MrMEEE / awx-build


SSL Setup #264

Closed glennwoodcock closed 2 years ago

glennwoodcock commented 4 years ago

Anyone have detailed instructions for setting up SSL on these installations of AWX? Thanks in advance for anything that can be provided!

bluikko commented 4 years ago

I set it up with an Apache reverse proxy in front of AWX. That was similar to how the official Docker version of AWX needed to be hacked at the time (version 3 or so) but which used nginx instead.

In the later official AWX, SSL is properly supported via nginx, so maybe it could help to take a look at how that is configured: https://github.com/ansible/awx/blob/devel/installer/roles/local_docker/templates/nginx.conf.j2

cbetan commented 4 years ago

I just enabled SSL on top of nginx by adding the following simple configuration changes to /etc/nginx/nginx.conf (plus the corresponding certificate and key in /etc/pki/tls):

--- nginx.conf.http_OK.20200624 2020-06-24 19:17:18.599041964 +0200
+++ nginx.conf  2020-06-24 19:31:34.866134098 +0200
@@ -37,12 +37,20 @@
     }

     server {
-        listen 80 default_server;
+        listen 443 ssl;

         # If you have a domain name, this is where to add it
         server_name _;
         keepalive_timeout 65;

+       # HTTPS configuration
+        server_name         awx.example.com;
+        ssl                 on;
+        ssl_certificate     /etc/pki/tls/certs/certificate.pem;
+        ssl_certificate_key /etc/pki/tls/private/certificate.key;
+        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers         HIGH:!aNULL:!MD5;
+
         # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
         add_header Strict-Transport-Security max-age=15768000;
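
Review bot: the added `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line enables TLS 1.0 and 1.1, both of which are deprecated; restrict it to TLSv1.2 (plus TLSv1.3 where the nginx and OpenSSL builds support it). `ssl on;` is redundant next to the new listen directive, which already carries the ssl parameter, and the standalone directive is deprecated in current nginx, so drop it. The new `server_name awx.example.com;` is added while the existing wildcard server_name line stays in place above it; replace the existing line instead of declaring the name twice. Since the port 80 listener is removed, nothing answers plain HTTP after this change, so a separate port 80 server block that redirects to HTTPS is worth adding, especially with the HSTS header already set.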

C3RB3RUS0869 commented 3 years ago

cbetan's response worked for me. Also, I was able to enable firewalld and add firewall rules (instructions disable firewalld) that work with the installation (assuming you want a subnet of hosts to be able to access the AWX URL):

systemctl start firewalld
systemctl enable firewalld

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.x.x.x/24" port port="443" protocol="tcp" accept'

MrMEEE commented 2 years ago

Project has been updated and moved...

Please move to the new version and report any issues

PROJECT MOVED: https://github.com/miracle-as/AWX-RPM

Issues at: https://github.com/miracle-as/AWX-RPM/issues

Install guide, tools, utilities are located at: https://awx.wiki

LinkedIn group for Questions, support, talk and more: https://www.linkedin.com/groups/13694893/