Awx: Add SSL Termination to standalone docker deployment

Leaving it here in case someone could use an example.
I know it's not HAProxy related, but using NGINX as a proxy with Letsencrypt provided SSL, here's my config:

upstream awx {
    # Depends on what port your docker-compose is listening to
    server localhost:8080; 
}

server {
    server_name  awx.domain.com;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_set_header X-Request-Start "t=${msec}";
        proxy_redirect off;
        proxy_pass http://awx;
        add_header Access-Control-Allow-Origin *;
    }

    location /websocket/ {
        proxy_pass http://awx;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

Then I use ACME certbot to install SSL and listen directives.

Hi. I'm trying to understand the landscape here...
It sounds like current practice and proposed directions to support HTTPS are all adding an additional proxy in front — haproxy / traefik / an additional nginx?
But IIUC, awx_web image is already running an nginx inside, right? Isn't it possible to modify its config to serve HTTPS, taking certificate from env vars / a mounted volume?

• My specific use case is running on openshift. From outside the openshift router already gives HTTPS, but I also want to secure communication between router and awx_web container (get rid of insecureEdgeTerminationPolicy). Openshift service signer can generate the cert conveniently, would just need to mount it into the awx_web container and have it use it...

Any progress on getting this PR merged? I find it horrible that a Password Authenticated GUI is not by default SSL.

@edperry I have already submitted a PR for this already though it might need to be rebased.
See https://github.com/ansible/awx/pull/2135#issuecomment-424318303.

I would like to mark this as "really really critical showstopper".
The host that my awx containers are served from on port 8052 is also serving "normal" web content on 80/443 and uses HSTS.
Basically, I can't use AWX. At All. Because after accessing the "normal" content on that host once, any modern browser will refuse to touch anything from that host via normal http.

it would be great if this item gets added as this is a show stopper for those of us testing.

Seems like this can be closed with #3322 having made it in to v4.0.0, though that release does drop the standalone Docker install method.

...wtf? what do you mean, 4.0.0 drops the standalone docker? Guess it'll be back to puppet for me if that's true.

edit: it only means that you have to have docker-compose. phew. now if i could only figure out how to actually make https: happen instead of http...

@lemmy04 right, it doesn’t drop Docker entirely, just the standalone version, in favor of focusing entirely on using Docker Compose. You can check the v4 release notes here on the Google Group.

Sorry for the panic!

so ... how do I make https: happen? The documentation doesn't really say anything.

@lemmy04 this is highly unlikely to be merged in, and the standalone Docker is a feature that’s been removed in favor of using Docker Compose.

You might check my PR, #3604, which adds SSL support for docker-compose. It’s yet to merge in, and I’ve been trying to get it working again with current versions of AWX (there’s been changes since I opened the PR).