powa-team / powa-web

PoWA user interface
http://powa.readthedocs.io/

Configure HTTPS on Powa and use SSL between GUI and PostgreSQL #140

Closed hrawulwa closed 1 year ago

hrawulwa commented 2 years ago

Hello, I'm looking for guidance on how to configure POWA to run on HTTPS and use SSL to protect the connection between the GUI and PostgreSQL. I have a remote setup, with both powa-collector and powa-web running on the same repository server. Please advise.

Thanks Hari

rjuju commented 2 years ago

Hi,

It depends on how you're currently running powa-web. The main powa-web application (and the powa-web.py wrapper that is often used as a simple way to start the service) currently does not allow SSL connections.

It's internally relying on tornado, which supports it, so it could be done. It's just that no one expressed any interest in that. I'm assuming that the reason for that is that most of the setups are not using this script but instead rely on a dedicated http server, as a real http server will have many more features. In that case, the SSL configuration has to be done as part of the http server configuration rather than powa-web itself.

You can see one example of powa-web configuration using apache and mod_wsgi at https://powa.readthedocs.io/en/latest/components/powa-web/deployment.html. Note that this documentation only covers the parts specific to powa-web configuration, not general apache configuration. There are however a lot of resources available online that document how to configure SSL.

banlex73 commented 2 years ago

I would like to set up an https connection too. Eagerly waiting for a reply.


rjuju commented 2 years ago

@banlex73 Are you saying that you would like some limited ability to have https in powa-web itself or that you need guidance on how to configure https in some external http daemon with wsgi for powa-web?

banlex73 commented 2 years ago

"some limited ability to have https in powa-web itself" Would be great!

rjuju commented 2 years ago

I see. @banlex73 can you try the "https" branch I just pushed (https://github.com/powa-team/powa-web/tree/https)? This should allow you to have powa-web serve SSL traffic if you add correct files for those two new options in the configuration file:

  • certfile
  • keyfile

banlex73 commented 2 years ago

Thanks. Unfortunately, I'm on vacation and cannot test till early August. Your swift reaction is much appreciated!


rjuju commented 2 years ago

No worries, I'll keep the branch around until then. Enjoy your vacation!

banlex73 commented 2 years ago

Merci


tingeltangelthomas commented 2 years ago

+1

rjuju commented 2 years ago

Hi @banlex73, could you try the new version?

banlex73 commented 2 years ago

Thanks, will do my best to try it in the next couple of days.


guruguruguru commented 1 year ago

@rjuju I just tested the changes on my system and it seems to work fine:

root@dp-powaweb01:/usr/lib/python3.6/site-packages/powa# powa-web
[I 230428 09:05:51 powa-web:39] Starting powa-web on https://0.0.0.0:443/
[I 230428 09:05:55 web:2063] 200 GET /static/css/powa-all.min.css?v=8c7dc8452e317e10953cf920dd367485 (10.23.49.162) 21.31ms
[I 230428 09:05:56 web:2063] 200 GET /static/js/powa.min-all.js?v=9b661ca18f5af5c8c6c0b15e6150f5e1 (10.23.49.162) 44.67ms
[W 230428 09:05:57 web:2063] 403 GET /login/?next=%2F (10.23.49.162) 14.94ms
[I 230428 09:06:04 web:2063] 302 POST /login/?next=%2F (10.23.49.162) 125.80ms
[I 230428 09:06:04 web:2063] 302 GET / (10.23.49.162) 36.64ms
[I 230428 09:06:04 web:2063] 200 GET /server/ (10.23.49.162) 62.06ms
[I 230428 09:06:04 web:2063] 200 GET /static/css/foundation-icons.woff (10.23.49.162) 2.16ms

One question would be whether it is possible to start it as a non-root user when running on a privileged port (443)? I guess that might not be too easy and it is not a dealbreaker for me, but it would be really nice.

I also would be really happy if this would be in the next release.

Thank you very much!

rjuju commented 1 year ago

Thanks a lot @guruguruguru , and great news!

The privileged port is more a *nix issue than a powa-web issue. Have you tried setting the CAP_NET_BIND_SERVICE capability to the powa-web script? Something like

sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/powa-web

If that works I will update the documentation in case other people have the same concern (which I totally agree with btw).

guruguruguru commented 1 year ago

Hmm weird, this does not work.

root@dp-powaweb01:/usr/bin# sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/powa-web
(powaweb) - postgres@dp-powaweb01[~] /usr/bin/powa-web
Traceback (most recent call last):
  File "/usr/bin/powa-web", line 37, in <module>
    server.listen(options.port, address=options.address)
  File "/usr/lib64/python3.6/site-packages/tornado/tcpserver.py", line 141, in listen
    sockets = bind_sockets(port, address=address)
  File "/usr/lib64/python3.6/site-packages/tornado/netutil.py", line 196, in bind_sockets
    sock.bind(sockaddr)
PermissionError: [Errno 13] Permission denied

But you are right, this is not a powa-web issue. I think I will find a workaround for this.

Edit: it works when setting it on the python binary, but I still have to think about whether this is a good thing ;-)

Edit2:
postgres 15173 1 8 09:32 ? 00:00:00 python3 /usr/bin/powa-web > /var/log/powa-15.log 2>&1
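As an added example (not code from powa-web or from anyone in this thread), a POSIX shell pre-flight check for the two new options, certfile and keyfile, together with a check that explains the failed setcap attempt above: file capabilities apply only to the ELF file the kernel actually executes, so setting them on the /usr/bin/powa-web script has no effect while setting them on the Python interpreter does. It assumes the openssl CLI is installed; all paths are hypothetical.

```shell
#!/bin/sh
# Added example, not part of powa-web or the thread: pre-flight checks for the
# new certfile/keyfile options, plus a check for the setcap problem seen above.
# All file paths used here are hypothetical.

# check_tls_pair CERTFILE KEYFILE
# Returns 0 when the certificate's public key matches the private key and the
# key file is not readable by group or others; prints the reason and returns 1
# otherwise. Uses the openssl CLI only.
check_tls_pair() {
    certfile=$1
    keyfile=$2
    [ -r "$certfile" ] || { echo "certfile not readable: $certfile"; return 1; }
    [ -r "$keyfile" ] || { echo "keyfile not readable: $keyfile"; return 1; }
    cert_pub=$(openssl x509 -in "$certfile" -noout -pubkey 2>/dev/null) \
        || { echo "not a PEM certificate: $certfile"; return 1; }
    key_pub=$(openssl pkey -in "$keyfile" -pubout 2>/dev/null) \
        || { echo "not a PEM private key: $keyfile"; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "certfile and keyfile do not belong together"; return 1; }
    # The key must be private to the account running powa-web: any other local
    # user who can read it could impersonate the GUI to browsers.
    perms=$(ls -ld "$keyfile" | cut -c5-10)
    [ "$perms" = "------" ] \
        || { echo "keyfile $keyfile is readable by group/others (use chmod 600)"; return 1; }
    return 0
}

# cap_target PATH
# Prints "elf" when PATH is an ELF executable (capabilities set with setcap
# apply to it), "script:INTERPRETER" when it is a shebang script (the kernel
# executes the interpreter, so capabilities set on the script file are ignored,
# which is why setcap on /usr/bin/powa-web did nothing above), or "unknown".
cap_target() {
    magic=$(head -c 4 "$1" | od -An -c | tr -d ' ')
    case "$magic" in
        177ELF) echo "elf" ;;
        '#!'*) echo "script:$(sed -n '1s/^#![[:space:]]*//p' "$1" | cut -d' ' -f1)" ;;
        *) echo "unknown" ;;
    esac
}

# Usage (hypothetical paths):
#   check_tls_pair /etc/powa-web/powa.crt /etc/powa-web/powa.key && echo "TLS files OK"
#   cap_target /usr/bin/powa-web
```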

rjuju commented 1 year ago

Another possibility is to use a real web server with reverse proxy feature and configure it to listen on the wanted port (possibly setting a capability for it), and then proxy connections to powa-web listening on a non-system port.

guruguruguru commented 1 year ago

Yes, I thought about this as well, but I think with SSL integrated in powa-web I am good!

So it would be great if you could prepare a release with integrated SSL (no hurry, I just want to get rid of my CentOS7 machines before EOL).

Thank you very much for the great support!

marco44 commented 1 year ago

I just added a PR to put that in the docs BTW https://github.com/powa-team/powa/pull/169

guruguruguru commented 1 year ago

This might work as well. Thank you very much, this all helped a lot.

rjuju commented 1 year ago

Thanks a lot to both of you!

I will merge the https branch, add the corresponding documentation and do a release over the weekend!

rjuju commented 1 year ago

The branch has been merged and I just released a new version!

I'm closing this issue, feel free to reopen it if needed.