Some time ago Red Hat acquired Ansible Inc, the company responsible for Ansible Tower. Being Red Hat, they promised to open the code of Ansible Tower. The AWX project is the fulfillment of that promise.
I created this blog for those who would like to use the marvels of Ansible Tower without paying a penny and at the same time would like a modern and secure way to access the AWX portal.
I was recently doing some work for one of our customers who (like most customers) have the requirement to protect everything. Unfortunately, the AWX project does not come with an SSL-protected GUI. After researching the topic for some time and going through several solutions that involved building proxies or redirecting encrypted traffic to AWX, I decided to give it a crack and this is the outcome. It is not the most elegant way of hacking AWX, but it works and checks all the boxes.
1. Follow the procedure to download AWX from git (git clone https://github.com/ansible/awx.git)
2. Modify the inventory file as indicated below (only the changed lines are listed):
host_port=8080
awx_alternate_dns_servers="10.1.2.3,10.2.3.4,add_your_own"
3. Modify the standalone.yml playbook and replace the volumes configuration:
vim +77 awx/installer/roles/local_docker/tasks/standalone.yml
Modify volumes to:
volumes:
  - '/var/lib/awx/projects:/var/lib/awx/projects:rw'
  - '/var/lib/awx-ssl:/var/lib/awx-ssl:rw'
4. Create the directory for the volume on the host:
mkdir -p /var/lib/awx-ssl
5. Copy the certificate and key to /var/lib/awx-ssl (the nginx.conf below expects them as nginx-selfsigned.crt and nginx-selfsigned.key; adjust the paths if your files are named differently)
6. Copy the nginx.conf configuration file to /var/lib/awx-ssl. The configuration file should look as follows:
#user awx;
worker_processes 1;
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    sendfile on;
    #tcp_nopush on;
    #gzip on;

    upstream uwsgi {
        server 127.0.0.1:8050;
    }

    upstream daphne {
        server 127.0.0.1:8051;
    }

    server {
        listen 8052 default_server;
        # If you have a domain name, this is where to add it
        server_name _;
        keepalive_timeout 65;

        # 'ssl on' is deprecated since nginx 1.15.0; on images with a newer nginx
        # use 'listen 8052 ssl default_server;' instead of this directive
        ssl on;
        ssl_certificate /var/lib/awx-ssl/nginx-selfsigned.crt;
        ssl_certificate_key /var/lib/awx-ssl/nginx-selfsigned.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;

        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }

        location /static/ {
            alias /var/lib/awx/public/static/;
        }

        location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }

        location ~ ^/(websocket|network_ui/topology/) {
            # Pass request to the upstream alias
            proxy_pass http://daphne;
            # Require http version 1.1 to allow for upgrade requests
            proxy_http_version 1.1;
            # We want proxy_buffering off for proxying to websockets.
            proxy_buffering off;
            # http://en.wikipedia.org/wiki/X-Forwarded-For
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # enable this if you use HTTPS:
            proxy_set_header X-Forwarded-Proto https;
            # pass the Host: header from the client for the sake of redirects
            proxy_set_header Host $http_host;
            # We've set the Host header, so we don't need Nginx to muddle
            # about with redirects
            proxy_redirect off;
            # Depending on the request value, set the Upgrade and
            # connection headers
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        location / {
            # Add trailing / if missing
            rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
            uwsgi_read_timeout 120s;
            uwsgi_pass uwsgi;
            include /etc/nginx/uwsgi_params;
        }
    }
}
7. Install AWX using ansible-playbook -i inventory install.yml
8. Once the installation is finished, verify that the docker containers are running as expected:
docker ps -a
9. Verify that the volume (/var/lib/awx-ssl) is mounted in the awx_web container:
docker inspect awx_web | grep awx-ssl
10. If the volume is mounted, execute the following commands to replace the nginx configuration and restart the container. Note that the symlink lives in the container's writable layer: it survives docker restart, but re-creating the container (for example by re-running the installer) removes it and this step has to be repeated.
docker exec -it awx_web ln -fs /var/lib/awx-ssl/nginx.conf /etc/nginx/nginx.conf
docker restart awx_web
docker ps -a
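Before linking the file into the container in step 10, it is worth checking that the nginx.conf you copied to the volume actually carries the settings that make this setup secure (TLS 1.2 only, HSTS, certificate and key on the /var/lib/awx-ssl volume). The lint below is an added example, not code from the post or from AWX: it uses a small purpose-built nginx.conf parser, and SAMPLE_CONF is a constructed excerpt of the security-relevant lines from the file above; run it against the real file with lint_awx_ssl(open("/var/lib/awx-ssl/nginx.conf").read()).

```python
import re

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def parse_nginx(text):
    """Parse nginx.conf into (name, args, children) tuples; assumes no '#' inside quoted values."""
    src = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # drop comments
    stack, words = [[]], []
    for tok in _TOKEN.findall(src):
        if tok == "}":                                   # end of the current block
            stack.pop()
        elif tok in ";{":                                # a directive ends here
            stack[-1].append(node := (words[0], words[1:], []))
            if tok == "{": stack.append(node[2])         # '{' also opens its block
            words = []
        else:
            words.append(tok.strip("'\""))
    return stack[0]

def find(tree, name):
    """Yield every directive called `name`, at any nesting depth."""
    for node in tree:
        if node[0] == name:
            yield node
        yield from find(node[2], name)

def lint_awx_ssl(text):
    """Return the security problems found in an AWX nginx.conf (empty list = OK)."""
    tree, problems = parse_nginx(text), []
    protos = {p for d in find(tree, "ssl_protocols") for p in d[1]}
    if not protos or protos & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}:
        problems.append("ssl_protocols must be set and allow only TLSv1.2 or newer")
    if not any(d[1][:1] == ["Strict-Transport-Security"] for d in find(tree, "add_header")):
        problems.append("Strict-Transport-Security header is missing")
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if not any(d[1] and d[1][0].startswith("/var/lib/awx-ssl/") for d in find(tree, name)):
            problems.append(f"{name} is missing or not on the /var/lib/awx-ssl volume")
    return problems

# Constructed sample: the security-relevant lines of the nginx.conf shown in step 6
SAMPLE_CONF = """http {
  server {
    listen 8052 default_server;
    ssl_certificate /var/lib/awx-ssl/nginx-selfsigned.crt;
    ssl_certificate_key /var/lib/awx-ssl/nginx-selfsigned.key;
    ssl_protocols TLSv1.2;
    add_header Strict-Transport-Security max-age=15768000;
  }
}"""
print(lint_awx_ssl(SAMPLE_CONF) or "nginx.conf passes all checks")
```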
That's it. Watch out for my next blog.