ansible / awx

AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

AWX does not work on Docker Swarm with nginx SSL reverse proxy #1285

Closed jstewart612 closed 6 years ago

jstewart612 commented 6 years ago
ISSUE TYPE
COMPONENT NAME
SUMMARY

When AWX is deployed with all components replica 1 in a Docker Swarm, and nginx is configured as a reverse proxy in front of it, numerous Websocket errors are deployed, despite attempting to account for it. "WebSocket connection to 'wss://awx.tools.rentpath.com/websocket/' failed: WebSocket is closed before the connection is established."

ENVIRONMENT
STEPS TO REPRODUCE

Deploy a Docker Swarm stack named "awx" with the following docker-compose file:

version: "3"
services:
  rabbitmq:
    image: rabbitmq:3
    deploy:
      replicas: 1
      resources:
        limits:
          cpus: "1"
          memory: 1G
      restart_policy:
        condition: on-failure
    environment:
      RABBITMQ_DEFAULT_VHOST: "awx"
    networks:
      - awxnet

  memcached:
    image: memcached:alpine
    deploy:
      replicas: 1
      resources:
        limits:
          cpus: "1"
          memory: 1G
      restart_policy:
        condition: on-failure
    networks:
      - awxnet

  awx_task:
    image: ansible/awx_task:latest
    deploy:
      replicas: 1
      resources:
        limits:
          cpus: "1"
          memory: 2G
      restart_policy:
        condition: on-failure
    environment:
      SECRET_KEY: "SOMESECRETKEY"
      DATABASE_NAME: "SOME_DATABASE_NAME"
      DATABASE_USER: "SOME_DATABASE_USERNAME"
      DATABASE_PASSWORD: "SOME_DATABASE_PASSWORD"
      DATABASE_PORT: "5432"
      DATABASE_HOST: "SOME_DATABASE_HOSTNAME"
      RABBITMQ_USER: "guest"
      RABBITMQ_PASSWORD: "guest"
      RABBITMQ_HOST: "rabbitmq"
      RABBITMQ_PORT: "5432"
      RABBITMQ_VHOST: "awx"
      MEMCACHED_HOST: "memcached"
      MEMCACHED_PORT: "11211"
      LDAPTLS_REQCERT: "never"
    networks:
      - awxnet

  awx_web:
    image: ansible/awx_web:latest
    deploy:
      replicas: 1
      resources:
        limits:
          cpus: "1"
          memory: 2G
      restart_policy:
        condition: on-failure
    environment:
      SECRET_KEY: "SOMESECRETKEY"
      DATABASE_NAME: "SOME_DATABASE_NAME"
      DATABASE_USER: "SOME_DATABASE_USERNAME"
      DATABASE_PASSWORD: "SOME_DATABASE_PASSWORD"
      DATABASE_PORT: "5432"
      DATABASE_HOST: "SOME_DATABASE_HOSTNAME"
      RABBITMQ_USER: "guest"
      RABBITMQ_PASSWORD: "guest"
      RABBITMQ_HOST: "rabbitmq"
      RABBITMQ_PORT: "5432"
      RABBITMQ_VHOST: "awx"
      MEMCACHED_HOST: "memcached"
      MEMCACHED_PORT: "11211"
      LDAPTLS_REQCERT: "never"
    networks:
      - awxnet

  nginx:
    image: nginx:alpine
    deploy:
      replicas: 1
      resources:
        limits:
          cpus: "1"
          memory: 2G
      restart_policy:
        condition: on-failure
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/etc/nginx.conf:/etc/nginx/nginx.conf"
      - "/etc/ssl/tools:/etc/ssl/tools"
    networks:
      - awxnet

networks:
  awxnet:

Configure /etc/nginx.conf with the following content:

user nginx;
worker_processes 2;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    server {
        listen      80;
        server_name _;
        rewrite     ^  https://$host$request_uri? permanent;
    }

    server {
        listen              443 ssl http2;
        server_name         awx.tools.rentpath.com;
        ssl                 on;
        ssl_certificate     /etc/ssl/tools/wildcard.tools.rentpath.com.crt.pem;
        ssl_certificate_key /etc/ssl/tools/wildcard.tools.rentpath.com.key.pem;
        ssl_protocols       TLSv1.2;
        ssl_ciphers         "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        location / {
            proxy_set_header   Host $host;
            proxy_pass         http://awx_web:8052;
            proxy_http_version 1.1;
            proxy_set_header   Upgrade $http_upgrade;
            proxy_set_header   Connection "upgrade";
        }
    }
}

EXPECTED RESULTS

I thought I would have secured AWX behind HTTPS and the UI would work.

ACTUAL RESULTS

Most calls that required Websockets would sit and spin forever and do nothing. Sliders, like using TLS in LDAP authentication, would turn on, "working" gear would pop up bottom right, then it would go right back to off after spamming the above Websockets error a few times.

ADDITIONAL INFORMATION

jakemcdermott commented 6 years ago

Hey there, jstewart612.

Thanks for reaching out. Docker swarm isn't a supported installation mode for AWX so I'm going to close this issue. If you have any questions please drop us a line on the AWX mailing list or join our IRC chat on freenode.

jstewart612 commented 6 years ago

Feature Idea, then: https://github.com/ansible/awx/issues/1287
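
A review check over the compose file posted in the report, as an added example that is not part of the thread or of AWX's own code: it flags the unpinned `latest` image, `LDAPTLS_REQCERT: "never"`, the `guest`/`guest` RabbitMQ credentials, and a `RABBITMQ_PORT` identical to `DATABASE_PORT`. The function names and the embedded sample (a constructed subset of the posted file) are assumptions of this example.

```python
import re

# Constructed sample: a subset of the compose file from the issue above.
SAMPLE = """\
services:
  rabbitmq:
    image: rabbitmq:3
  awx_web:
    image: ansible/awx_web:latest
    environment:
      DATABASE_PORT: "5432"
      RABBITMQ_USER: "guest"
      RABBITMQ_PASSWORD: "guest"
      RABBITMQ_PORT: "5432"
      LDAPTLS_REQCERT: "never"
"""

def parse_services(text):
    """Flatten each service's scalar 'key: value' lines into a dict.
    Assumes 2-space indentation as in the issue; not a general YAML parser."""
    services, section, current = {}, None, None
    for line in text.splitlines():
        top = re.match(r'^(\w+):', line)
        if top:                                   # version / services / networks
            section, current = top.group(1), None
            continue
        svc = re.match(r'^  (\w+):\s*$', line)
        if svc and section == "services":
            current = services.setdefault(svc.group(1), {})
            continue
        kv = re.match(r'^\s{4,}(\w+):\s*"?([^"\s]+)"?\s*$', line)
        if kv and current is not None:
            current[kv.group(1)] = kv.group(2)
    return services

def lint(text):
    """Return (service, finding) pairs for settings to review before exposure."""
    findings = []
    for name, cfg in parse_services(text).items():
        if cfg.get("image", "").endswith(":latest"):
            findings.append((name, "image tag 'latest' is not pinned"))
        if cfg.get("LDAPTLS_REQCERT") == "never":
            findings.append((name, "LDAPTLS_REQCERT=never skips LDAP server certificate checks"))
        if (cfg.get("RABBITMQ_USER"), cfg.get("RABBITMQ_PASSWORD")) == ("guest", "guest"):
            findings.append((name, "RabbitMQ default guest/guest credentials"))
        port = cfg.get("RABBITMQ_PORT")
        if port and port == cfg.get("DATABASE_PORT"):
            findings.append((name, "RABBITMQ_PORT equals DATABASE_PORT; AMQP default is 5672"))
    return findings

if __name__ == "__main__":
    for service, finding in lint(SAMPLE):
        print(f"{service}: {finding}")
```

The parser only handles the flat, 2-space-indented layout used in the report; a full YAML loader is the right tool for arbitrary compose files.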