Merge pull request #3604 from athenahealth/complete-ssl-support

Update SSL support for docker-compose install

Reviewed-by: https://github.com/softwarefactory-project-zuul[bot]

INSTALL.md

@@ -443,6 +443,10 @@ Before starting the build process, review the [inventory](./installer/inventory)
 
 > Provide a port number that can be mapped from the Docker daemon host to the web server running inside the AWX container. Defaults to *80*.
 
+*host_port_ssl*
+
+> Provide a port number that can be mapped from the Docker daemon host to the web server running inside the AWX container for SSL support. Defaults to *443*, only works if you also set `ssl_certificate` (see below).
+
 *ssl_certificate*
 
 > Optionally, provide the path to a file that contains a certificate and its private key.

installer/inventory

@@ -53,6 +53,7 @@ awx_task_hostname=awx
 awx_web_hostname=awxweb
 postgres_data_dir=/tmp/pgdocker
 host_port=80
+host_port_ssl=443
 #ssl_certificate=
 docker_compose_dir=/tmp/awxcompose
 

installer/roles/image_build/templates/nginx.conf.j2

@@ -35,9 +35,19 @@ http {
         server 127.0.0.1:8051;
     }
 
+    {% if ssl_certificate is defined %}
+    server {
+        listen 8052 default_server;
+        server_name _;
+
+        # Redirect all HTTP links to the matching HTTPS page
+        return 301 https://$host$request_uri;
+    }
+    {%endif %}
+
     server {
         {% if ssl_certificate is defined %}
-        listen 8052 ssl default_server;
+        listen 8053 ssl;
 
         ssl_certificate /etc/nginx/awxweb.pem;
         ssl_certificate_key /etc/nginx/awxweb.pem;
@@ -54,14 +64,14 @@ http {
 
         # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
         add_header X-Frame-Options "DENY";
-        
+
         location /nginx_status {
           stub_status on;
           access_log off;
           allow 127.0.0.1;
           deny all;
         }
-        
+
         location /static/ {
             alias /var/lib/awx/public/static/;
         }

installer/roles/local_docker/templates/docker-compose.yml.j2

@@ -12,6 +12,9 @@ services:
       - postgres
       {% endif %}
     ports:
+      {% if ssl_certificate is defined %}
+      - "{{ host_port_ssl }}:8053"
+      {% endif %}
       - "{{ host_port }}:8052"
     hostname: {{ awx_web_hostname }}
     user: root
@@ -26,6 +29,9 @@ services:
     {% if ca_trust_dir is defined %}
       - "{{ ca_trust_dir +':/etc/pki/ca-trust/source/anchors:ro' }}"
     {% endif %}
+    {% if ssl_certificate is defined %}
+      - "{{ ssl_certificate +':/etc/nginx/awxweb.pem:ro' }}"
+    {% endif %}
     {% if (awx_container_search_domains is defined) and (',' in awx_container_search_domains) %}
     {% set awx_container_search_domains_list = awx_container_search_domains.split(',') %}
     dns_search:
@@ -72,6 +78,9 @@ services:
     {% if ca_trust_dir is defined %}
       - "{{ ca_trust_dir +':/etc/pki/ca-trust/source/anchors:ro' }}"
     {% endif %}
+    {% if ssl_certificate is defined %}
+      - "{{ ssl_certificate +':/etc/nginx/awxweb.pem:ro' }}"
+    {% endif %}
     {% if (awx_container_search_domains is defined) and (',' in awx_container_search_domains) %}
     {% set awx_container_search_domains_list = awx_container_search_domains.split(',') %}
     dns_search: