Merge branch 'devel' into feature_web-task-split

2026-03-20 07:43:35 -05:00 · 2023-02-27 08:49:52 -05:00
parent d4d2de92ec 2902b40084
commit 799ba3f518
13 changed files with 171 additions and 360 deletions
--- a/14
+++ b/14
@@ -210,19 +210,7 @@ uwsgi: collectstatic
 	@if [ "$(VENV_BASE)" ]; then \
 		. $(VENV_BASE)/awx/bin/activate; \
 	fi; \
-	uwsgi -b 32768 \
+	uwsgi /etc/tower/uwsgi.ini
 	    --socket 127.0.0.1:8050 \
 	    --module=awx.wsgi:application \
 	    --home=/var/lib/awx/venv/awx \
 	    --chdir=/awx_devel/ \
 	    --vacuum \
 	    --processes=5 \
 	    --harakiri=120 --master \
 	    --no-orphans \
 	    --max-requests=1000 \
 	    --stats /tmp/stats.socket \
 	    --lazy-apps \
 	    --logformat "%(addr) %(method) %(uri) - %(proto) %(status)"
 awx-autoreload:
 	@/awx_devel/tools/docker-compose/awx-autoreload /awx_devel/awx "$(DEV_RELOAD_COMMAND)"
--- a/awx/main/routing.py
+++ b/awx/main/routing.py
@@ -27,8 +27,8 @@ class AWXProtocolTypeRouter(ProtocolTypeRouter):
 websocket_urlpatterns = [
-    re_path(r'websocket/$', consumers.EventConsumer.as_asgi()),
+    re_path(r'websocket/', consumers.EventConsumer.as_asgi()),
-    re_path(r'websocket/relay/$', consumers.RelayConsumer.as_asgi()),
+    re_path(r'websocket/relay/', consumers.RelayConsumer.as_asgi()),
 ]
 application = AWXProtocolTypeRouter(
--- a/awx/playbooks/project_update.yml
+++ b/awx/playbooks/project_update.yml
@@ -25,47 +25,42 @@
  connection: local
  name: Update source tree if necessary
  tasks:
-    - name: Delete project directory before update
+
-      ansible.builtin.shell: set -o pipefail && find . -delete -print | head -2  # volume mounted, cannot delete folder itself
+    - name: delete project directory before update
-      register: reg
+      command: "find -delete"  # volume mounted, cannot delete folder itself
      changed_when: reg.stdout_lines | length > 1
      args:
        chdir: "{{ project_path }}"
      tags:
        - delete
-    - name: Update project using git
+    - block:
-      tags:
+        - name: update project using git
-        - update_git
+          git:
-      block:
+            dest: "{{project_path|quote}}"
-        - name: Update project using git
+            repo: "{{scm_url}}"
-          ansible.builtin.git:
+            version: "{{scm_branch|quote}}"
-            dest: "{{ project_path | quote }}"
+            refspec: "{{scm_refspec|default(omit)}}"
-            repo: "{{ scm_url }}"
+            force: "{{scm_clean}}"
-            version: "{{ scm_branch | quote }}"
+            track_submodules: "{{scm_track_submodules|default(omit)}}"
-            refspec: "{{ scm_refspec | default(omit) }}"
+            accept_hostkey: "{{scm_accept_hostkey|default(omit)}}"
            force: "{{ scm_clean }}"
            track_submodules: "{{ scm_track_submodules | default(omit) }}"
            accept_hostkey: "{{ scm_accept_hostkey | default(omit) }}"
          register: git_result
        - name: Set the git repository version
-          ansible.builtin.set_fact:
+          set_fact:
            scm_version: "{{ git_result['after'] }}"
          when: "'after' in git_result"
    - name: Update project using svn
      tags:
-        - update_svn
+        - update_git
-      block:
+
-        - name: Update project using svn
+    - block:
-          ansible.builtin.subversion:
+        - name: update project using svn
-            dest: "{{ project_path | quote }}"
+          subversion:
-            repo: "{{ scm_url | quote }}"
+            dest: "{{project_path|quote}}"
-            revision: "{{ scm_branch | quote }}"
+            repo: "{{scm_url|quote}}"
-            force: "{{ scm_clean }}"
+            revision: "{{scm_branch|quote}}"
-            username: "{{ scm_username | default(omit) }}"
+            force: "{{scm_clean}}"
-            password: "{{ scm_password | default(omit) }}"
+            username: "{{scm_username|default(omit)}}"
            password: "{{scm_password|default(omit)}}"
            # must be in_place because folder pre-existing, because it is mounted
            in_place: true
          environment:
@@ -73,90 +68,85 @@
          register: svn_result
        - name: Set the svn repository version
-          ansible.builtin.set_fact:
+          set_fact:
            scm_version: "{{ svn_result['after'] }}"
          when: "'after' in svn_result"
-        - name: Parse subversion version string properly
+        - name: parse subversion version string properly
-          ansible.builtin.set_fact:
+          set_fact:
-            scm_version: "{{ scm_version | regex_replace('^.*Revision: ([0-9]+).*$', '\\1') }}"
+            scm_version: "{{scm_version|regex_replace('^.*Revision: ([0-9]+).*$', '\\1')}}"
    - name: Project update for Insights
      tags:
-        - update_insights
+        - update_svn
-      block:
+
    - block:
        - name: Ensure the project directory is present
-          ansible.builtin.file:
+          file:
-            dest: "{{ project_path | quote }}"
+            dest: "{{project_path|quote}}"
            state: directory
            mode: '0755'
        - name: Fetch Insights Playbook(s)
          insights:
-            insights_url: "{{ insights_url }}"
+            insights_url: "{{insights_url}}"
-            username: "{{ scm_username }}"
+            username: "{{scm_username}}"
-            password: "{{ scm_password }}"
+            password: "{{scm_password}}"
-            project_path: "{{ project_path }}"
+            project_path: "{{project_path}}"
-            awx_license_type: "{{ awx_license_type }}"
+            awx_license_type: "{{awx_license_type}}"
-            awx_version: "{{ awx_version }}"
+            awx_version: "{{awx_version}}"
          register: results
        - name: Save Insights Version
-          ansible.builtin.set_fact:
+          set_fact:
-            scm_version: "{{ results.version }}"
+            scm_version: "{{results.version}}"
          when: results is defined
    - name: Update project using archive
      tags:
-        - update_archive
+        - update_insights
-      block:
+
    - block:
        - name: Ensure the project archive directory is present
-          ansible.builtin.file:
+          file:
-            dest: "{{ project_path | quote }}/.archive"
+            dest: "{{ project_path|quote }}/.archive"
            state: directory
            mode: '0755'
        - name: Get archive from url
-          ansible.builtin.get_url:
+          get_url:
-            url: "{{ scm_url | quote }}"
+            url: "{{ scm_url|quote }}"
-            dest: "{{ project_path | quote }}/.archive/"
+            dest: "{{ project_path|quote }}/.archive/"
-            url_username: "{{ scm_username | default(omit) }}"
+            url_username: "{{ scm_username|default(omit) }}"
-            url_password: "{{ scm_password | default(omit) }}"
+            url_password: "{{ scm_password|default(omit) }}"
            force_basic_auth: true
            mode: '0755'
          register: get_archive
        - name: Unpack archive
          project_archive:
            src: "{{ get_archive.dest }}"
-            project_path: "{{ project_path | quote }}"
+            project_path: "{{ project_path|quote }}"
            force: "{{ scm_clean }}"
          when: get_archive.changed or scm_clean
          register: unarchived
        - name: Find previous archives
