6.2. Setting up Postgres ProGate Security Parameters #
6.2.1. Restricting the Access Token Validity Period for the User of the Postgres ProGate Web Interface #
When configuring the Postgres ProGate backend, make sure that the parameters in its environment file or configuration file meet the requirements listed in Table 6.1. The table includes the security parameters from Table 3.1 as well as nginx parameters.
Table 6.1. Requirements for Postgres ProGate Security Parameters
| Configuration parameter | Environment variable | Description | Admissible value |
|---|---|---|---|
| auth.access_token_lifetime | PROGATE_AUTH_ACCESS_TOKEN_LIFETIME | Lifetime of the web interface's access token | Not greater than 30m |
| auth.refresh_token_lifetime | PROGATE_AUTH_REFRESH_TOKEN_LIFETIME | Lifetime of the web interface's refresh token | Not greater than 720h |
| password_policy.history_depth | PROGATE_PASSWORD_POLICY_HISTORY_DEPTH | Depth of the password history, that is, the number of previous passwords that a new password is checked against when the password is changed | Not less than 5 |
| password_policy.lifetime | PROGATE_PASSWORD_POLICY_LIFETIME | Lifetime of a user password | Not greater than 2160h (90 days) |
| password_policy.max_failed_attempts | PROGATE_PASSWORD_POLICY_MAX_FAILED_ATTEMPTS | Number of failed password attempts after which the user account is temporarily blocked | Not greater than 3 |
| password_policy.block_duration | PROGATE_PASSWORD_POLICY_BLOCK_DURATION | Duration for which the account stays blocked after the failed-attempt limit is reached | Not less than 15m |
| http_server.enable_debug_endpoints | PROGATE_HTTP_SERVER_ENABLE_DEBUG_ENDPOINTS | Enables the application's debug endpoints | false |
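The following script is an added example and is not part of the Postgres ProGate documentation or product. It reads an environment file in NAME=VALUE form from standard input and reports every Table 6.1 parameter that falls outside its admissible value, interpreting durations with the same h and m suffixes the table uses (plus s). The two environment files embedded in it are constructed samples, one with weak values and one that satisfies the table.

```shell
#!/bin/sh
# Added example, not part of the Postgres ProGate documentation or product:
# checks the PROGATE_* variables of an environment file against the limits
# in Table 6.1. Durations are assumed to use a single h, m or s suffix, the
# form used in the table; anything else is reported as UNPARSEABLE.

# Convert a duration such as 30m, 720h or 2160h to seconds.
# Prints the number of seconds; returns 1 for anything it cannot parse.
duration_to_seconds() {
    case "$1" in
        *h) n=${1%h}; unit=3600 ;;
        *m) n=${1%m}; unit=60 ;;
        *s) n=${1%s}; unit=1 ;;
        *)  return 1 ;;
    esac
    case "$n" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo $(($n * $unit))
}

# Check one NAME VALUE pair against Table 6.1.
# Prints OK, VIOLATION, UNPARSEABLE or UNCHECKED and returns 0, 1, 2 or 3.
check_param() {
    name=$1; value=$2
    case "$name" in
        PROGATE_AUTH_ACCESS_TOKEN_LIFETIME)          kind=duration; op=le; limit=$((30 * 60)) ;;
        PROGATE_AUTH_REFRESH_TOKEN_LIFETIME)         kind=duration; op=le; limit=$((720 * 3600)) ;;
        PROGATE_PASSWORD_POLICY_LIFETIME)            kind=duration; op=le; limit=$((2160 * 3600)) ;;
        PROGATE_PASSWORD_POLICY_BLOCK_DURATION)      kind=duration; op=ge; limit=$((15 * 60)) ;;
        PROGATE_PASSWORD_POLICY_HISTORY_DEPTH)       kind=int;      op=ge; limit=5 ;;
        PROGATE_PASSWORD_POLICY_MAX_FAILED_ATTEMPTS) kind=int;      op=le; limit=3 ;;
        PROGATE_HTTP_SERVER_ENABLE_DEBUG_ENDPOINTS)  kind=bool;     op=eq; limit=false ;;
        *) echo UNCHECKED; return 3 ;;             # not a Table 6.1 parameter
    esac
    case "$kind" in
        duration)
            actual=$(duration_to_seconds "$value") || { echo UNPARSEABLE; return 2; } ;;
        int)
            case "$value" in ''|*[!0-9]*) echo UNPARSEABLE; return 2 ;; esac
            actual=$value ;;
        bool)
            actual=$(printf '%s' "$value" | tr 'A-Z' 'a-z') ;;
    esac
    ok=0
    case "$op" in
        le) [ "$actual" -le "$limit" ] && ok=1 ;;
        ge) [ "$actual" -ge "$limit" ] && ok=1 ;;
        eq) [ "$actual" = "$limit" ] && ok=1 ;;
    esac
    if [ "$ok" -eq 1 ]; then echo OK; return 0; fi
    echo VIOLATION
    return 1
}

# Read NAME=VALUE lines (environment-file format) from stdin and print one
# "STATUS NAME=VALUE" line per PROGATE_* variable.
audit_env() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac       # blank lines and comments
        name=${line%%=*}
        value=${line#*=}
        value=${value#\"}; value=${value%\"}            # strip optional double quotes
        case "$name" in PROGATE_*) ;; *) continue ;; esac
        status=$(check_param "$name" "$value") || true
        echo "$status $name=$value"
    done
}

# Number of Table 6.1 parameters on stdin that violate their limit.
count_violations() {
    audit_env | grep -c '^VIOLATION ' || true
}

# Constructed sample (not from a real deployment): values outside Table 6.1.
WEAK_ENV='PROGATE_AUTH_ACCESS_TOKEN_LIFETIME=2h
PROGATE_AUTH_REFRESH_TOKEN_LIFETIME=720h
PROGATE_PASSWORD_POLICY_HISTORY_DEPTH=3
PROGATE_PASSWORD_POLICY_LIFETIME=8760h
PROGATE_PASSWORD_POLICY_MAX_FAILED_ATTEMPTS=10
PROGATE_PASSWORD_POLICY_BLOCK_DURATION=1m
PROGATE_HTTP_SERVER_ENABLE_DEBUG_ENDPOINTS=true'

# Constructed sample: the same file with values that satisfy Table 6.1.
HARDENED_ENV='# Postgres ProGate backend, values per Table 6.1
PROGATE_AUTH_ACCESS_TOKEN_LIFETIME=30m
PROGATE_AUTH_REFRESH_TOKEN_LIFETIME=720h
PROGATE_PASSWORD_POLICY_HISTORY_DEPTH=5
PROGATE_PASSWORD_POLICY_LIFETIME=2160h
PROGATE_PASSWORD_POLICY_MAX_FAILED_ATTEMPTS=3
PROGATE_PASSWORD_POLICY_BLOCK_DURATION=15m
PROGATE_HTTP_SERVER_ENABLE_DEBUG_ENDPOINTS=false
PROGATE_HTTP_SERVER_HOST=127.0.0.1'

# Demonstration on the constructed samples.
printf '%s\n' "$WEAK_ENV" | audit_env
echo "weak sample violations: $(printf '%s\n' "$WEAK_ENV" | count_violations)"
echo "hardened sample violations: $(printf '%s\n' "$HARDENED_ENV" | count_violations)"
```

To audit a real backend, feed its environment file to the function, for example `audit_env < /path/to/progate.env` (the path is yours; the script does not assume one). Parameters that are not listed in Table 6.1, such as PROGATE_HTTP_SERVER_HOST, are printed as UNCHECKED rather than being silently ignored, so you can see what the audit did not cover.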
6.2.2. Restricting the List of Network Addresses Listened for by the Postgres ProGate Backend #
Configure the Postgres ProGate backend so that it is reachable only from the hosts that need it.
To restrict the interfaces the backend listens on, set the following configuration parameter:
| Configuration parameter | Environment variable | Description | Recommended value |
|---|---|---|---|
| http_server.host | PROGATE_HTTP_SERVER_HOST | IP address on which the backend listens | 127.0.0.1 |
With this setting the backend accepts connections only on the loopback interface, so it cannot be reached directly from the network; it is reachable only through the web server running on the same host.
If the web server has to run on a separate host, make sure that the port specified by the http_server.port configuration parameter (or the PROGATE_HTTP_SERVER_PORT environment variable) cannot be reached from any network address other than that of the host where the web server is installed.
For example, if the web server runs on the host with the address 192.168.1.123 and PROGATE_HTTP_SERVER_PORT: 8081 is specified, network access to the Postgres ProGate backend can be restricted with the command:
iptables -A INPUT -p tcp --dport 8081 ! -s 192.168.1.123 -j DROP
Note that -A appends the rule to the end of the INPUT chain, so an earlier rule that accepts traffic to this port takes precedence; check the resulting chain with iptables -S INPUT. The rule also exists only in the running kernel and must be saved (for example with iptables-save) and restored at boot to survive a restart.
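Whether the DROP rule actually protects the port depends on the rules that precede it and on the chain policy, neither of which the command itself shows. The script below is an added example, not part of the Postgres ProGate documentation or product: a small simulator for the INPUT chain that reads `iptables -S INPUT` output and reports the verdict for a new TCP connection from a given source, so the effect of the rule can be confirmed before relying on it. It understands only the matches that appear in typical host rules (-p, -s with optional "!", --dport, -i, -m conntrack --ctstate) and refuses anything else instead of guessing. The two rule listings and the unrelated source address 203.0.113.5 are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Postgres ProGate documentation or product.
# Simulates the iptables INPUT chain for a *new* TCP connection and prints
# the verdict, so the effect of the DROP rule above can be verified offline
# from `iptables -S INPUT` output.

# usage: simulate_input SRC DPORT [IFACE]   (rule listing on stdin)
# Prints ACCEPT, DROP, REJECT or the chain policy; prints UNSUPPORTED and
# returns 2 when a rule uses an option or target it does not understand.
simulate_input() {
    src=$1; dport=$2; iface=${3:-eth0}
    policy=ACCEPT
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                       # split the rule into option tokens
        case "$1 $2" in
            "-P INPUT") policy=$3; continue ;;
            "-A INPUT") shift 2 ;;
            *) continue ;;                 # other chains, blank lines
        esac
        match=1; negate=0; target=
        while [ $# -gt 0 ]; do
            hit=1
            case "$1" in
                '!')     negate=1; shift; continue ;;
                -p)      [ "$2" = tcp ] || hit=0 ;;
                -m)      ;;                # loads a match module; no effect on the verdict
                --dport) [ "$2" = "$dport" ] || hit=0 ;;
                -i)      [ "$2" = "$iface" ] || hit=0 ;;
                -s)      case "$2" in
                             */32) [ "${2%/32}" = "$src" ] || hit=0 ;;
                             */*)  echo "UNSUPPORTED -s $2"; return 2 ;;   # only single hosts are compared
                             *)    [ "$2" = "$src" ] || hit=0 ;;
                         esac ;;
                --ctstate)                 # a new connection is only in state NEW
                         case ",$2," in *,NEW,*) ;; *) hit=0 ;; esac ;;
                -j)      target=$2 ;;
                *)       echo "UNSUPPORTED $1"; return 2 ;;
            esac
            if [ "$negate" -eq 1 ]; then hit=$((1 - $hit)); negate=0; fi
            [ "$hit" -eq 1 ] || match=0
            shift 2
        done
        [ "$match" -eq 1 ] || continue
        case "$target" in
            ACCEPT|DROP|REJECT) echo "$target"; return 0 ;;
            LOG|'') ;;                     # non-terminating: fall through to the next rule
            *) echo "UNSUPPORTED target $target"; return 2 ;;
        esac
    done
    echo "$policy"                         # no rule matched: the chain policy applies
}

# usage: verify_progate_port WEB_SERVER PORT   (rule listing on stdin)
# PROTECTED means the web server is accepted and an unrelated source is
# dropped or rejected; anything else is reported as EXPOSED.
verify_progate_port() {
    rules=$(cat)
    ws=$(printf '%s\n' "$rules" | simulate_input "$1" "$2") || true
    other=$(printf '%s\n' "$rules" | simulate_input 203.0.113.5 "$2") || true   # constructed unrelated address
    case "$ws/$other" in
        ACCEPT/DROP|ACCEPT/REJECT) echo PROTECTED ;;
        *) echo "EXPOSED (web server: $ws, other source: $other)" ;;
    esac
}

# Constructed sample of `iptables -S INPUT` on a host with policy ACCEPT
# where only the rule from this section was added.
DOC_RULES='-P INPUT ACCEPT
-A INPUT ! -s 192.168.1.123/32 -p tcp -m tcp --dport 8081 -j DROP'

# Constructed sample: the same rule appended with -A behind an earlier rule
# that accepts port 8081 from anywhere, so it never takes effect.
INEFFECTIVE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT ! -s 192.168.1.123/32 -p tcp -m tcp --dport 8081 -j DROP'

printf '%s\n' "$DOC_RULES" | verify_progate_port 192.168.1.123 8081
printf '%s\n' "$INEFFECTIVE_RULES" | verify_progate_port 192.168.1.123 8081
```

On a live host, run `iptables -S INPUT | verify_progate_port 192.168.1.123 8081` as root. The simulator models only IPv4 iptables rules for the INPUT chain; if the backend also listens on an IPv6 address, the ip6tables chain needs the same treatment, and a rule set that uses options the simulator reports as UNSUPPORTED must be reviewed by hand.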
6.2.3. Setup Considerations for Using Console Applications #
When console applications are run without a GUI, add the following variables to /etc/environment, the configuration file for global environment variables, so that statistics on task execution and audit events are sent to the backend:
PROGATE_PROGRESS_ENABLED=true
PROGATE_REPORT_ENABLED=true