From 579df6e215b315cace676acb8e6a945810f1449b Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Fri, 7 Oct 2016 10:47:15 -0400
Subject: [PATCH 1/4] new configuration files for uwsgi/daphne
---
 config/awx-nginx-80.conf | 73 +++++++++++++++++++++++++++++++++++
 config/uwsgi_params | 17 ++++++++
 requirements/requirements.txt | 3 +-
 3 files changed, 92 insertions(+), 1 deletion(-)
 create mode 100644 config/awx-nginx-80.conf
 create mode 100644 config/uwsgi_params
diff --git a/config/awx-nginx-80.conf b/config/awx-nginx-80.conf
new file mode 100644
index 0000000000..facaeae181
--- /dev/null
+++ b/config/awx-nginx-80.conf
@@ -0,0 +1,73 @@
+worker_processes auto;
+
+# Enable upgrading of connection (and websocket proxying) depending on the
+# presence of the upgrade field in the client request header
+map \$http_upgrade \$connection_upgrade {
+default upgrade;
+'' close;
+}
+
+# Create an upstream alias to where we've set daphne to bind to
+upstream uwsgi {
+ server 127.0.0.1:8050;
+}
+
+upstream daphne {
+ server 127.0.0.1:8051;
+}
+
+http {
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ server {
+ listen 80;
+ listen 443 ssl;
+
+ # If you have a domain name, this is where to add it
+ server_name localhost *;
+ keepalive_timeout 70;
+
+ ssl_certificate /etc/tower/tower.crt;
+ ssl_certificate_key /etc/tower/tower.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }
+ location /static { alias /var/lib/awx/public/static; }
+
+ location /websocket {
+ # Pass request to the upstream alias
+ proxy_pass http://daphne;
+ # Require http version 1.1 to allow for upgrade requests
+ proxy_http_version 1.1;
+ # We want proxy_buffering off for proxying to websockets.
+ proxy_buffering off;
+ # http://en.wikipedia.org/wiki/X-Forwarded-For
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # enable this if you use HTTPS:
+ proxy_set_header X-Forwarded-Proto https;
+ # pass the Host: header from the client for the sake of redirects
+ proxy_set_header Host $http_host;
+ # We've set the Host header, so we don't need Nginx to muddle
+ # about with redirects
+ proxy_redirect off;
+ # Depending on the request value, set the Upgrade and
+ # connection headers
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+
+ location / {
+ proxy_pass http://uwsgi;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+ }
+}
diff --git a/config/uwsgi_params b/config/uwsgi_params
new file mode 100644
index 0000000000..09c732cd68
--- /dev/null
+++ b/config/uwsgi_params
@@ -0,0 +1,17 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index c2effa3802..be4e9117a0 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
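Review bot: `proxy_set_header X-Forwarded-Proto https;` is hard-coded in both the `/websocket` and `/` locations while the same server block also carries `listen 80;`, so a request that arrived over plain HTTP is reported to the backend as HTTPS and any secure-request or secure-cookie logic in the application is fed a false scheme; use `proxy_set_header X-Forwarded-Proto $scheme;` in both places. The comment `# enable this if you use HTTPS:` above the first of them describes an optional directive, which it no longer is, so it should be dropped or reworded to say that the scheme seen by nginx is forwarded. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1; unless legacy clients are a stated requirement, `ssl_protocols TLSv1.2;` is the safer setting.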
@@ -134,4 +134,5 @@ wsgiref==0.1.2 xmltodict==0.9.2 channels==0.17.2 asgi_amqp==0.3 - +uwsgi==2.0.14 +daphne==0.15.0 From c64392eb676da42ef151a577d0379991b51d99e6 Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Fri, 7 Oct 2016 10:50:30 -0400 Subject: [PATCH 2/4] removing old apache, renaming nginx config --- config/awx-httpd-443.conf | 50 -------------------- config/awx-httpd-80.conf | 49 ------------------- config/{awx-nginx-80.conf => awx-nginx.conf} | 0 3 files changed, 99 deletions(-) delete mode 100644 config/awx-httpd-443.conf delete mode 100644 config/awx-httpd-80.conf rename config/{awx-nginx-80.conf => awx-nginx.conf} (100%) diff --git a/config/awx-httpd-443.conf b/config/awx-httpd-443.conf deleted file mode 100644 index 2266f042c6..0000000000 --- a/config/awx-httpd-443.conf +++ /dev/null @@ -1,50 +0,0 @@ -NameVirtualHost *:443 -WSGISocketPrefix /var/run/wsgi -WSGIPythonHome /var/lib/awx/venv/tower - -# LoadModule ssl_module modules/mod_ssl.so - - - ServerName localhost - ServerAlias * - DocumentRoot /var/lib/awx/public - SSLEngine on -# This certificate can be replaced. -# However, do not use a different name for, or path to, the SSL certificate. -# Tower's live events feature requires the SSL certificate to be in this location. - SSLCertificateFile /etc/tower/tower.cert - SSLCertificateKeyFile /etc/tower/tower.key - SSLProtocol all -SSLv3 -SSLv2 - - WSGIScriptAlias / /var/lib/awx/wsgi.py - WSGIPassAuthorization On - - WSGIDaemonProcess awx user=awx group=awx processes=2 threads=20 maximum-requests=1000 display-name="%{GROUP}" - WSGIProcessGroup awx - - Alias /favicon.ico /var/lib/awx/public/static/favicon.ico - Alias /static/ /var/lib/awx/public/static/ - - - - = 2.3> - Require all granted - - - Order deny,allow - Allow from all - - - - - - = 2.3> - Require all granted - - - Order deny,allow - Allow from all - - - - diff --git a/config/awx-httpd-80.conf b/config/awx-httpd-80.conf deleted file mode 100644 index f1390fead3..0000000000 
--- a/config/awx-httpd-80.conf +++ /dev/null @@ -1,49 +0,0 @@ -WSGISocketPrefix /var/run/wsgi -WSGIPythonHome /var/lib/awx/venv/tower - - - - RewriteEngine On - # don't redirect HTTPs - RewriteCond %{HTTPS} off - # don't redirect /api traffic that requested explicit http:// - RewriteRule ^/api - [L] - RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} - - ServerName localhost - ServerAlias * - DocumentRoot /var/lib/awx/public - - WSGIScriptAlias / /var/lib/awx/wsgi.py - WSGIPassAuthorization On - - WSGIDaemonProcess awx_plain user=awx group=awx processes=2 threads=20 maximum-requests=1000 display-name="%{GROUP}" - WSGIProcessGroup awx_plain - - Alias /favicon.ico /var/lib/awx/public/static/favicon.ico - Alias /static/ /var/lib/awx/public/static/ - - - - = 2.3> - Require all granted - - - Order deny,allow - Allow from all - - - - - - = 2.3> - Require all granted - - - Order deny,allow - Allow from all - - - - - diff --git a/config/awx-nginx-80.conf b/config/awx-nginx.conf similarity index 100% rename from config/awx-nginx-80.conf rename to config/awx-nginx.conf From e4e878d0414067f8971c407b90f3f62a64204412 Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Fri, 7 Oct 2016 14:41:34 -0400 Subject: [PATCH 3/4] copy nginx config and uwsgi_params --- config/awx-nginx.conf | 21 ++++++++++++--------- setup.py | 10 ++++++---- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/config/awx-nginx.conf b/config/awx-nginx.conf index facaeae181..b883bc56f5 100644 --- a/config/awx-nginx.conf +++ b/config/awx-nginx.conf 
@@ -59,15 +59,18 @@ http {
 }
 location / {
- proxy_pass http://uwsgi;
- proxy_http_version 1.1;
- proxy_buffering off;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header Host $http_host;
- proxy_redirect off;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
+ uwsgi_pass uwsgi;
+ include /etc/nginx/uwsgi_params;
+
+ #proxy_pass http://uwsgi;
+ #proxy_http_version 1.1;
+ #proxy_buffering off;
+ #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ #proxy_set_header X-Forwarded-Proto https;
+ #proxy_set_header Host $http_host;
+ #proxy_redirect off;
+ #proxy_set_header Upgrade $http_upgrade;
+ #proxy_set_header Connection $connection_upgrade;
 }
 }
 }
diff --git a/setup.py b/setup.py
index e6e25d4eec..bddc6f0645 100755
--- a/setup.py
+++ b/setup.py
@@ -25,14 +25,16 @@ docdir = "/usr/share/doc/ansible-tower"
 if os.path.exists("/etc/debian_version"):
 sysinit = "/etc/init.d"
- webconfig = "/etc/apache2/conf.d"
+ webconfig = "/etc/nginx"
+ siteconfig = "/etc/nginx/sites-enabled"
 # sosreport-3.1 (and newer) look in '/usr/share/sosreport/sos/plugins'
 # sosreport-3.0 looks in '/usr/lib/python2.7/dist-packages/sos/plugins'
 # debian/.links will create symlinks to support both versions
 sosconfig = "/usr/share/sosreport/sos/plugins"
 else:
 sysinit = "/etc/rc.d/init.d"
- webconfig = "/etc/httpd/conf.d"
+ webconfig = "/etc/nginx"
+ siteconfig = "/etc/nginx/sites-enabled"
 # The .spec will create symlinks to support multiple versions of sosreport
 sosconfig = "/usr/share/sosreport/sos/plugins"
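Review bot: Both branches of the `os.path.exists("/etc/debian_version")` test now assign the same `webconfig = "/etc/nginx"` and `siteconfig = "/etc/nginx/sites-enabled"`, so the conditional no longer distinguishes the web-server paths and those two assignments could be hoisted above it. The values also look Debian-specific: `sites-enabled` is the Debian/Ubuntu nginx packaging convention, while the upstream and RPM nginx layouts (the `else` branch, which until now used `/etc/httpd/conf.d`) ship a `nginx.conf` that includes `/etc/nginx/conf.d/*.conf` and have no `sites-enabled` directory, so on those systems the installed site file would presumably never be loaded — worth confirming against the target package. If the RPM path is meant to be `conf.d`, the `else` branch is where to say so, which would also restore the reason for keeping the split.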
@@ -114,8 +116,8 @@ setup(
 data_files = proc_data_files([
 ("%s" % homedir, ["config/wsgi.py", "awx/static/favicon.ico"]),
- ("%s" % webconfig, ["config/awx-httpd-80.conf",
- "config/awx-httpd-443.conf"]),
+ ("%s" % siteconfig, ["config/awx-nginx.conf"]),
+ ("%s" % webconfig, ["config/uwsgi_params"]),
 ("%s" % sharedir, ["tools/scripts/request_tower_configuration.sh","tools/scripts/request_tower_configuration.ps1"]),
 ("%s" % docdir, ["docs/licenses/*",]),
 ("%s" % bindir, ["tools/scripts/ansible-tower-service",
From 0c7014eacbe271ed3da877310d75950394ac7153 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Fri, 14 Oct 2016 13:38:09 -0400
Subject: [PATCH 4/4] nginx config fixes
---
 config/awx-nginx.conf | 66 +++++++++++++++++++++++++------------------
 1 file changed, 38 insertions(+), 28 deletions(-)
diff --git a/config/awx-nginx.conf b/config/awx-nginx.conf
index b883bc56f5..6089cb7a3c 100644
--- a/config/awx-nginx.conf
+++ b/config/awx-nginx.conf
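Review bot: `("%s" % siteconfig, ["config/awx-nginx.conf"])` installs the nginx file into `/etc/nginx/sites-enabled`, but that file is a complete top-level configuration (it opens its own `http {` block, and after the last patch in this series also sets `worker_processes`, `pid` and `events`), whereas Debian's stock `nginx.conf` includes `sites-enabled/*` from inside its own `http {}` block, so nginx would presumably reject the nested `http` directive if the stock main config is in use. Either install the file as the main `nginx.conf` or reduce it to a `server {}` snippet that belongs in `sites-enabled`, and record the choice in a comment next to the `siteconfig` entry. The second new entry, `("%s" % webconfig, ["config/uwsgi_params"])`, overwrites the distribution's own `/etc/nginx/uwsgi_params`; the copy added in patch 1 appears to be the stock file, so this entry may be redundant. The `setup()` call continues outside the hunk.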
@@ -1,31 +1,51 @@
-worker_processes auto;
+worker_processes auto;
-# Enable upgrading of connection (and websocket proxying) depending on the
-# presence of the upgrade field in the client request header
-map \$http_upgrade \$connection_upgrade {
-default upgrade;
-'' close;
-}
-
-# Create an upstream alias to where we've set daphne to bind to
-upstream uwsgi {
- server 127.0.0.1:8050;
-}
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
-upstream daphne {
- server 127.0.0.1:8051;
+events {
+ worker_connections 1024;
 }
 http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ sendfile on;
+ #tcp_nopush on;
+
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ upstream uwsgi {
+ server 127.0.0.1:8050;
+ }
+
+ upstream daphne {
+ server 127.0.0.1:8051;
+ }
+
 server {
- listen 80;
- listen 443 ssl;
+ listen 80 default_server;
+ listen 443 default_server ssl;
 # If you have a domain name, this is where to add it
- server_name localhost *;
+ server_name _;
 keepalive_timeout 70;
 ssl_certificate /etc/tower/tower.crt;
@@ -59,18 +79,8 @@ http {
 }
 location / {
- uwsgi_pass uwsgi;
 include /etc/nginx/uwsgi_params;
-
- #proxy_pass http://uwsgi;
- #proxy_http_version 1.1;
- #proxy_buffering off;
- #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- #proxy_set_header X-Forwarded-Proto https;
- #proxy_set_header Host $http_host;
- #proxy_redirect off;
- #proxy_set_header Upgrade $http_upgrade;
- #proxy_set_header Connection $connection_upgrade;
+ uwsgi_pass uwsgi;
 }
 }
 }
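Review bot: `listen 80 default_server;` keeps serving the application itself over plain HTTP, whereas the Apache config this series removes (awx-httpd-80.conf, with its `RewriteCond %{HTTPS} off` rule) redirected non-API requests to HTTPS, so session cookies and credentials can now travel in cleartext on port 80. Split the listener into a plain-HTTP server that only returns a 301 to the HTTPS origin and keep `listen 443 default_server ssl;` on the application server; if explicit `http://` access to `/api` still has to work, carve that exception out in the redirect server rather than serving everything unencrypted. The new http-level `keepalive_timeout 65;` is also immediately overridden by the server-level `keepalive_timeout 70;` later in the hunk, so one of the two can go. The `server` block continues outside the hunk.
```nginx
    # Plain-HTTP listener: only redirect to TLS. The removed awx-httpd-80.conf
    # did the same with RewriteRule; add a /api exception here if explicit
    # http:// API access must stay supported.
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 default_server ssl;
        # … unchanged: server_name, keepalive_timeout, ssl_* directives …
```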