conf:/etc/nginx/nginx.conf" - - "../../docker-compose/_sources/nginx.locations.conf:/etc/nginx/conf.d/nginx.locations.conf" - "../../docker-compose/_sources/SECRET_KEY:/etc/tower/SECRET_KEY" - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf:/etc/receptor/receptor.conf" - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf.lock:/etc/receptor/receptor.conf.lock" diff --git a/tools/docker-compose/ansible/roles/sources/templates/nginx.conf.j2 b/tools/docker-compose/ansible/roles/sources/templates/nginx.conf.j2 index ff7e2ab386..327b59a2fe 100644 --- a/tools/docker-compose/ansible/roles/sources/templates/nginx.conf.j2 +++ b/tools/docker-compose/ansible/roles/sources/templates/nginx.conf.j2 @@ -1,7 +1,8 @@ +#user awx; + worker_processes 1; -error_log /var/log/nginx/error.log warn; -pid /var/run/nginx.pid; +pid /tmp/nginx.pid; events { worker_connections 1024; @@ -16,7 +17,7 @@ http { '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/nginx/access.log main; + access_log /dev/stdout main; map $http_upgrade $connection_upgrade { default upgrade; @@ -24,17 +25,41 @@ http { } sendfile on; + #tcp_nopush on; + #gzip on; upstream uwsgi { - server localhost:8050; - } + server 127.0.0.1:8050; + } upstream daphne { - server localhost:8051; + server 127.0.0.1:8051; } + {% if ssl_certificate is defined %} server { - listen 8013 default_server; + listen 8052 default_server; + server_name _; + + # Redirect all HTTP links to the matching HTTPS page + return 301 https://$host$request_uri; + } + {%endif %} + + server { + {% if (ssl_certificate is defined) and (ssl_certificate_key is defined) %} + listen 8053 ssl; + + ssl_certificate /etc/nginx/awxweb.pem; + ssl_certificate_key /etc/nginx/awxweb_key.pem; + {% elif (ssl_certificate is defined) and (ssl_certificate_key is not defined) %} + listen 8053 ssl; + + ssl_certificate /etc/nginx/awxweb.pem; + ssl_certificate_key /etc/nginx/awxweb.pem; + {% else %} + listen 8052 default_server; + {% endif %} # If you have a domain name, this is where to add it server_name _; @@ -42,35 +67,56 @@ http { # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; - add_header X-Content-Type-Options nosniff; - include /etc/nginx/conf.d/*.conf; - } + # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009) + add_header X-Frame-Options "DENY"; - server { - listen 8043 default_server ssl; + location /nginx_status { + stub_status on; + access_log off; + allow 127.0.0.1; + deny all; + } - # If you have a domain name, this is where to add it - server_name _; - keepalive_timeout 65; + location /static/ { + alias /var/lib/awx/public/static/; + } - ssl_certificate /etc/nginx/nginx.crt; - ssl_certificate_key /etc/nginx/nginx.key; + location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; } - ssl_session_timeout 1d; - ssl_session_cache shared:SSL:50m; - ssl_session_tickets off; + location /websocket { + # Pass request to the upstream alias + proxy_pass http://daphne; + # Require http version 1.1 to allow for upgrade requests + proxy_http_version 1.1; + # We want proxy_buffering off for proxying to websockets. + proxy_buffering off; + # http://en.wikipedia.org/wiki/X-Forwarded-For + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # enable this if you use HTTPS: + proxy_set_header X-Forwarded-Proto https; + # pass the Host: header from the client for the sake of redirects + proxy_set_header Host $http_host; + # We've set the Host header, so we don't need Nginx to muddle + # about with redirects + proxy_redirect off; + # Depending on the request value, set the Upgrade and + # connection headers + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + } - # intermediate configuration. tweak to your needs. - ssl_protocols TLSv1.2; - ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ssl_prefer_server_ciphers on; - - # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) - add_header Strict-Transport-Security max-age=15768000; - add_header X-Content-Type-Options nosniff; - - - include /etc/nginx/conf.d/*.conf; + location / { + # Add trailing / if missing + rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent; + uwsgi_read_timeout 120s; + uwsgi_pass uwsgi; + include /etc/nginx/uwsgi_params; + {%- if extra_nginx_include is defined %} + include {{ extra_nginx_include }}; + {%- endif %} + proxy_set_header X-Forwarded-Port 443; + uwsgi_param HTTP_X_FORWARDED_PORT 443; + } } } diff --git a/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2 b/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2 deleted file mode 100644 index 5d1d24b2b1..0000000000 --- a/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2 +++ /dev/null @@ -1,37 +0,0 @@ -location {{ (ingress_path + '/static').replace('//', '/') }} { - alias /var/lib/awx/public/static/; -} - -location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} { - alias /awx_devel/awx/public/static/favicon.ico; -} - -location {{ (ingress_path + '/websocket').replace('//', '/') }} { - # Pass