Set up HTTPS w/ proper port & HTTP redirect

HTTPS is, by default, expected to be on port 443.

Also, with HSTS set, we need to be sure that users attempting to arrive
via HTTP are properly redirected to HTTPS.

This does so by:

* Setting up a 301 redirect for any URL to its HTTPS version
* Adjusting the internal port for HTTPS traffic to 8053
* Setting docker-compose to share port 443 → 8053
    - This is configurable via an inventory variable

installer/inventory

@@ -53,6 +53,7 @@ awx_task_hostname=awx
 awx_web_hostname=awxweb
 postgres_data_dir=/tmp/pgdocker
 host_port=80
+host_port_ssl=443
 #ssl_certificate=
 docker_compose_dir=/tmp/awxcompose
 

installer/roles/image_build/templates/nginx.conf.j2

@@ -35,9 +35,19 @@ http {
         server 127.0.0.1:8051;
     }
 
+    {% if ssl_certificate is defined %}
+    server {
+        listen 8052 default_server;
+        server_name _;
+
+        # Redirect all HTTP links to the matching HTTPS page
+        return 301 https://$host$request_uri;
+    }
+    {%endif %}
+
     server {
         {% if ssl_certificate is defined %}
-        listen 8052 ssl default_server;
+        listen 8053 ssl;
 
         ssl_certificate /etc/nginx/awxweb.pem;
         ssl_certificate_key /etc/nginx/awxweb.pem;
@@ -54,14 +64,14 @@ http {
 
         # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
         add_header X-Frame-Options "DENY";
-        
+
         location /nginx_status {
           stub_status on;
           access_log off;
           allow 127.0.0.1;
           deny all;
         }
-        
+
         location /static/ {
             alias /var/lib/awx/public/static/;
         }

installer/roles/local_docker/templates/docker-compose.yml.j2

@@ -12,6 +12,9 @@ services:
       - postgres
       {% endif %}
     ports:
+      {% if ssl_certificate is defined %}
+      - "{{ host_port_ssl }}:8053"
+      {% endif %}
       - "{{ host_port }}:8052"
     hostname: {{ awx_web_hostname }}
     user: root