-          ansible.builtin.find:
+          find:
-            paths: "{{ project_path | quote }}/.archive/"
+            paths: "{{ project_path|quote }}/.archive/"
            excludes:
-              - "{{ get_archive.dest | basename }}"
+              - "{{ get_archive.dest|basename }}"
          when: unarchived.changed
          register: previous_archive
        - name: Remove previous archives
-          ansible.builtin.file:
+          file:
            path: "{{ item.path }}"
            state: absent
          loop: "{{ previous_archive.files }}"
-          when: previous_archive.files | default([])
+          when: previous_archive.files|default([])
        - name: Set scm_version to archive sha1 checksum
-          ansible.builtin.set_fact:
+          set_fact:
            scm_version: "{{ get_archive.checksum_src }}"
      tags:
        - update_archive
    - name: Repository Version
-      ansible.builtin.debug:
+      debug:
        msg: "Repository Version {{ scm_version }}"
      tags:
        - update_git
@@ -193,59 +183,60 @@
    additional_collections_env:
      # These environment variables are used for installing collections, in addition to galaxy_task_env
      # setting the collections paths silences warnings
-      ANSIBLE_COLLECTIONS_PATHS: "{{ projects_root }}/.__awx_cache/{{ local_path }}/stage/requirements_collections"
+      ANSIBLE_COLLECTIONS_PATHS: "{{projects_root}}/.__awx_cache/{{local_path}}/stage/requirements_collections"
      # Put the local tmp directory in same volume as collection destination
      # otherwise, files cannot be moved accross volumes and will cause error
-      ANSIBLE_LOCAL_TEMP: "{{ projects_root }}/.__awx_cache/{{ local_path }}/stage/tmp"
+      ANSIBLE_LOCAL_TEMP: "{{projects_root}}/.__awx_cache/{{local_path}}/stage/tmp"
  tasks:
    - name: Check content sync settings
      when: not roles_enabled | bool and not collections_enabled | bool
      tags:
        - install_roles
        - install_collections
      block:
-        - name: Warn about disabled content sync
+        - debug:
          ansible.builtin.debug:
            msg: >
              Collection and role syncing disabled. Check the AWX_ROLES_ENABLED and
              AWX_COLLECTIONS_ENABLED settings and Galaxy credentials on the project's organization.
        - name: End play due to disabled content sync
          ansible.builtin.meta: end_play
-    - name: Fetch galaxy roles from requirements.(yml/yaml)
+        - meta: end_play
-      ansible.builtin.command: >
+
      when: not roles_enabled|bool and not collections_enabled|bool
      tags:
        - install_roles
        - install_collections
    - name: fetch galaxy roles from requirements.(yml/yaml)
      command: >
        ansible-galaxy role install -r {{ item }}
-        --roles-path {{ projects_root }}/.__awx_cache/{{ local_path }}/stage/requirements_roles
+        --roles-path {{projects_root}}/.__awx_cache/{{local_path}}/stage/requirements_roles
        {{ ' -' + 'v' * ansible_verbosity if ansible_verbosity else '' }}
      args:
-        chdir: "{{ project_path | quote }}"
+        chdir: "{{project_path|quote}}"
      register: galaxy_result
      with_fileglob:
-        - "{{ project_path | quote }}/roles/requirements.yaml"
+        - "{{project_path|quote}}/roles/requirements.yaml"
-        - "{{ project_path | quote }}/roles/requirements.yml"
+        - "{{project_path|quote}}/roles/requirements.yml"
      changed_when: "'was installed successfully' in galaxy_result.stdout"
      environment: "{{ galaxy_task_env }}"
-      when: roles_enabled | bool
+      when: roles_enabled|bool
      tags:
        - install_roles
