sosedoff / pgweb

Cross-platform client for PostgreSQL databases
https://sosedoff.github.io/pgweb
MIT License

SSL/TLS encrypted connections #564

Closed animentork closed 2 years ago

animentork commented 2 years ago

On the login/connection page, what happens with my password when I hit "Connect"? Is it sent in plain text over the network? By default, pgweb doesn't use TLS and I can't seem to find anything on whether it's recommended to configure it and how to do it.

sosedoff commented 2 years ago

There's no TLS out of the box, so you should never run pgweb in untrusted environments. Folks have been running pgweb in combination with ELB or behind nginx + letsencrypt. It really just depends on your environment.

sosedoff commented 2 years ago

Ideally you run pgweb on your machine over a VPN connection to the db.

animentork commented 2 years ago

Thank you, I've followed your advice about nginx, but I'm not sure if I get the configuration right. Does this seem right to you?

```nginx
http {
    server {
        # public TLS listener in front of pgweb
        listen              3456 ssl;
        server_name         localhost;
        ssl_certificate     server.crt;
        ssl_certificate_key server.key;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            # forward to pgweb on the loopback interface
            proxy_pass      https://127.0.0.1:3457;
        }
        # 497: plain HTTP request arrived on the TLS port; bounce it to HTTPS
        error_page          497 https://$host:$server_port$request_uri;
    }
}
```
animentork commented 2 years ago

It works! I needed to change https to http in this line:

```nginx
proxy_pass http://127.0.0.1:3457;
```

Which makes sense.
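The setup the thread converges on, written out as a complete nginx server configuration. This is an added example, not the project's own configuration or the poster's final file; the port numbers follow the thread (3456 for the TLS listener, 3457 for pgweb), while the hostname `pgweb.example.internal` and the certificate paths under `/etc/nginx/certs/` are placeholders. Beyond what the thread shows, it adds an HTTP-to-HTTPS redirect, restricts nginx to TLS 1.2/1.3, sets HSTS, and passes the usual forwarding headers to pgweb.

```nginx
# Added example (not from the thread or the pgweb project): nginx terminates
# TLS and proxies to pgweb over plain HTTP on loopback. Hostname, certificate
# paths and ports are assumptions to adjust for your environment.

# Anything that lands on port 80 is redirected before a login form can be
# submitted in cleartext.
server {
    listen      80;
    server_name pgweb.example.internal;
    return 301 https://$host:3456$request_uri;
}

server {
    listen      3456 ssl;
    server_name pgweb.example.internal;

    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;

    # TLS 1.2/1.3 only, AEAD suites with forward secrecy (ECDHE); no TLS 1.0/1.1.
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout       1d;
    ssl_session_cache         shared:pgweb_tls:10m;
    ssl_session_tickets       off;

    # Browsers that have seen this header refuse to downgrade to http:// later.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # A plain-HTTP request on the TLS port produces nginx's internal 497 status;
    # answer with a redirect to the HTTPS URL instead of serving the request.
    error_page 497 =301 https://$host:$server_port$request_uri;

    location / {
        # pgweb speaks plain HTTP, so this hop is cleartext; it is safe only
        # because it stays on 127.0.0.1. pgweb must be bound to 127.0.0.1 too,
        # otherwise port 3457 remains reachable from the network without TLS.
        proxy_pass         http://127.0.0.1:3457;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

Start pgweb on the loopback address so the cleartext listener is not exposed, e.g. `pgweb --bind 127.0.0.1 --listen 3457` (pgweb's `--bind` and `--listen` flags set the HTTP listen address and port), then validate the nginx file with `nginx -t` before reloading. A quick check that the plaintext port is really confined to loopback is `ss -ltnp | grep 3457`, which should show `127.0.0.1:3457` rather than `0.0.0.0:3457` or `*:3457`. If pgweb must stay reachable by others, pgweb's own `--auth-user`/`--auth-pass` HTTP basic-auth options add a second gate behind the TLS termination; with TLS in front, those credentials are no longer sent in the clear either.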