4.1. Configuring the Web Server

4.1.1. Preparing Secure Connection Certificates

If your infrastructure has no certificate authority (CA), you can secure the connection with a self-signed certificate. Browsers and other clients do not trust such a certificate until it is added to their trust store, so expect a warning on first connection.

To issue the certificate, perform the following actions in a terminal on the server as the administrator (root):

  1. Go to the /etc/ssl directory.

  2. Generate a private key and the self-signed certificate.

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/progate.key \
    -out /etc/ssl/certs/progate.crt
    

    Note

    The command above generates an unencrypted private key (-nodes) and a self-signed certificate valid for 365 days; the key itself has no validity period. Because the key is not protected by a passphrase, its file permissions (see step 3 in the next section) are its only protection. Modern browsers match the host name against the subjectAltName extension rather than the Common Name, so with OpenSSL 1.1.1 or later add -addext "subjectAltName=DNS:progate.example.com" to the command. Specify the following values as prompted by the command:

    • Country Name (2 letter code) [AU]: The two-character country code.

    • State or Province Name (full name) [Some-State]: The name of the region.

    • Locality Name (eg, city) []: The name of the city.

    • Organization Name (eg, company) [Internet Widgits Pty Ltd]: The name of the company.

    • Organizational Unit Name (eg, section) []: The name of the company business unit.

    • Common Name (e.g. server FQDN or YOUR name) []: The host name that clients use to open the Postgres ProGate web application, for example, progate.example.com. It must match the server_name of the virtual server configured in the next section.

    • Email Address []: The administrator email.
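The procedure above is interactive. The following script is an added example and not part of the Postgres ProGate documentation: it issues the same kind of self-signed certificate non-interactively, adds the subjectAltName extension that browsers check, and verifies the result (SAN, key/certificate match, file mode, remaining validity) before the files are installed. It assumes OpenSSL 1.1.1 or later (for -addext); the subject fields and host name are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not part of the Postgres ProGate documentation: issue the
# self-signed certificate non-interactively and verify it before installing it.
# Assumes OpenSSL 1.1.1 or later (for -addext); the subject fields and the
# host name are placeholders.
set -eu

# make_self_signed KEY CERT HOST [DAYS]: write the key and certificate files.
# As in the interactive command, -nodes leaves the key unencrypted, so the
# file permissions are its only protection. The subjectAltName extension is
# added because browsers match the host name against it, not the Common Name.
make_self_signed() {
    key=$1; cert=$2; host=$3; days=${4:-365}
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$key" -out "$cert" \
        -subj "/O=Example Org/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$key"
    chmod 644 "$cert"
}

# cert_has_san CERT HOST: exit 0 if the certificate's SAN lists HOST.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q "DNS:$2"
}

# cert_valid_for_days CERT DAYS: exit 0 if the certificate does not expire
# within DAYS days (openssl -checkend is portable, unlike date -d).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# key_matches_cert KEY CERT: exit 0 if the key's public half is the one in
# the certificate (catches a key/certificate mix-up before nginx -t does).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# key_is_private KEY: exit 0 if the mode is rw------- (what the web server
# section requires for progate.key).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage (as root, paths from the manual):
#   make_self_signed /etc/ssl/private/progate.key /etc/ssl/certs/progate.crt progate.example.com
#   cert_has_san /etc/ssl/certs/progate.crt progate.example.com
#   key_matches_cert /etc/ssl/private/progate.key /etc/ssl/certs/progate.crt
```

Run the checks again whenever the certificate is renewed: a renewed certificate with the old key file still in place is exactly the mismatch key_matches_cert reports.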

4.1.2. Preparing the Web Server Configuration File

The web server configuration is generally located in the /etc/nginx directory, but the file structure may vary depending on the operating system distribution. For example, the virtual server configuration is located in different directories for the following operating systems:

  • For Debian-based operating systems (for example, Astra Linux), in the /etc/nginx/sites-enabled/ directory.

  • For Red Hat-based operating systems (for example, RED OS), in the /etc/nginx/vhosts/ directory.

For more information about location and structure of the configuration tree, refer to the official documentation of your operating system.

The configuration procedure described below assumes that the web server configuration is located in the /etc/nginx/ directory and the virtual server parameters are located in the /etc/nginx/conf.d/ directory. Perform the following actions to configure the web server:

  1. Place the progate.crt file in the /etc/ssl/certs/ directory.

  2. Place the progate.key file in the /etc/ssl/private/ directory.

  3. The progate.crt and progate.key files must be owned by the administrator (root), with access rights 644 (rw-r--r--) for the certificate and 600 (rw-------) for the private key. To set the owner and access rights, execute the following commands:

    chown root:root /etc/ssl/certs/progate.crt /etc/ssl/private/progate.key
    chmod 600 /etc/ssl/private/progate.key
    chmod 644 /etc/ssl/certs/progate.crt
    
  4. Create the virtual server configuration file /etc/nginx/conf.d/progate.example.com.conf with the following content:

     # Plain HTTP: redirect everything to HTTPS, serve nothing else.
     server {
         listen 80 default_server;
         server_name _;

         return 301 https://progate.example.com$request_uri;
     }

     server {
         listen 443 ssl default_server;
         server_name progate.example.com;

         ssl_certificate /etc/ssl/certs/progate.crt;
         ssl_certificate_key /etc/ssl/private/progate.key;

         # TLS 1.3 only. ssl_ciphers lists TLS 1.2 suites and takes effect only
         # if TLSv1.2 is added to ssl_protocols; TLS 1.3 suites follow the
         # OpenSSL defaults.
         ssl_protocols TLSv1.3;
         ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
         ssl_prefer_server_ciphers off;

         # Per-request CSP nonce: the **CSP_NONCE** placeholder in the UI's HTML
         # is replaced with $request_id, the same value used in the CSP header
         # below. By default sub_filter rewrites only text/html responses.
         sub_filter_once off;
         sub_filter **CSP_NONCE** $request_id;

         # These headers are inherited by a location block only if that block
         # sets no add_header of its own.
         # frame-ancestors 'none' in the CSP takes precedence over
         # X-Frame-Options in browsers that support it; DENY would match it for
         # older clients.
         add_header X-Frame-Options "SAMEORIGIN";
         add_header X-Content-Type-Options "nosniff";
         # Legacy header; current browsers ignore it.
         add_header X-XSS-Protection "1; mode=block";
         add_header Strict-Transport-Security "max-age=31536000";
         # Keep the policy on one line: an HTTP header value cannot contain
         # line breaks, and nginx does not join a quoted string that spans lines.
         add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'nonce-$request_id'; style-src 'self' 'nonce-$request_id'; img-src 'self' data:; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; frame-src 'none'; object-src 'none';" always;

         root /opt/pgpro/progate/ui;

         # Documentation entry point: exact matches for /docs and /docs/.
         location = /docs {
             try_files /index.html =404;
         }

         location = /docs/ {
             try_files /index.html =404;
         }

         # Static documentation files per locale; a missing file is a 404,
         # not the application page.
         location ~ ^/docs/(ru|en)/ {
             try_files $uri =404;
         }

         # Single-page application: unknown paths fall back to index.html.
         location / {
             index index.html;
             try_files $uri $uri/ /index.html;
         }

         location /api {
             try_files $uri @api;
         }

         # Backend proxy. X-Real-IP and X-Forwarded-* are set here; the backend
         # should trust them only for requests arriving from this proxy.
         location @api {
             proxy_pass http://127.0.0.1:8081;
             proxy_http_version 1.1;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
             proxy_read_timeout 180s;
         }

         # Never serve dot-files (.htaccess, .git, .svn, .env and any other).
         # The generic rule below already covers the first one.
         location ~ /\.(ht|git|svn|env) {
             deny all;
         }

         location ~ /\. {
             deny all;
         }
     }
    

    For the documentation section of the web application to work, routing for the /docs path needs its own location blocks. If only the common location / with try_files is present, requests to /docs and /docs/ may be handled differently from what the web application expects (including documentation access errors). The blocks are:

    • location = /docs and location = /docs/: Exact URI matches. Both return the index.html file, the documentation entry point.

    • location ~ ^/docs/(ru|en)/: Static documentation files for the ru and en locales. If the requested file does not exist, a 404 response is returned instead of index.html, so that wrong paths are not masked by the application page. To support other languages, add their codes to the regular expression.

    Note

    The root /opt/pgpro/progate/ui; configuration parameter specifies the directory where the progate-gui package is installed by default. If you move the package content to a different directory, modify this parameter to reflect the actual location.

    The proxy_pass http://127.0.0.1:8081; configuration parameter assumes that the following configuration parameters of the Postgres ProGate backend are set to corresponding values: PROGATE_HTTP_SERVER_HOST="127.0.0.1" and PROGATE_HTTP_SERVER_PORT="8081".

  5. Check that the configuration is correct by running the nginx -t command. If no errors occur, the output is as follows:

    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    

    If errors are reported, check that all the parameters above are specified correctly and that the certificate and key files exist at the configured paths with the access rights from step 3: nginx -t loads the certificate and fails if it cannot read it.

  6. If no errors are found, restart the web server by executing systemctl restart nginx (systemctl reload nginx also applies a changed configuration, without dropping open connections). After the successful restart, the Postgres ProGate web application is available at https://progate.example.com. Because the certificate is self-signed, browsers show a warning until it is added to their trust store.
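The restart only proves that nginx started; it does not show that the headers and the CSP nonce substitution actually reach the client. The following script is an added example and not part of the Postgres ProGate documentation: it checks a response for the security headers the virtual server above sets and verifies that the nonce in the Content-Security-Policy header is the value substituted into the page body (a surviving **CSP_NONCE** placeholder means sub_filter did not run, and the browser will block the application scripts). The two sample responses are constructed by hand so the checks run offline; probe_site fetches a live response with curl instead. The host name and the nonce value are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Postgres ProGate documentation: after the
# restart, check that a response carries the security headers the virtual
# server sets and that the CSP nonce in the header is the value substituted
# into the page body. The two responses below are constructed by hand so the
# checks run offline; probe_site fetches a live response with curl instead.
set -eu

# Constructed sample of a correct GET / response (request id shortened).
SAMPLE_OK=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'none'; script-src 'self' 'nonce-6f2b1c9d4e3a'; style-src 'self' 'nonce-6f2b1c9d4e3a'; frame-ancestors 'none'; object-src 'none'

<!doctype html>
<html><head><script nonce="6f2b1c9d4e3a" src="/main.js"></script></head></html>
EOF
)

# Constructed sample of a broken deployment: the **CSP_NONCE** placeholder
# survived (sub_filter did not run), so the browser will block the script.
SAMPLE_BAD=$(cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'none'; script-src 'self' 'nonce-6f2b1c9d4e3a'

<script nonce="**CSP_NONCE**" src="/main.js"></script>
EOF
)

# header_value RESPONSE NAME: print the value of header NAME (case-insensitive),
# reading only the header block (the lines before the first empty line).
header_value() {
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tr -d '\r' | awk -v n="$name" '
        /^$/ { exit }
        { i = index($0, ":")
          if (i > 0 && tolower(substr($0, 1, i - 1)) == n) {
              v = substr($0, i + 1); sub(/^ +/, "", v); print v; exit } }'
}

# response_body RESPONSE: print everything after the first empty line.
response_body() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'body { print } /^$/ { body = 1 }'
}

# csp_nonce RESPONSE: print the nonce used by the CSP header; print nothing
# if there is none or script-src and style-src carry different nonces.
csp_nonce() {
    nonces=$(header_value "$1" Content-Security-Policy \
        | grep -o "'nonce-[^']*'" | sort -u)
    [ "$(printf '%s\n' "$nonces" | grep -c .)" -eq 1 ] || return 0
    printf '%s' "$nonces" | sed "s/^'nonce-//; s/'\$//"
}

# body_uses_nonce RESPONSE NONCE: exit 0 if the body references the nonce and
# the **CSP_NONCE** placeholder from the UI template is gone.
body_uses_nonce() {
    body=$(response_body "$1")
    case $body in *'**CSP_NONCE**'*) return 1 ;; esac
    printf '%s' "$body" | grep -q "nonce=\"$2\""
}

# check_response RESPONSE: print one line per failed check; exit 0 if all pass.
check_response() {
    rc=0
    for h in Strict-Transport-Security X-Content-Type-Options \
             X-Frame-Options Content-Security-Policy; do
        [ -n "$(header_value "$1" "$h")" ] || { echo "missing header: $h"; rc=1; }
    done
    nonce=$(csp_nonce "$1")
    if [ -z "$nonce" ]; then
        echo "CSP has no single nonce"; rc=1
    elif ! body_uses_nonce "$1" "$nonce"; then
        echo "body does not use CSP nonce $nonce"; rc=1
    fi
    return $rc
}

# probe_site HOST: run the checks against the live server (-k because the
# certificate is self-signed) and confirm that plain HTTP redirects to HTTPS.
# Usage: probe_site progate.example.com
probe_site() {
    rc=0
    check_response "$(curl -sk -i "https://$1/")" || rc=1
    loc=$(header_value "$(curl -s -i "http://$1/")" Location)
    case $loc in "https://$1/"*) ;; *) echo "no HTTPS redirect: $loc"; rc=1 ;; esac
    return $rc
}
```

Run probe_site from a host that resolves progate.example.com to the server; a "missing header" line for the /api responses is expected only if a location block defines its own add_header, since that stops the server-level headers from being inherited.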