Making AWX SSL Compliant

Some time ago Red Hat acquired Ansible Inc, the company responsible for Ansible Tower. Being Red Hat, they promised to open the source code of Ansible Tower. The AWX project is the fulfillment of that promise.

I created this blog for those who would like to use the marvels of Ansible Tower without paying a penny and, at the same time, would like a modern and secure way to access the AWX portal.

I was recently doing some work for one of our customers who (as most customers do) have the requirement to protect everything. Unfortunately, the AWX project does not come with an SSL-protected GUI. After researching the topic for some time and going through several solutions that involved building proxies or redirecting encrypted traffic to AWX, I decided to give it a crack, and this is the outcome. It is not the most elegant way of hacking AWX, but it works and checks all the boxes.

1. Follow the procedure to download AWX from git (git clone https://github.com/ansible/awx.git)

2. Modify the inventory file as indicated below (only the changed lines are listed):

host_port=8080
awx_alternate_dns_servers="10.1.2.3,10.2.3.4,add_your_own"

3. Modify the standalone.yml playbook and replace the volumes configuration:

vim +77 awx/installer/roles/local_docker/tasks/standalone.yml

Modify volumes to:

volumes:
  - '/var/lib/awx/projects:/var/lib/awx/projects:rw'
  - '/var/lib/awx-ssl:/var/lib/awx-ssl:rw'

4. Create the directory for the volume on the host:

mkdir -p /var/lib/awx-ssl

5. Copy the certificate and key (nginx-selfsigned.crt and nginx-selfsigned.key, the file names referenced by ssl_certificate and ssl_certificate_key in the nginx.conf of the next step) to /var/lib/awx-ssl

6. Copy the nginx.conf configuration file to /var/lib/awx-ssl. The configuration file should look as follows:

#user awx;
worker_processes 1;
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    sendfile on;
    #tcp_nopush on;
    #gzip on;

    upstream uwsgi {
        server 127.0.0.1:8050;
    }

    upstream daphne {
        server 127.0.0.1:8051;
    }

    server {
        listen 8052 default_server;

        # If you have a domain name, this is where to add it
        server_name _;
        keepalive_timeout 65;
        # "ssl on;" is the pre-1.15 form; nginx 1.15 and later deprecate it
        # in favour of "listen 8052 ssl default_server;"
        ssl                 on;
        ssl_certificate     /var/lib/awx-ssl/nginx-selfsigned.crt;
        ssl_certificate_key /var/lib/awx-ssl/nginx-selfsigned.key;
        ssl_protocols       TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;

        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }

        location /static/ {
            alias /var/lib/awx/public/static/;
        }

        location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }

        location ~ ^/(websocket|network_ui/topology/) {
            # Pass request to the upstream alias
            proxy_pass http://daphne;
            # Require http version 1.1 to allow for upgrade requests
            proxy_http_version 1.1;
            # We want proxy_buffering off for proxying to websockets.
            proxy_buffering off;
            # http://en.wikipedia.org/wiki/X-Forwarded-For
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # enable this if you use HTTPS:
            proxy_set_header X-Forwarded-Proto https;
            # pass the Host: header from the client for the sake of redirects
            proxy_set_header Host $http_host;
            # We've set the Host header, so we don't need Nginx to muddle
            # about with redirects
            proxy_redirect off;
            # Depending on the request value, set the Upgrade and
            # Connection headers
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        location / {
            # Add trailing / if missing
            rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
            uwsgi_read_timeout 120s;
            uwsgi_pass uwsgi;
            include /etc/nginx/uwsgi_params;
        }
    }
}

7. Install AWX by running ansible-playbook -i inventory install.yml from the awx/installer directory

8. Once the installation is finished, verify that the Docker containers are running as expected:

docker ps -a

9. Verify that the volume (/var/lib/awx-ssl) is mounted in the awx_web container:

docker inspect awx_web | grep awx-ssl

10. If the volume is mounted, execute the following commands to point the container's nginx configuration at the file on the volume and restart the container:

docker exec -it awx_web ln -fs /var/lib/awx-ssl/nginx.conf /etc/nginx/nginx.conf
docker restart awx_web
docker ps -a
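As an added check that is not part of this post or of the AWX project: a small POSIX shell linter for the nginx.conf from step 6, meant to be run on the file before it is copied into /var/lib/awx-ssl. It assumes only the directive names used in that config (ssl, ssl_protocols, Strict-Transport-Security, X-Forwarded-Proto) and treats any protocol older than TLSv1.2 as a failure.

```shell
#!/bin/sh
# Added example (not part of AWX): lint the nginx.conf from step 6 before it
# is copied to /var/lib/awx-ssl. Reads the file given as $1, or stdin if none.
# Prints one FAIL line per missing or weak setting; returns 0 when all pass.
check_awx_nginx_conf() {
    rc=0
    # Drop comments so a commented-out directive is not counted as active.
    body=$(sed 's/#.*$//' "$@")
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }

    # TLS must be enabled: the legacy "ssl on;" used on this page or the
    # newer "listen ... ssl;" form.
    has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;|^[[:space:]]*listen[[:space:]]+[^;]*[[:space:]]ssl([[:space:]]|;)' \
        || { echo "FAIL: TLS not enabled (ssl on; / listen ... ssl;)"; rc=1; }

    # Certificate and key paths must both be configured.
    for d in ssl_certificate ssl_certificate_key; do
        has "^[[:space:]]*$d[[:space:]]+[^;[:space:]]+[[:space:]]*;" \
            || { echo "FAIL: $d not set"; rc=1; }
    done

    # Only TLS 1.2 or newer may be offered; older nginx defaults still
    # include TLSv1 and TLSv1.1 when the directive is missing.
    protos=$(printf '%s\n' "$body" |
        sed -En 's/^[[:space:]]*ssl_protocols[[:space:]]+([^;]*);.*/\1/p')
    [ -n "$protos" ] || { echo "FAIL: ssl_protocols not set"; rc=1; }
    for p in $protos; do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) echo "FAIL: weak protocol $p in ssl_protocols"; rc=1 ;;
        esac
    done

    # HSTS, and the forwarded scheme AWX needs to build https:// URLs.
    has 'add_header[[:space:]]+Strict-Transport-Security' \
        || { echo "FAIL: no Strict-Transport-Security header"; rc=1; }
    has 'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]+https' \
        || { echo "FAIL: X-Forwarded-Proto https not sent to AWX"; rc=1; }
    return $rc
}

# Stand-alone demo on a constructed fragment mirroring the page's server block.
printf '%s\n' 'server {' '  listen 8052 default_server;' '  ssl on;' \
    '  ssl_certificate /var/lib/awx-ssl/nginx-selfsigned.crt;' \
    '  ssl_certificate_key /var/lib/awx-ssl/nginx-selfsigned.key;' \
    '  ssl_protocols TLSv1.2;' \
    '  add_header Strict-Transport-Security max-age=15768000;' \
    '  proxy_set_header X-Forwarded-Proto https;' '}' |
    check_awx_nginx_conf && echo "OK: config passes all checks"
```

Run it as `sh check.sh /var/lib/awx-ssl/nginx.conf` (or pipe the file in) and fix every FAIL line before step 10.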

That's it. Watch out for my next blog... 🙂
