sipcapture / homer-app

HOMER 7.x Front-End and API Server
http://sipcapture.io
GNU Affero General Public License v3.0

Can't turn on SSL for PGSQL from config during setup #557

Closed rnalrd closed 1 month ago

rnalrd commented 5 months ago

Trying to use SSL when connecting to PGSQL. Using the command-line option -database-ssl-mode=require works without a problem, but using the config option sslmode="require" doesn't.

~ # cat /etc/homer/webapp_config.json | jq '.database_data, .database_config'
{
  "LocalNode": {
    "help": "Settings for PGSQL Database (data)",
    "node": "LocalNode",
    "user": "homer_user",
    "pass": "password",
    "name": "homer_data",
    "keepalive": true,
    "host": "homer-db",
    "sslmode": "require"
  }
}
{
  "help": "Settings for PGSQL Database (settings)",
  "node": "LocalConfig",
  "user": "homer_user",
  "pass": "passwod",
  "name": "homer_config",
  "keepalive": true,
  "host": "homer-db",
  "sslmode": "require"
}
~ # homer-app -create-homer-user -database-root-user=$dbuser -database-host=$dbhost -database-root-password=$dbpass -webapp-config-path=/etc/homer

CONNECT to DB ROOT STRING: [host=homer-db user=postgres dbname=postgres sslmode=disable port=5432 password=lesson_learned]

panic: pq: no pg_hba.conf entry for host "bad:beef:caffe:1016::169", user "postgres", database "postgres", no encryption

goroutine 1 [running]:
main.checkAdminFlags()
    /app/main.go:1840 +0xfe5
main.main()
    /app/main.go:225 +0xaf

~ #### turning on SSL via CLI option works
~ # homer-app -create-homer-user -database-root-user=$dbuser -database-host=$dbhost -database-root-password=$dbpass -webapp-config-path=/etc/homer  -database-ssl-mode=require

CONNECT to DB ROOT STRING: [host=homer-db user=postgres dbname=postgres sslmode=require port=5432 password=lesson_learned]

HOMER - creating user [user=homer_user password=homer_password] 

(/app/migration/migration.go:62) 
[2024-05-02 12:44:13]  [60.70ms]  CREATE USER "homer_user" WITH PASSWORD 'homer_password'  
[0 rows affected or returned ] 

DONE 

HOMER - show users 
    Role name   |   Attributes
------------------------------------------------
    homer_user  |       
    postgres    |   superuser, create database  

DONE 
~ # homer-app -version
VERSION: 1.4.59

hamidrhashmi commented 5 months ago

Hi @rnalrd

Please try using usessl

{
  "LocalNode": {
    "help": "Settings for PGSQL Database (data)",
    "node": "LocalNode",
    "user": "homer_user",
    "pass": "password",
    "name": "homer_data",
    "keepalive": true,
    "host": "homer-db",
    "usessl": true
  }
}

check this.

rnalrd commented 5 months ago

Same problem with "usessl"

~ # cat /etc/homer/webapp_config.json | jq '.database_data, .database_config'
{
  "LocalNode": {
    "help": "Settings for PGSQL Database (data)",
    "node": "LocalNode",
    "user": "homer_user",
    "pass": "password",
    "name": "homer_data",
    "keepalive": true,
    "host": "homer-db",
    "usessl": true
  }
}
{
  "help": "Settings for PGSQL Database (settings)",
  "node": "LocalConfig",
  "user": "homer_user",
  "pass": "password",
  "name": "homer_config",
  "keepalive": true,
  "host": "homer-db",
  "usessl": true
}
~ # homer-app -create-homer-user -database-root-user=$dbuser -database-host=$dbhost -database-root-password=$dbpass -webapp-config-path=/etc/homer

CONNECT to DB ROOT STRING: [host=homer-db user=postgres dbname=postgres sslmode=disable port=5432 password=password]

panic: pq: no pg_hba.conf entry for host "bad:beef:cafe:1016::169", user "postgres", database "postgres", no encryption

goroutine 1 [running]:
main.checkAdminFlags()
    /app/main.go:1840 +0xfe5
main.main()
    /app/main.go:225 +0xaf

hamidrhashmi commented 5 months ago

I have tested with version 1.4.59 and with param "usessl=true" it prints log line

{"level":"info","msg":"Connecting to [127.0.0.1, homer_user, homer_data, LocalNode, 0, ssl: require]\n","time":"2024-05-06T04:37:10-05:00"}

while with "usessl=false" it prints

{"level":"info","msg":"Connecting to [127.0.0.1, homer_user, homer_data, LocalNode, 0, ssl: disable]\n","time":"2024-05-06T04:35:33-05:00"}

and it is working in both scenarios. Try enabling the debug log in the webapp config and share the homer-app logs.

rnalrd commented 4 months ago

homer:~# cat /etc/homer/webapp_config.json | jq '.database_data, .database_config, .system_settings'
{
  "LocalNode": {
    "help": "Settings for PGSQL Database (data)",
    "node": "LocalNode",
    "user": "homer_user",
    "pass": "password",
    "name": "homer_data",
    "keepalive": true,
    "host": "homer-db",
    "usessl": true
  }
}
{
  "help": "Settings for PGSQL Database (settings)",
  "node": "LocalConfig",
  "user": "homer_user",
  "pass": "password",
  "name": "homer_config",
  "keepalive": true,
  "host": "homer-db",
  "usessl": true
}
{
  "help": "Settings for HOMER logs",
  "logpath": "/var/log/homer",
  "logname": "homer-app.log",
  "_loglevels": "can be: fatal, error, warn, info, debug, trace",
  "loglevel": "debug",
  "logstdout": true
}
homer:~# homer-app -create-homer-user -database-root-user=$dbuser -database-host=$dbhost -database-root-password=$dbpass -webapp-config-path=/etc/homer
{"level":"info","msg":"init logging system","time":"2024-05-08T06:35:22Z"}

CONNECT to DB ROOT STRING: [host=homer-db user=postgres dbname=postgres sslmode=disable port=5432 password=password]

{"level":"error","msg":"pq: no pg_hba.conf entry for host \"dead:beef::1016::169\", user \"postgres\", database \"postgres\", no encryption","time":"2024-05-08T06:35:22Z"}
{"level":"error","msg":"Couldn't establish connection. Please be sure you can have correct passwordpq: no pg_hba.conf entry for host \"dead:beef::1016::169\", user \"postgres\", database \"postgres\", no encryption","time":"2024-05-08T06:35:22Z"}
{"level":"error","msg":"Try run: sudo -u postgres psql -c \"ALTER USER postgres PASSWORD 'postgres';\"","time":"2024-05-08T06:35:22Z"}
panic: pq: no pg_hba.conf entry for host "dead:beef::1016::169", user "postgres", database "postgres", no encryption

goroutine 1 [running]:
main.checkAdminFlags()
    /app/main.go:1840 +0xfe5
main.main()
    /app/main.go:225 +0xaf

Adding -database-ssl-mode=require, everything works as it should:

homer:~# homer-app -create-homer-user -database-root-user=$dbuser -database-host=$dbhost -database-root-password=$dbpass -database-ssl-mode=require -webapp-config-path=/etc/homer
{"level":"info","msg":"init logging system","time":"2024-05-08T06:36:04Z"}

CONNECT to DB ROOT STRING: [host=homer-db user=postgres dbname=postgres sslmode=require port=5432 password=password]

{"level":"debug","msg":"----------------------------------- ","time":"2024-05-08T06:36:04Z"}
{"level":"debug","msg":"*** Database Data Root Session created *** ","time":"2024-05-08T06:36:04Z"}
{"level":"debug","msg":"----------------------------------- ","time":"2024-05-08T06:36:04Z"}

HOMER - creating user [user=homer_user password=homer_password] 

(/app/migration/migration.go:62) 
[2024-05-08 06:36:04]  pq: role "homer_user" already exists 

(/app/migration/migration.go:62) 
[2024-05-08 06:36:04]  [0.72ms]  CREATE USER "homer_user" WITH PASSWORD 'homer_password'  
[0 rows affected or returned ] 

DONE 

HOMER - show users 
    Role name   |   Attributes
------------------------------------------------
    health_check    |       
    homer_user  |       
    postgres    |   superuser, create database  
    replication |       
    sr_check_user   |       

DONE 

hamidrhashmi commented 4 months ago

I followed this blog to configure SSL on Postgres. Maybe you have to follow Step 6 to resolve "no pg_hba.conf entry for host".

rnalrd commented 4 months ago

My pg_hba.conf does not allow non-SSL connections, which is why there's the error with "no encryption":

{"level":"error","msg":"pq: no pg_hba.conf entry for host \"dead:beef::1016::169\", user \"postgres\", database \"postgres\", no encryption","time":"2024-05-08T06:35:22Z"}
{"level":"error","msg":"Couldn't establish connection. Please be sure you can have correct passwordpq: no pg_hba.conf entry for host \"dead:beef::1016::169\", user \"postgres\", database \"postgres\", no encryption","time":"2024-05-08T06:35:22Z"}

When I add the CLI option -database-ssl-mode=require the connection is accepted. The problem is that "usessl: true" in config does not do its job, I need to specify via CLI that I want an SSL connection.
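
Added example, not part of the thread and not homer-app's code: one way to resolve the effective sslmode so that an unset CLI flag cannot override the config file, which is the behaviour reported above. It also masks the password before the connection string is logged. The `DBConfig` struct and all function names are hypothetical, and values are assumed to contain no spaces.

```go
package main

import (
	"fmt"
	"strings"
)

// DBConfig holds the two TLS-related keys seen in webapp_config.json in this
// thread. The struct and every function below are hypothetical.
type DBConfig struct {
	SSLMode string // "sslmode": "require"
	UseSSL  bool   // "usessl": true
}

// ResolveSSLMode returns the effective sslmode. cliSet must be true only when
// -database-ssl-mode was actually passed, so the flag's default value cannot
// silently override what the config file asks for.
func ResolveSSLMode(cfg DBConfig, cliMode string, cliSet bool) string {
	switch {
	case cliSet && cliMode != "":
		return cliMode
	case cfg.SSLMode != "":
		return cfg.SSLMode
	case cfg.UseSSL:
		return "require"
	}
	return "disable"
}

// BuildDSN assembles a key/value connection string (values assumed to contain no spaces).
func BuildDSN(host, user, db, pass, mode string) string {
	return fmt.Sprintf("host=%s user=%s dbname=%s sslmode=%s port=5432 password=%s",
		host, user, db, mode, pass)
}

// RedactDSN masks the password field so the string is safe to log.
func RedactDSN(dsn string) string {
	fields := strings.Fields(dsn)
	for i, f := range fields {
		if strings.HasPrefix(f, "password=") {
			fields[i] = "password=***"
		}
	}
	return strings.Join(fields, " ")
}

func main() {
	cfg := DBConfig{UseSSL: true} // constructed sample: config sets usessl, no CLI flag
	mode := ResolveSSLMode(cfg, "disable", false)
	fmt.Println(RedactDSN(BuildDSN("homer-db", "postgres", "postgres", "example-pass", mode)))
}
```
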

adubovikov commented 3 months ago

We can add the custom fields.

adubovikov commented 3 months ago

https://github.com/sipcapture/homer-app/commit/9e5c7b8c60121ef08e3208468e0c058c279ce40e

Please test it; you can specify any params inside.

adubovikov commented 1 month ago

Closed as resolved.