request to the upstream alias - proxy_pass http://daphne; - # Require http version 1.1 to allow for upgrade requests - proxy_http_version 1.1; - # We want proxy_buffering off for proxying to websockets. - proxy_buffering off; - # http://en.wikipedia.org/wiki/X-Forwarded-For - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # enable this if you use HTTPS: - proxy_set_header X-Forwarded-Proto https; - # pass the Host: header from the client for the sake of redirects - proxy_set_header Host $http_host; - # We've set the Host header, so we don't need Nginx to muddle - # about with redirects - proxy_redirect off; - # Depending on the request value, set the Upgrade and - # connection headers - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; -} - -location {{ ingress_path }} { - # Add trailing / if missing - rewrite ^(.*[^/])$ $1/ permanent; - uwsgi_read_timeout 120s; - uwsgi_pass uwsgi; - include /etc/nginx/uwsgi_params; -} diff --git a/tools/docker-compose/nginx.conf b/tools/docker-compose/nginx.conf new file mode 100644 index 0000000000..348f93b727 --- /dev/null +++ b/tools/docker-compose/nginx.conf @@ -0,0 +1,31 @@ +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + server_tokens off; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + sendfile on; + #tcp_nopush on; + #gzip on; + + include /etc/nginx/conf.d/*.conf; +} diff --git a/tools/docker-compose/nginx.vh.default.conf b/tools/docker-compose/nginx.vh.default.conf new file mode 100644 index 0000000000..649575af34 --- /dev/null +++ b/tools/docker-compose/nginx.vh.default.conf @@ -0,0 +1,124 @@ +upstream uwsgi { + server localhost:8050; +} + +upstream daphne { + server localhost:8051; +} + +# server { +# listen 8013 default_server; +# listen [::]:8013 default_server; +# server_name _; +# return 301 https://$host:8043$request_uri; +# } + +server { + listen 8013 default_server; + + # If you have a domain name, this is where to add it + server_name _; + keepalive_timeout 65; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; + add_header X-Content-Type-Options nosniff; + + location /static/ { + alias /var/lib/awx/public/static/; + } + + location /favicon.ico { alias /awx_devel/awx/public/static/favicon.ico; } + + location ~ ^/websocket { + # Pass request to the upstream alias + proxy_pass http://daphne; + # Require http version 1.1 to allow for upgrade requests + proxy_http_version 1.1; + # We want proxy_buffering off for proxying to websockets. + proxy_buffering off; + # http://en.wikipedia.org/wiki/X-Forwarded-For + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # enable this if you use HTTPS: + proxy_set_header X-Forwarded-Proto https; + # pass the Host: header from the client for the sake of redirects + proxy_set_header Host $http_host; + # We've set the Host header, so we don't need Nginx to muddle + # about with redirects + proxy_redirect off; + # Depending on the request value, set the Upgrade and + # connection headers + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + } + + location / { + # Add trailing / if missing + rewrite ^(.*[^/])$ $1/ permanent; + uwsgi_read_timeout 120s; + uwsgi_pass uwsgi; + include /etc/nginx/uwsgi_params; + } +} + +server { + listen 8043 default_server ssl; + + # If you have a domain name, this is where to add it + server_name _; + keepalive_timeout 65; + + ssl_certificate /etc/nginx/nginx.crt; + ssl_certificate_key /etc/nginx/nginx.key; + + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets off; + + # intermediate configuration. tweak to your needs. + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_prefer_server_ciphers on; + + # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) + add_header Strict-Transport-Security max-age=15768000; + add_header X-Content-Type-Options nosniff; + + location /static/ { + alias /var/lib/awx/public/static/; + access_log off; + sendfile off; + } + + location /favicon.ico { alias /awx_devel/awx/public/static/favicon.ico; } + + location ~ ^/websocket { + # Pass request to the upstream alias + proxy_pass http://daphne; + # Require http version 1.1 to allow for upgrade requests + proxy_http_version 1.1; + # We want proxy_buffering off for proxying to websockets. + proxy_buffering off; + # http://en.wikipedia.org/wiki/X-Forwarded-For + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # enable this if you use HTTPS: + proxy_set_header X-Forwarded-Proto https; + # pass the Host: header from the client for the sake of redirects + proxy_set_header Host $http_host; + # We've set the Host header, so we don't need Nginx to muddle + # about with redirects + proxy_redirect off; + # Depending on the request value, set the Upgrade and + # connection headers + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + } + + location / { + # Add trailing / if missing + rewrite ^(.*[^/])$ $1/ permanent; + uwsgi_read_timeout 120s; + uwsgi_pass uwsgi; + include /etc/nginx/uwsgi_params; + } +}