Closed animentork closed 2 years ago
There's no TLS out of the box, so you should never run pgweb in untrusted environments. Folks have been running pgweb in combination with ELB or behind nginx + letsencrypt. It really just depends on your environment.
Ideally you run pgweb on your machine over a VPN connection to the db.
Thank you, I've followed your advice about nginx, but I'm not sure if I get the configuration right. Does this seem right to you?
```nginx
http {
    server {
        listen 3456 ssl;
        server_name localhost;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass https://127.0.0.1:3457;
        }
        error_page 497 https://$host:$server_port$request_uri;
    }
}
```
It works! I needed to change https to http in this line:
```nginx
proxy_pass http://127.0.0.1:3457;
```
Which makes sense.
On the login/connection page, what happens with my password when I hit "Connect"? Is it sent in plain text over the network? By default, pgweb doesn't use TLS and I can't seem to find anything on whether it's recommended to configure it and how to do it.
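The setup this thread converges on, written out in full as an added example (not code from the pgweb project or from the participants): nginx terminates TLS on port 3456 and forwards to pgweb over plain HTTP on loopback only. The ports and certificate file names are the ones from the thread; the `events` block, the `ssl_protocols` line, the `proxy_set_header` lines and the pgweb invocation in the comment are assumptions added here.

```nginx
# Assumption: pgweb is started so that it listens on loopback only, e.g.
#   pgweb --bind=127.0.0.1 --listen=3457
# The hop from nginx to pgweb is unencrypted, so it must never leave the host.

events {}   # required by nginx in a complete config file; defaults are fine

http {
    server {
        # Browser-facing listener: the only port that should be reachable
        # from the network. The login form and its password travel over TLS.
        listen 3456 ssl;
        server_name localhost;

        ssl_certificate     server.crt;
        ssl_certificate_key server.key;

        # Assumption: restrict to current protocol versions.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            # pgweb itself speaks plain HTTP, so the upstream scheme is
            # http://, not https:// (the fix found in the thread).
            proxy_pass http://127.0.0.1:3457;

            # Assumption: pass the original host and client details upstream.
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # 497 = plain HTTP request sent to the TLS port; redirect to HTTPS
        # on the same port instead of returning an error page.
        error_page 497 https://$host:$server_port$request_uri;
    }
}
```

Validate with `nginx -t` before reloading, and confirm that port 3457 is not reachable from other hosts.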