Merge pull request #3604 from athenahealth/complete-ssl-support

Update SSL support for docker-compose install Reviewed-by: https://github.com/softwarefactory-project-zuul[bot]
2026-01-10 15:32:07 -03:30 · 2019-05-28 13:51:43 +00:00 · 2019-05-28 13:51:43 +00:00 · 9c90694f12
commit 9c90694f12
parent ca3735ee73 7b636a7566
4 changed files with 27 additions and 3 deletions
--- a/INSTALL.md
+++ b/INSTALL.md
@ -443,6 +443,10 @@ Before starting the build process, review the [inventory](./installer/inventory)

 > Provide a port number that can be mapped from the Docker daemon host to the web server running inside the AWX container. Defaults to *80*.

+*host_port_ssl*
+
+> Provide a port number that can be mapped from the Docker daemon host to the web server running inside the AWX container for SSL support. Defaults to *443*, only works if you also set `ssl_certificate` (see below).
+
 *ssl_certificate*

 > Optionally, provide the path to a file that contains a certificate and its private key.
--- a/installer/inventory
+++ b/installer/inventory
@ -53,6 +53,7 @@ awx_task_hostname=awx
 awx_web_hostname=awxweb
 postgres_data_dir=/tmp/pgdocker
 host_port=80
+host_port_ssl=443
 #ssl_certificate=
 docker_compose_dir=/tmp/awxcompose

--- a/installer/roles/image_build/templates/nginx.conf.j2
+++ b/installer/roles/image_build/templates/nginx.conf.j2
@ -35,9 +35,19 @@ http {
        server 127.0.0.1:8051;
    }

+    {% if ssl_certificate is defined %}
+    server {
+        listen 8052 default_server;
+        server_name _;
+
+        # Redirect all HTTP links to the matching HTTPS page
+        return 301 https://$host$request_uri;
+    }
+    {%endif %}
+
    server {
        {% if ssl_certificate is defined %}
-        listen 8052 ssl default_server;
+        listen 8053 ssl;

        ssl_certificate /etc/nginx/awxweb.pem;
        ssl_certificate_key /etc/nginx/awxweb.pem;
@ -54,14 +64,14 @@ http {

        # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
        add_header X-Frame-Options "DENY";
-        
+
        location /nginx_status {
          stub_status on;
          access_log off;
          allow 127.0.0.1;
          deny all;
        }
-        
+
        location /static/ {
            alias /var/lib/awx/public/static/;
        }
--- a/installer/roles/local_docker/templates/docker-compose.yml.j2
+++ b/installer/roles/local_docker/templates/docker-compose.yml.j2
@ -12,6 +12,9 @@ services:
      - postgres
      {% endif %}
    ports:
+      {% if ssl_certificate is defined %}
+      - "{{ host_port_ssl }}:8053"
+      {% endif %}
      - "{{ host_port }}:8052"
    hostname: {{ awx_web_hostname }}
    user: root
@ -26,6 +29,9 @@ services:
    {% if ca_trust_dir is defined %}
      - "{{ ca_trust_dir +':/etc/pki/ca-trust/source/anchors:ro' }}"
    {% endif %}
+    {% if ssl_certificate is defined %}
+      - "{{ ssl_certificate +':/etc/nginx/awxweb.pem:ro' }}"
+    {% endif %}
    {% if (awx_container_search_domains is defined) and (',' in awx_container_search_domains) %}
    {% set awx_container_search_domains_list = awx_container_search_domains.split(',') %}
    dns_search:
@ -72,6 +78,9 @@ services:
    {% if ca_trust_dir is defined %}
      - "{{ ca_trust_dir +':/etc/pki/ca-trust/source/anchors:ro' }}"
    {% endif %}
+    {% if ssl_certificate is defined %}
+      - "{{ ssl_certificate +':/etc/nginx/awxweb.pem:ro' }}"
+    {% endif %}
    {% if (awx_container_search_domains is defined) and (',' in awx_container_search_domains) %}
    {% set awx_container_search_domains_list = awx_container_search_domains.split(',') %}
    dns_search: