HTTPS setup for AWX

Hello guys:

I’ve just downloaded the latest AWX version today (6.1.0 if I remember correctly). What’s the official or recommended way to set up HTTPS on AWX?

I’ve tried to change the ssl_certificate variable within the inventory file, but without any luck. As per this thread…

https://github.com/ansible/awx/pull/3604

It seems there isn’t yet an “official way” to do this setup. Should I instead edit the nginx.conf file directly in the awx_web container?

Hope someone can help me. Thanks in advance

Hello Angel,

Unfortunately, the AWX GUI does not come with SSL protection by default. You would need to modify the nginx.conf file for SSL support.
You may follow the steps below to enable HTTPS in AWX:

  • Change the value for host_port parameter from 80 to 443 in awx/installer/inventory file and then execute the install.yml playbook to deploy AWX.

```
[root@awx installer]# cat inventory |grep host_port
#host_port=80
host_port=443
[root@awx installer]# ansible-playbook install.yml
```

  • Once AWX is installed and docker containers are up and running, go inside the awx_web container and create a directory for SSL certificates:
    ```
    [root@awx installer]# docker exec -it awx_web /bin/bash
    bash-4.2# cd /etc/nginx/
    bash-4.2# mkdir certs
    bash-4.2# cd certs/
    ```

  • Generate SSL certificates using openssl command:

```
bash-4.2# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)

bash-4.2# openssl rsa -in server.key -out server.key
writing RSA key

bash-4.2# openssl req -sha256 -new -key server.key -out server.csr -subj '/CN=awx'

bash-4.2# openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/CN=awx
Getting Private key

bash-4.2# ls -l
total 12
-rw-r--r-- 1 root root 960 Jul 26 06:49 server.crt
-rw-r--r-- 1 root root 883 Jul 26 06:49 server.csr
-rw-r--r-- 1 root root 1675 Jul 26 06:48 server.key
```

  • Edit the /etc/nginx/nginx.conf file to add SSL certificates.

```
server {
    server_name awx;
    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl on;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # remaining directives of the existing server block are unchanged
}
```

  • Exit and restart the awx_web container.

[root@awx installer]# docker restart awx_web

On performing the above steps successfully you should be able to access AWX on HTTPS.

Thanks,
Shivharsh

No need to enter the containers & modify them; this can all be done by building one’s own container. In the installer/inventory file:

  1. Comment out line 9: dockerhub_base=ansible
  2. Set ssl_certificate to the NGINX SSL cert you wish to use
  3. Run this:

    ```
    cd installer
    ansible-playbook install.yml
    ```

Ansible will run, building your own custom images with your SSL certificate, and once done, start them up using Docker Compose.

No need to edit an existing cert or anything like that, and if you wish to customize the NGINX config, you can do that, and then re-run the build, and it will be included.

You’ll likely wish to set the docker_registry_repository & docker_registry_username inventory variables to something that allows you to publish these images for later use in a production environment.

Sorry for the long delay. Thanks a lot for your answers.

I’ve actually edited my inventory file to:

ssl_certificate=/path/to/my/cert.pem

After I run the install.yml, it mounts my /path/to/my/cert.pem as a volume to the awx_web container. Inside that container I’m able to see the correct SSL certificate as /etc/nginx/awxweb.pem. However, /etc/nginx/nginx.conf is not configured with SSL, nor is it pointing to my SSL certificate. Sure, I can edit nginx.conf to add ssl support with my cert, but I wonder if this is the “official or supported” way to do it. Maybe I’m missing something on my inventory setup which would allow me to skip such manual configuration of my nginx service.

hi!

I'm not good at English, so excuse me in simple English.

I did this way.

Fix /root/awx/installer/inventory
ssl_certificate = my.crt
ssl_certificate_key = my.key

Fixed some sources for passing keys to containers
roles/local_docker/templates/docker-compose.yml.j2

```
  web:
    image: {{awx_web_docker_actual_image}}
    container_name: awx_web

    <snip>

    volumes:
      - "{{docker_compose_dir}}/SECRET_KEY:/etc/tower/SECRET_KEY"
      - "{{docker_compose_dir}}/environment.sh:/etc/tower/conf.d/environment.sh"
      - "{{docker_compose_dir}}/credentials.py:/etc/tower/conf.d/credentials.py"
      - "{{docker_compose_dir}}/nginx.conf:/etc/nginx/nginx.conf"    # Add this

    <snip>

    {% if ssl_certificate is defined%}
      - "{{ssl_certificate + ':/etc/nginx/awxweb.pem:ro'}}"
      - "{{ssl_certificate_key + ':/etc/nginx/awxweb.key:ro'}}"    # Add this
    {% endif%}
```

Since there is a bug that does not expand nginx.conf.j2, the attached file is placed in /tmp/awxcompose/nginx.conf

Change secret_key temporarily
/root/awx/installer/inventory
<snip>
secret_key = awxsecret can be rewritten appropriately to be "" "

Reinstall AWX (remake container)
ansible-playbook -i inventory install.yml

If it completes successfully, it will be automatically rewritten to https:// when you access http://my_host/.

(attachments)

nginx.conf.txt (4.23 KB)

To do this, you should build your own images for awx_task and awx_web. See https://github.com/ansible/awx/blob/devel/INSTALL.md#official-vs-building-images

The actual command to build your own images is:

ansible-playbook -i inventory build.yml

Building your own images will take care of copying the file specified in the ssl_certificate variable, and configure nginx.

After you run the build playbook, you still need to run the install playbook:

    ansible-playbook -i inventory install.yml

(The above worked for me. I used docker-compose as my deployment platform.)

Thank you all, I already solved this by following Jeff Byernes’ recommendation. All I needed to do is to change the following in my inventory file:

  1. Comment out dockerhub_base=ansible at line 9
  2. Set host_port_ssl=443 and ssl_certificate=/path/to/my/cert.pem

Step 1 was required by install.yml (at line 6), which includes the image_build role only if dockerhub_base is not defined.
Step 2 is more obvious. The only important thing here is to combine the certificate and private key file in my /path/to/my/cert.pem file. There’s no need to hack any file for including a separate ssl_certificate_key directive anywhere.

After running the install.yml playbook again (and waiting for some minutes) everything worked as expected.

Thanks again everyone
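
The combined certificate-plus-key file described in the last post, as an added example that is not part of the thread or of the AWX installer: it refuses to write the bundle unless the private key belongs to the certificate, and it creates the file owner-only, since the bundle contains the private key and gets mounted into the awx_web container. The function name `make_awx_pem` and the file names are hypothetical; it assumes the `openssl` command-line tool and an unencrypted key.

```shell
#!/bin/sh
# Added example: build the single PEM that ssl_certificate points at.
# Usage (placeholder paths):
#   make_awx_pem server.crt server.key /path/to/my/cert.pem

# make_awx_pem CERT KEY OUT
# Returns 0 and writes OUT (mode 0600) only if KEY is the private key for CERT.
# Returns 1 on a cert/key mismatch, 2 if an input cannot be read or written.
make_awx_pem() {
    cert=$1 key=$2 out=$3

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2
        return 2
    }

    # Public key derived from the private key. "-passin pass:" makes openssl
    # fail instead of prompting if the key is passphrase-protected.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2
        return 2
    }

    # A mismatched pair would only surface later as an nginx startup error.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # umask 077 makes a newly created bundle owner-only from the start;
    # chmod covers the case where OUT already existed with wider permissions.
    ( umask 077 && cat "$cert" "$key" > "$out" ) || return 2
    chmod 600 "$out"
}
```

Both input files must end with a newline (as files written by openssl do), otherwise the concatenated PEM blocks run together.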