-    - name: Fetch galaxy collections from collections/requirements.(yml/yaml)
+    - name: fetch galaxy collections from collections/requirements.(yml/yaml)
-      ansible.builtin.command: >
+      command: >
        ansible-galaxy collection install -r {{ item }}
-        --collections-path {{ projects_root }}/.__awx_cache/{{ local_path }}/stage/requirements_collections
+        --collections-path {{projects_root}}/.__awx_cache/{{local_path}}/stage/requirements_collections
        {{ ' -' + 'v' * ansible_verbosity if ansible_verbosity else '' }}
      args:
-        chdir: "{{ project_path | quote }}"
+        chdir: "{{project_path|quote}}"
      register: galaxy_collection_result
      with_fileglob:
-        - "{{ project_path | quote }}/collections/requirements.yaml"
+        - "{{project_path|quote}}/collections/requirements.yaml"
-        - "{{ project_path | quote }}/collections/requirements.yml"
+        - "{{project_path|quote}}/collections/requirements.yml"
-        - "{{ project_path | quote }}/requirements.yaml"
+        - "{{project_path|quote}}/requirements.yaml"
-        - "{{ project_path | quote }}/requirements.yml"
+        - "{{project_path|quote}}/requirements.yml"
      changed_when: "'Installing ' in galaxy_collection_result.stdout"
      environment: "{{ additional_collections_env | combine(galaxy_task_env) }}"
      when:
        - "ansible_version.full is version_compare('2.9', '>=')"
-        - collections_enabled | bool
+        - collections_enabled|bool
      tags:
        - install_collections
--- a/tools/ansible/roles/dockerfile/templates/Dockerfile.j2
+++ b/tools/ansible/roles/dockerfile/templates/Dockerfile.j2
@@ -197,12 +197,11 @@ RUN mkdir -p /etc/containers/registries.conf.d/ && echo "unqualified-search-regi
 ADD tools/ansible/roles/dockerfile/files/wait-for-migrations /usr/local/bin/wait-for-migrations
 ADD tools/ansible/roles/dockerfile/files/stop-supervisor /usr/local/bin/stop-supervisor
 ADD tools/ansible/roles/dockerfile/files/uwsgi.ini /etc/tower/uwsgi.ini
 ## File mappings
 {% if build_dev|bool %}
 ADD tools/docker-compose/launch_awx.sh /usr/bin/launch_awx.sh
 ADD tools/docker-compose/nginx.conf /etc/nginx/nginx.conf
 ADD tools/docker-compose/nginx.vh.default.conf /etc/nginx/conf.d/nginx.vh.default.conf
 ADD tools/docker-compose/start_tests.sh /start_tests.sh
 ADD tools/docker-compose/bootstrap_development.sh /usr/bin/bootstrap_development.sh
 ADD tools/docker-compose/entrypoint.sh /entrypoint.sh
@@ -212,8 +211,6 @@ ADD https://raw.githubusercontent.com/containers/libpod/master/contrib/podmanima
 {% else %}
 ADD tools/ansible/roles/dockerfile/files/launch_awx.sh /usr/bin/launch_awx.sh
 ADD tools/ansible/roles/dockerfile/files/launch_awx_task.sh /usr/bin/launch_awx_task.sh
 ADD tools/ansible/roles/dockerfile/files/launch_awx_rsyslog.sh /usr/bin/launch_awx_rsyslog.sh
 ADD tools/ansible/roles/dockerfile/files/uwsgi.ini /etc/tower/uwsgi.ini
 ADD {{ template_dest }}/supervisor.conf /etc/supervisord.conf
 ADD {{ template_dest }}/supervisor_task.conf /etc/supervisord_task.conf
 ADD {{ template_dest }}/supervisor_rsyslog.conf /etc/supervisor_rsyslog.conf
--- a/tools/ansible/roles/dockerfile/templates/supervisor.conf.j2
+++ b/tools/ansible/roles/dockerfile/templates/supervisor.conf.j2
@@ -29,8 +29,8 @@ environment =
    DEV_RELOAD_COMMAND='supervisorctl -c /etc/supervisord_task.conf restart all; supervisorctl restart tower-processes:daphne'
 {% else %}
 command = /var/lib/awx/venv/awx/bin/uwsgi /etc/tower/uwsgi.ini
 directory = /var/lib/awx
 {% endif %}
 directory = /var/lib/awx
 autorestart = true
 startsecs = 30
 stopasgroup=true
--- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
@@ -9,6 +9,7 @@ control_plane_node_count: 1
 minikube_container_group: false
 receptor_socket_file: /var/run/awx-receptor/receptor.sock
 receptor_image: quay.io/ansible/receptor:devel
 ingress_path: /
 # Keys for signing work
 receptor_rsa_bits: 4096
--- a/tools/docker-compose/ansible/roles/sources/tasks/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/tasks/main.yml
@@ -49,18 +49,11 @@
    mode: '0600'
  with_items:
    - "database.py"
    - "local_settings.py"
    - "websocket_secret.py"
    - "haproxy.cfg"
-
+    - "nginx.conf"
- name: Delete old local_settings.py
+    - "nginx.locations.conf"
  file:
    path: "{{ playbook_dir }}/../../../awx/settings/local_settings.py"
    state: absent
 - name: Copy local_settings.py
  copy:
    src: "local_settings.py"
    dest: "{{ sources_dest }}/local_settings.py"
 - name: Get OS info for sdb
  shell: |
--- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
@@ -24,6 +24,7 @@ services:
      EXECUTION_NODE_COUNT: {{ execution_node_count|int }}
      AWX_LOGGING_MODE: stdout
      DJANGO_SUPERUSER_PASSWORD: {{ admin_password }}
      UWSGI_MOUNT_PATH: {{ ingress_path }}
 {% if loop.index == 1 %}
      RUN_MIGRATIONS: 1
 {% endif %}
@@ -40,6 +41,8 @@ services:
      - "../../docker-compose/_sources/database.py:/etc/tower/conf.d/database.py"
      - "../../docker-compose/_sources/websocket_secret.py:/etc/tower/conf.d/websocket_secret.py"
      - "../../docker-compose/_sources/local_settings.py:/etc/tower/conf.d/local_settings.py"
      - "../../docker-compose/_sources/nginx.conf:/etc/nginx/nginx.conf"
      - "../../docker-compose/_sources/nginx.locations.conf:/etc/nginx/conf.d/nginx.locations.conf"
      - "../../docker-compose/_sources/SECRET_KEY:/etc/tower/SECRET_KEY"
      - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf:/etc/receptor/receptor.conf"
      - "../../docker-compose/_sources/receptor/receptor-awx-{{ loop.index }}.conf.lock:/etc/receptor/receptor.conf.lock"
--- a/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/local_settings.py.j2
@@ -46,3 +46,5 @@ SYSTEM_UUID = '00000000-0000-0000-0000-000000000000'
 BROADCAST_WEBSOCKET_PORT = 8013
 BROADCAST_WEBSOCKET_VERIFY_CERT = False
 BROADCAST_WEBSOCKET_PROTOCOL = 'http'
 STATIC_URL = '{{ (ingress_path + '/static/').replace('//', '/') }}'
--- a/tools/docker-compose/ansible/roles/sources/templates/nginx.conf.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/nginx.conf.j2
@@ -1,8 +1,7 @@
 #user awx;
 worker_processes  1;
-pid        /tmp/nginx.pid;
+error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
 events {
    worker_connections  1024;
@@ -17,7 +16,7 @@ http {
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
-    access_log /dev/stdout main;
+    access_log  /var/log/nginx/access.log  main;
    map $http_upgrade $connection_upgrade {
        default upgrade;
@@ -25,41 +24,17 @@ http {
    }
    sendfile        on;
    #tcp_nopush     on;
    #gzip  on;
    upstream uwsgi {
-        server 127.0.0.1:8050;
+        server localhost:8050;
-        }
+    }
    upstream daphne {
-        server 127.0.0.1:8051;
+        server localhost:8051;
    }
    {% if ssl_certificate is defined %}
    server {
-        listen 8052 default_server;
+        listen 8013 default_server;
        server_name _;
        # Redirect all HTTP links to the matching HTTPS page
        return 301 https://$host$request_uri;
    }
    {%endif %}
    server {
        {% if (ssl_certificate is defined) and (ssl_certificate_key is defined) %}
        listen 8053 ssl;
        ssl_certificate /etc/nginx/awxweb.pem;
        ssl_certificate_key /etc/nginx/awxweb_key.pem;
        {% elif (ssl_certificate is defined) and (ssl_certificate_key is not defined) %}
        listen 8053 ssl;
        ssl_certificate /etc/nginx/awxweb.pem;
        ssl_certificate_key /etc/nginx/awxweb.pem;
        {% else %}
        listen 8052 default_server;
        {% endif %}
        # If you have a domain name, this is where to add it
        server_name _;
@@ -67,56 +42,35 @@ http {
        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;
        add_header X-Content-Type-Options nosniff;
-        # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
+        include /etc/nginx/conf.d/*.conf;
-        add_header X-Frame-Options "DENY";
+    }
-        location /nginx_status {
+    server {
-          stub_status on;
+        listen 8043 default_server ssl;
          access_log off;
          allow 127.0.0.1;
          deny all;
        }
-        location /static/ {
+        # If you have a domain name, this is where to add it
-            alias /var/lib/awx/public/static/;
+        server_name _;
-        }
+        keepalive_timeout 65;
-        location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }
+        ssl_certificate /etc/nginx/nginx.crt;
        ssl_certificate_key /etc/nginx/nginx.key;
-        location /websocket {
+        ssl_session_timeout 1d;
-            # Pass request to the upstream alias
+        ssl_session_cache shared:SSL:50m;
-            proxy_pass http://daphne;
+        ssl_session_tickets off;
            # Require http version 1.1 to allow for upgrade requests
            proxy_http_version 1.1;
            # We want proxy_buffering off for proxying to websockets.
            proxy_buffering off;
            # http://en.wikipedia.org/wiki/X-Forwarded-For
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # enable this if you use HTTPS:
            proxy_set_header X-Forwarded-Proto https;
            # pass the Host: header from the client for the sake of redirects
            proxy_set_header Host $http_host;
            # We've set the Host header, so we don't need Nginx to muddle
            # about with redirects
            proxy_redirect off;
            # Depending on the request value, set the Upgrade and
            # connection headers
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
-        location / {
+        # intermediate configuration. tweak to your needs.
-            # Add trailing / if missing
+        ssl_protocols TLSv1.2;
-            rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
+        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-            uwsgi_read_timeout 120s;
+        ssl_prefer_server_ciphers on;
-            uwsgi_pass uwsgi;
+
-            include /etc/nginx/uwsgi_params;
+        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-            {%- if extra_nginx_include is defined %}
+        add_header Strict-Transport-Security max-age=15768000;
-            include {{ extra_nginx_include }};
+        add_header X-Content-Type-Options nosniff;
-            {%- endif %}
+
-            proxy_set_header X-Forwarded-Port 443;
+
-            uwsgi_param HTTP_X_FORWARDED_PORT 443;
+        include /etc/nginx/conf.d/*.conf;
        }
    }
 }
--- a/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/nginx.locations.conf.j2
@@ -0,0 +1,37 @@
 location {{ (ingress_path + '/static').replace('//', '/') }} {
    alias /var/lib/awx/public/static/;
 }
 location {{ (ingress_path + '/favicon.ico').replace('//', '/') }} {
    alias /awx_devel/awx/public/static/favicon.ico;
 }
 location {{ (ingress_path + '/websocket').replace('//', '/') }} {
    # Pass request to the upstream alias
    proxy_pass http://daphne;
    # Require http version 1.1 to allow for upgrade requests
    proxy_http_version 1.1;
    # We want proxy_buffering off for proxying to websockets.
    proxy_buffering off;
    # http://en.wikipedia.org/wiki/X-Forwarded-For
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # enable this if you use HTTPS:
    proxy_set_header X-Forwarded-Proto https;
    # pass the Host: header from the client for the sake of redirects
    proxy_set_header Host $http_host;
    # We've set the Host header, so we don't need Nginx to muddle
    # about with redirects
    proxy_redirect off;
    # Depending on the request value, set the Upgrade and
    # connection headers
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
 }
 location {{ ingress_path }} {
    # Add trailing / if missing
    rewrite ^(.*[^/])$ $1/ permanent;
    uwsgi_read_timeout 120s;
    uwsgi_pass uwsgi;
    include /etc/nginx/uwsgi_params;
 }
--- a/tools/docker-compose/nginx.conf
+++ b/tools/docker-compose/nginx.conf
@@ -1,31 +0,0 @@
 worker_processes  1;
 error_log  /var/log/nginx/error.log warn;
 pid        /var/run/nginx.pid;
 events {
    worker_connections  1024;
 }
 http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    sendfile        on;
    #tcp_nopush     on;
    #gzip  on;
    include /etc/nginx/conf.d/*.conf;
 }
--- a/tools/docker-compose/nginx.vh.default.conf
+++ b/tools/docker-compose/nginx.vh.default.conf
@@ -1,124 +0,0 @@
 upstream uwsgi {
    server localhost:8050;
 }
 upstream daphne {
    server localhost:8051;
 }
 # server {
 #     listen 8013 default_server;
 #     listen [::]:8013 default_server;
 #     server_name _;
 #     return 301 https://$host:8043$request_uri;
 # }
 server {
    listen 8013 default_server;
    # If you have a domain name, this is where to add it
    server_name _;
    keepalive_timeout 65;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    add_header X-Content-Type-Options nosniff;
    location /static/ {
        alias /var/lib/awx/public/static/;
    }
    location /favicon.ico { alias /awx_devel/awx/public/static/favicon.ico; }
    location ~ ^/websocket {
        # Pass request to the upstream alias
        proxy_pass http://daphne;
        # Require http version 1.1 to allow for upgrade requests
        proxy_http_version 1.1;
        # We want proxy_buffering off for proxying to websockets.
        proxy_buffering off;
        # http://en.wikipedia.org/wiki/X-Forwarded-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # enable this if you use HTTPS:
        proxy_set_header X-Forwarded-Proto https;
        # pass the Host: header from the client for the sake of redirects
        proxy_set_header Host $http_host;
        # We've set the Host header, so we don't need Nginx to muddle
        # about with redirects
        proxy_redirect off;
        # Depending on the request value, set the Upgrade and
        # connection headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    location / {
        # Add trailing / if missing
        rewrite ^(.*[^/])$ $1/ permanent;
        uwsgi_read_timeout 120s;
        uwsgi_pass uwsgi;
        include /etc/nginx/uwsgi_params;
    }
 }
 server {
    listen 8043 default_server ssl;
    # If you have a domain name, this is where to add it
    server_name _;
    keepalive_timeout 65;
    ssl_certificate /etc/nginx/nginx.crt;
    ssl_certificate_key /etc/nginx/nginx.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;
    add_header X-Content-Type-Options nosniff;
    location /static/ {
        alias /var/lib/awx/public/static/;
        access_log off;
        sendfile off;
    }
    location /favicon.ico { alias /awx_devel/awx/public/static/favicon.ico; }
    location ~ ^/websocket {
        # Pass request to the upstream alias
        proxy_pass http://daphne;
        # Require http version 1.1 to allow for upgrade requests
        proxy_http_version 1.1;
        # We want proxy_buffering off for proxying to websockets.
        proxy_buffering off;
        # http://en.wikipedia.org/wiki/X-Forwarded-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # enable this if you use HTTPS:
        proxy_set_header X-Forwarded-Proto https;
        # pass the Host: header from the client for the sake of redirects
        proxy_set_header Host $http_host;
        # We've set the Host header, so we don't need Nginx to muddle
        # about with redirects
        proxy_redirect off;
        # Depending on the request value, set the Upgrade and
        # connection headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    location / {
        # Add trailing / if missing
        rewrite ^(.*[^/])$ $1/ permanent;
        uwsgi_read_timeout 120s;
        uwsgi_pass uwsgi;
        include /etc/nginx/uwsgi_params;
    }
 }