6.1. Instructions for Installation and Setup of Postgres ProGate Components
Only install Postgres ProGate components from the media that are included in the Postgres ProGate package or from the software repository https://repo.postgrespro.ru/.
6.1.1. Configuring the Supporting Database
When creating the user of the supporting database, specify a sufficiently complex password:
Longer than 8 characters.
Containing digits as well as lowercase and uppercase Latin letters.
6.1.2. Restricting Access to the Postgres ProGate Configuration
After setting up the backend, restrict read and write access to the following files so that no unprivileged OS user other than the one under which Postgres ProGate is launched can read or modify them:
Environment file /opt/pgpro/progate/etc/env_progate
Postgres ProGate configuration file, if it is used.
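As an added example, not part of the Postgres ProGate documentation or product, the following POSIX shell script applies that restriction (owner-only read/write, mode 0600) and checks it afterwards. The service account name progate is an assumption; substitute the account Postgres ProGate actually runs under. The path of the environment file is the one given above; apply the same treatment to the configuration file if one is used. The chown step needs root, while the check function works for any user who can stat the file.

```shell
#!/bin/sh
# Added example (not from the Postgres ProGate documentation): restrict and verify
# access to the ProGate environment file. The account name "progate" is assumed.

ENV_FILE="${ENV_FILE:-/opt/pgpro/progate/etc/env_progate}"
PROGATE_USER="${PROGATE_USER:-progate}"   # assumed service account name

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the owning user name of a file.
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# is_restricted FILE OWNER: return 0 if FILE exists, is owned by OWNER and has no
# group or other permission bits at all (0600, 0400, 0700 ...); return 1 otherwise.
is_restricted() {
    f="$1"; want_owner="$2"
    [ -f "$f" ] || return 1
    mode=$(file_mode "$f")
    # The last two octal digits are the group and other bits; both must be zero.
    case "$mode" in
        *00) ;;
        *) return 1 ;;
    esac
    [ "$(file_owner "$f")" = "$want_owner" ] || return 1
    return 0
}

# restrict_file FILE OWNER: make FILE owner-only. chown requires root.
restrict_file() {
    f="$1"; owner="$2"
    chown "$owner" "$f"
    chmod 0600 "$f"
}

# Stand-alone usage: ./restrict_env.sh --apply  (harden the file, then re-check it)
if [ "${1:-}" = "--apply" ]; then
    restrict_file "$ENV_FILE" "$PROGATE_USER"
    if is_restricted "$ENV_FILE" "$PROGATE_USER"; then
        echo "ok: $ENV_FILE is owner-only (mode $(file_mode "$ENV_FILE"))"
    else
        echo "FAIL: $ENV_FILE is still readable by other users" >&2
        exit 1
    fi
fi
```

The check is deliberately stricter than "not world-readable": a group-readable environment file would still expose the database password to every member of that group, so any group or other bit fails the check.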
6.1.3. Setting up the Web Server
To use the Postgres ProGate GUI, install and set up the nginx web server supplied by the operating system's package repository on the server where Postgres ProGate is installed. Configure the web server so that the GUI is served only over the secure HTTPS protocol.
In the web server configuration, redirect every request received over a non-secure connection (HTTP) to the secure connection (HTTPS). A configuration example:
server {
    listen 80;
    server_name progate.example.com;
    location / {
        return 301 https://$host$request_uri;
    }
}
The configuration must include the parameters needed to work over HTTPS. For example:
server {
    listen 443 ssl default_server;
    server_name progate.example.com;
    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/cert.key;
    ssl_protocols TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ...
}
Note that ssl_ciphers and ssl_prefer_server_ciphers apply only to TLS 1.2 and earlier. With ssl_protocols limited to TLSv1.3, as above, they have no effect, and the TLS 1.3 cipher suites are those of the TLS library nginx was built against; the two directives only matter if TLSv1.2 has to be enabled for older clients.
The configuration must set a Content Security Policy and protect the pages against embedding in other sites. Each header value must be written on a single line, because an HTTP header value cannot contain line breaks:
server {
    ...
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000";
    add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'nonce-$request_id'; style-src 'self' 'nonce-$request_id'; img-src 'self' data:; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; frame-src 'none'; object-src 'none'" always;
    ...
}
Points to keep in mind:
The nonce 'nonce-$request_id' only works if the HTML served for that request carries the same value in the nonce attribute of its script and style tags (injected by the application or by an nginx sub_filter rule); otherwise the browser blocks those resources.
frame-ancestors 'none' is stricter than X-Frame-Options SAMEORIGIN and takes precedence in browsers that support CSP; X-Frame-Options remains as a fallback for older browsers. X-XSS-Protection is ignored by most current browsers and is kept only for legacy ones.
The always parameter makes nginx add the headers to error responses as well; without it, add_header applies only to successful and redirect responses. An add_header directive inside a location block replaces the whole set inherited from the server block, so repeat all of these headers in any location that defines its own.
The web server configuration must not reveal the web server version on the automatically generated 4xx and 5xx error pages or in the Server response header. To this end, set the following parameter in the http context of the nginx configuration file /etc/nginx/nginx.conf:
http {
    ...
    server_tokens off;
    ...
}
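As an added example, not part of the Postgres ProGate documentation, the following POSIX shell script checks whether responses from the nginx front end meet the requirements above: the HTTP listener answers with a 301 to an https:// URL, the HTTPS response carries HSTS with a max-age of at least one year, a Content-Security-Policy containing frame-ancestors 'none' and X-Content-Type-Options: nosniff, and the Server header shows no version number. The three responses in the script are constructed samples in the form printed by curl -sI; to test a real deployment, feed the functions a live capture of https://progate.example.com/ instead.

```shell
#!/bin/sh
# Added example, not part of the Postgres ProGate documentation: verify the nginx
# front end's responses against the hardening requirements. The responses below
# are CONSTRUCTED samples in the shape `curl -sI` prints; replace them with a live
# capture (e.g. curl -sI https://progate.example.com/) to check a real server.

# Constructed sample: what the port-80 listener should return.
GOOD_HTTP='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://progate.example.com/
Content-Length: 0'

# Constructed sample: a compliant HTTPS response (server_tokens off, headers set).
GOOD_HTTPS="HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'none'; script-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN"

# Constructed sample: version leaked and no embedding protection in the CSP.
BAD_HTTPS="HTTP/1.1 200 OK
Server: nginx/1.18.0
Strict-Transport-Security: max-age=31536000
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff"

# header_value RESPONSE NAME: print the value of header NAME (case-insensitive),
# or nothing if it is absent. CRs from a real capture are stripped first.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v n="$2" '
        BEGIN { n = tolower(n) ":" }
        index(tolower($0), n) == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# check_redirect RESPONSE: 0 if the response is a 301 to an https:// URL.
check_redirect() {
    status=$(printf '%s\n' "$1" | tr -d '\r' | head -n 1 | awk '{ print $2 }')
    [ "$status" = "301" ] || return 1
    case "$(header_value "$1" Location)" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_headers RESPONSE: 0 if HSTS (max-age >= 1 year), a CSP with
# frame-ancestors 'none' and nosniff are present and the Server header
# carries no version number.
check_headers() {
    r="$1"
    age=$(header_value "$r" Strict-Transport-Security |
          sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ "${age:-0}" -ge 31536000 ] || return 1
    case "$(header_value "$r" Content-Security-Policy)" in
        *"frame-ancestors 'none'"*) ;;
        *) return 1 ;;
    esac
    [ "$(header_value "$r" X-Content-Type-Options)" = "nosniff" ] || return 1
    # server_tokens off leaves "Server: nginx"; any digit means a version leaked.
    case "$(header_value "$r" Server)" in
        *[0-9]*) return 1 ;;
    esac
    return 0
}

# Stand-alone run: report the verdict for each constructed sample.
for name in GOOD_HTTP GOOD_HTTPS BAD_HTTPS; do
    eval "resp=\$$name"
    if check_redirect "$resp"; then
        echo "$name: redirect ok"
    elif check_headers "$resp"; then
        echo "$name: https headers ok"
    else
        echo "$name: FAIL"
    fi
done
```

The checks look for the header values as the browser sees them rather than for directives in nginx.conf, which also catches a location block that silently dropped the inherited add_header set.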