Install with SSL Certificate

Hi All,

I am attempting to install AWX and have it run with our own SSL certificate. I have a (PEM) certificate file and a private key. However, whilst I can see the line in the inventory file to specify the ssl_certificate, I do not see anywhere to specify the private key.

Please advise how to install the latest AWX with my own SSL certificate?

Many thanks.

Hi Adam

I'll write this using Google Translate.

If you can read Japanese or use Google Translate, please read this page.
https://qiita.com/nakacya/items/e17580fb0d94cd4ac6ed

Now, please try the following.
- Added the following to the inventory
/root/awx/installer/inventory
--------------------------------------------------------
ssl_certificate=/path/your.pem
ssl_certificate_key=/path/your.key
--------------------------------------------------------

- Fixed some sources
roles/local_docker/templates/docker-compose.yml.j2
--------------------------------------------------------
    volumes:
      - "{{ docker_compose_dir }}/SECRET_KEY:/etc/tower/SECRET_KEY"
      - "{{ docker_compose_dir }}/environment.sh:/etc/tower/conf.d/environment.sh"
      - "{{ docker_compose_dir }}/credentials.py:/etc/tower/conf.d/credentials.py"
Add this ---->      - "{{ docker_compose_dir }}/nginx.conf:/etc/nginx/nginx.conf"

<snip>

    {% if ssl_certificate is defined %}
      - "{{ ssl_certificate + ':/etc/nginx/awxweb.pem:ro' }}"
Add this ---->      - "{{ ssl_certificate_key + ':/etc/nginx/awxweb.key:ro' }}"
    {% endif %}
--------------------------------------------------------

- There is a bug where nginx.conf.j2 is not expanded, so add the following file
/tmp/awxcompose/nginx.conf
-------------------------------------------------------------------
#user awx;

worker_processes 1;

pid /tmp/nginx.pid;

events {
     worker_connections 1024;
}

http {
     include /etc/nginx/mime.types;
     default_type application/octet-stream;

     log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';

     access_log /dev/stdout main;
#X# access_log /var/log/nginx/nginx_access.log main;
     error_log /var/log/nginx/nginx_error.log;

     map $http_upgrade $connection_upgrade {
         default upgrade;
         '' close;
     }

     sendfile on;
     #tcp_nopush on;
     #gzip on;

     upstream uwsgi {
         server 127.0.0.1:8050;
     }

     upstream daphne {
         server 127.0.0.1:8051;
     }

     server {
#X#      listen 8052 default_server;
         listen 8052;
         server_name _;

         # Redirect all HTTP links to the matching HTTPS page
         return 301 https://$host$request_uri;
     }

     server {
         listen 8053 ssl default_server;

         ssl_certificate /etc/nginx/awxweb.pem;
         ssl_certificate_key /etc/nginx/awxweb.key;

         ssl_session_cache builtin:1000 shared:SSL:10m;
         ssl_prefer_server_ciphers on;
         ssl_protocols TLSv1.2;
         ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

         ssl_stapling on;
         ssl_stapling_verify on;
         ssl_session_timeout 20m;

         # If you have a domain name, this is where to add it
         server_name _;
         keepalive_timeout 65;

         # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
         add_header Strict-Transport-Security max-age=15768000;
         add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; img-src 'self' data:; report-uri /csp-violation/";
         add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' cdn.pendo.io; img-src 'self' data:; report-uri /csp-violation/";

         # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
         add_header X-Frame-Options "DENY";

         location /nginx_status {
           stub_status on;
           access_log off;
           allow 127.0.0.1;
           deny all;
         }

         location /static/ {
             alias /var/lib/awx/public/static/;
         }

         location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }

         location /websocket {
             # Pass request to the upstream alias
             proxy_pass http://daphne;
             # Require http version 1.1 to allow for upgrade requests
             proxy_http_version 1.1;
             # We want proxy_buffering off for proxying to websockets.
             proxy_buffering off;
             # http://en.wikipedia.org/wiki/X-Forwarded-For
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             # enable this if you use HTTPS:
             proxy_set_header X-Forwarded-Proto https;
             # pass the Host: header from the client for the sake of redirects
             proxy_set_header Host $http_host;
             # We've set the Host header, so we don't need Nginx to muddle
             # about with redirects
             proxy_redirect off;
             # Depending on the request value, set the Upgrade and
             # connection headers
             proxy_set_header Upgrade $http_upgrade;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header Connection $connection_upgrade;
         }

         location / {
             # Add trailing / if missing
             rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
             uwsgi_read_timeout 120s;
             uwsgi_pass uwsgi;
             include /etc/nginx/uwsgi_params;
             proxy_set_header X-Forwarded-Port 443;
         }
     }
}
-------------------------------------------------------------------

- Reinstall AWX (recreate the containers)
ansible-playbook -i inventory install.yml

You can specify the key using ssl_certificate_key in the inventory file, alongside ssl_certificate for the cert.

Thanks,

-Graham

My mistake. Looks like it’s expecting you to concatenate the certificate and key into a single .pem file and specify that in the inventory as ssl_certificate.

Thanks,

-Graham

Hello:

Right, you need to define the path to a concatenated (cert + private key) file using the ssl_certificate directive, but you also need to comment out dockerhub_ansible, as this instructs the AWX installer to run a local build, which configures your own certificate file as expected.
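Graham's correction and the reply above both say the certificate and the private key go into one .pem file that is then named by ssl_certificate. As an added example (not code from this thread or from the AWX project), the helper below assembles that file with the certificate chain first and the key last, refuses input nginx could not load (no certificate, not exactly one key, or a passphrase-protected key), and writes the result owner-readable only, since the combined file now holds the key. The file paths are assumptions.

```python
import os
import re

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, block) pairs for every PEM block found in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def build_combined_pem(cert_text, key_text):
    """Assemble the single .pem the installer expects: certificate chain first, key last.

    Raises ValueError on input nginx could not load (no cert, not exactly one key)
    or that should never be deployed into the container (a passphrase-protected key).
    """
    certs = [b for label, b in pem_blocks(cert_text) if label == "CERTIFICATE"]
    keys = [(label, b) for label, b in pem_blocks(key_text) if label.endswith("PRIVATE KEY")]
    if not certs:
        raise ValueError("no CERTIFICATE block in certificate file")
    if len(keys) != 1:
        raise ValueError("expected exactly one PRIVATE KEY block, found %d" % len(keys))
    label, key = keys[0]
    # PKCS#8 encrypted keys carry the label; legacy PEM keys carry a Proc-Type header
    if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in key:
        raise ValueError("private key is passphrase-protected; nginx in the container cannot read it")
    return "\n".join(certs + [key]) + "\n"

def write_combined_pem(cert_path, key_path, out_path):
    """Write the combined file with owner-only permissions (it now contains the key)."""
    with open(cert_path) as f:
        cert_text = f.read()
    with open(key_path) as f:
        key_text = f.read()
    combined = build_combined_pem(cert_text, key_text)
    # O_CREAT with mode 0600 so the key is never world-readable, even briefly;
    # the chmod afterwards covers the case where out_path already existed.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(combined)
    os.chmod(out_path, 0o600)
    return out_path

if __name__ == "__main__":
    import sys  # usage: python3 <this file> your.crt your.key your.pem  (paths are assumptions)
    print(write_combined_pem(*sys.argv[1:4]))
```

Point ssl_certificate in the inventory at the written file; the installer mounts it into the web container as-is, so check its permissions there as well.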