From 28e3c635622f8f0b2838277c2770143a5c49c511 Mon Sep 17 00:00:00 2001
From: Jeff Byrnes
Date: Wed, 3 Apr 2019 11:11:33 -0400
Subject: [PATCH 1/2] Add optional SSL cert to docker-compose install

In #3322, this mount was added, but only to the standalone Docker install setup: github.com/ansible/awx/pull/3322/files#diff-596e32ab54a52bfed763f8a639499fe0 This ensures that the SSL cert is loaded when using docker-compose, which is the only Docker-based method available as of v4.0.0
---
 .../roles/local_docker/templates/docker-compose.yml.j2 | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/installer/roles/local_docker/templates/docker-compose.yml.j2 b/installer/roles/local_docker/templates/docker-compose.yml.j2
index 138d0e9871..3fba670f15 100644
--- a/installer/roles/local_docker/templates/docker-compose.yml.j2
+++ b/installer/roles/local_docker/templates/docker-compose.yml.j2
@@ -26,6 +26,9 @@ services:
 {% if ca_trust_dir is defined %}
 - "{{ ca_trust_dir +':/etc/pki/ca-trust/source/anchors:ro' }}"
 {% endif %}
+ {% if ssl_certificate is defined %}
+ - "{{ ssl_certificate +':/etc/nginx/awxweb.pem:ro' }}"
+ {% endif %}
 {% if (awx_container_search_domains is defined) and (',' in awx_container_search_domains) %}
 {% set awx_container_search_domains_list = awx_container_search_domains.split(',') %}
 dns_search:
@@ -72,6 +75,9 @@ services:
 {% if ca_trust_dir is defined %}
 - "{{ ca_trust_dir +':/etc/pki/ca-trust/source/anchors:ro' }}"
 {% endif %}
+ {% if ssl_certificate is defined %}
+ - "{{ ssl_certificate +':/etc/nginx/awxweb.pem:ro' }}"
+ {% endif %}
 {% if (awx_container_search_domains is defined) and (',' in awx_container_search_domains) %}
 {% set awx_container_search_domains_list = awx_container_search_domains.split(',') %}
 dns_search:
From 7b636a75668fd43b03a966fdc3b66960918a62f4 Mon Sep 17 00:00:00 2001
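Review bot: The `ssl_certificate` file, which INSTALL.md in the second patch describes as holding the certificate together with its private key, is mounted by both hunks of this commit (old line 26 and old line 72), while only the nginx server in the web container reads `/etc/nginx/awxweb.pem`. If the second service is the task container, as its parallel `ca_trust_dir` mount suggests it is a sibling service, the private key is placed there with no consumer; consider keeping the `{% if ssl_certificate is defined %}` mount only in the web service's volume list, and the `:ro` flag is right to keep. The guard only gates the mount: whether nginx actually reads the file depends on the image having been built with the same variable defined, since the nginx template lives in the image_build role, so a short Jinja comment above the block such as `{# cert+key PEM consumed by nginx.conf.j2 in image_build; rebuild the image when enabling TLS #}` would spare the next reader a surprise.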
From: Jeff Byrnes
Date: Wed, 3 Apr 2019 11:50:10 -0400
Subject: [PATCH 2/2] Set up HTTPS w/ proper port & HTTP redirect
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

HTTPS is, by default, expected to be on port 443. Also, with HSTS set, we need to be sure that users attempting to arrive via HTTP are properly redirected to HTTPS. This does so by:
* Setting up a 301 redirect for any URL to its HTTPS version
* Adjusting the internal port for HTTPS traffic to 8053
* Setting docker-compose to share port 443 → 8053
- This is configurable via an inventory variable
---
 INSTALL.md | 4 ++++
 installer/inventory | 1 +
 .../roles/image_build/templates/nginx.conf.j2 | 16 +++++++++++++---
 .../local_docker/templates/docker-compose.yml.j2 | 3 +++
 4 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/INSTALL.md b/INSTALL.md
index 65cda0954e..64488550dc 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -443,6 +443,10 @@ Before starting the build process, review the [inventory](./installer/inventory)
 
 > Provide a port number that can be mapped from the Docker daemon host to the web server running inside the AWX container. Defaults to *80*.
 
+*host_port_ssl*
+
+> Provide a port number that can be mapped from the Docker daemon host to the web server running inside the AWX container for SSL support. Defaults to *443*, only works if you also set `ssl_certificate` (see below).
+
 *ssl_certificate*
 
 > Optionally, provide the path to a file that contains a certificate and its private key.
diff --git a/installer/inventory b/installer/inventory
index e470012cf6..0341a6a8dc 100644
--- a/installer/inventory
+++ b/installer/inventory
@@ -53,6 +53,7 @@ awx_task_hostname=awx
 awx_web_hostname=awxweb
 postgres_data_dir=/tmp/pgdocker
 host_port=80
+host_port_ssl=443
 #ssl_certificate=
 docker_compose_dir=/tmp/awxcompose
 
diff --git a/installer/roles/image_build/templates/nginx.conf.j2 b/installer/roles/image_build/templates/nginx.conf.j2
index b40d3b3f22..a0f23698cb 100644
--- a/installer/roles/image_build/templates/nginx.conf.j2
+++ b/installer/roles/image_build/templates/nginx.conf.j2
@@ -35,9 +35,19 @@ http {
 server 127.0.0.1:8051;
 }
 
+ {% if ssl_certificate is defined %}
+ server {
+ listen 8052 default_server;
+ server_name _;
+
+ # Redirect all HTTP links to the matching HTTPS page
+ return 301 https://$host$request_uri;
+ }
+ {%endif %}
+
 server {
 {% if ssl_certificate is defined %}
- listen 8052 ssl default_server;
+ listen 8053 ssl;
 ssl_certificate /etc/nginx/awxweb.pem;
 ssl_certificate_key /etc/nginx/awxweb.pem;
 
@@ -54,14 +64,14 @@ http {
 
 # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
 add_header X-Frame-Options "DENY";
-
+
 location /nginx_status {
 stub_status on;
 access_log off;
 allow 127.0.0.1;
 deny all;
 }
-
+
 location /static/ {
 alias /var/lib/awx/public/static/;
 }
diff --git a/installer/roles/local_docker/templates/docker-compose.yml.j2 b/installer/roles/local_docker/templates/docker-compose.yml.j2
index 3fba670f15..a4a3a7e3a5 100644
--- a/installer/roles/local_docker/templates/docker-compose.yml.j2
+++ b/installer/roles/local_docker/templates/docker-compose.yml.j2
@@ -12,6 +12,9 @@ services:
 - postgres
 {% endif %}
 ports:
+ {% if ssl_certificate is defined %}
+ - "{{ host_port_ssl }}:8053"
+ {% endif %}
 - "{{ host_port }}:8052"
 hostname: {{ awx_web_hostname }}
 user: root
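Review bot: The redirect `return 301 https://$host$request_uri;` in the new catch-all server drops the port, so as soon as `host_port_ssl` is set to anything other than 443 — the knob this commit introduces — HTTP clients are sent to a port where nothing is published; the target should carry the configured port, e.g. `return 301 https://$host{% if host_port_ssl | default(443) | int != 443 %}:{{ host_port_ssl }}{% endif %}$request_uri;`, assuming the inventory variable is in scope when this image_build template is rendered, which the hunk cannot show. `$host` comes from the client's Host header, so with `server_name _;` the redirect destination is whatever the client names; that is the usual trade-off for a catch-all redirect, but the comment above it should say so rather than only "matching HTTPS page". Anything inside the compose network that still talks plain HTTP to port 8052 on this container now receives a 301 instead of a response, so in-container and sibling-service callers are worth a check before merging. Style: `{%endif %}` lacks the space every other tag in the file has.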
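Review bot: `host_port_ssl` is referenced with no fallback, so an existing inventory that already sets `ssl_certificate` but predates the `host_port_ssl=443` line this same commit adds to installer/inventory fails to render the compose file with an undefined-variable error; `- "{{ host_port_ssl | default(443) }}:8053"` matches the default INSTALL.md documents. The plain-HTTP publish `- "{{ host_port }}:8052"` stays unconditional, which is intended here because 8052 now answers with the HTTPS redirect when the certificate is set, but a Jinja comment above the block such as `{# 8052 stays published: nginx returns a 301 to HTTPS there when ssl_certificate is set #}` would keep the next reader from dropping it.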