sosedoff / pgweb

Cross-platform client for PostgreSQL databases
https://sosedoff.github.io/pgweb
MIT License
8.63k stars 732 forks

Secure connection with SSL #84

Closed. Garbee closed this 9 years ago

Garbee commented 9 years ago

I would love to leave pgweb running for quick access any-time I need it. However, I don't see a way to secure the connection to the web interface using HTTPS. In my case I have a wildcard cert that will work perfect if I could just tell pgweb to use it somehow.

Is there any current way to secure the connection to pgweb with HTTPS?

Any possibility of this being added in the future?

sosedoff commented 9 years ago

Hi. You could use nginx as a proxy in front of pgweb; configuration in this case would be super simple if you already have your ssl certificate. The reason why ssl is not supported out of the box is because of the same lack of ssl support in the gin web framework used by pgweb.

Garbee commented 9 years ago

Ah, nginx proxy! I was looking for some way to handle it with my current stack, forgot it does proxying. Thanks for the recommendation.

This issue may help others too searching at least. Will close up since that handles what I need.

Garbee commented 9 years ago

For anyone else wanting this, I set up an nginx site with this config:

server {
    listen [::]:443 ssl spdy;  # spdy was nginx's pre-HTTP/2 parameter; nginx >= 1.9.5 replaces it with http2
    listen 443 ssl spdy;

    server_name sub.site.com;

    include h5bp/directive-only/ssl.conf; # From the H5BP Nginx Server Configs, very handy stuff.

    location / {
        proxy_pass http://localhost:9999; # set port/domain to whatever you run pgweb bound to.
        proxy_set_header Host $host;
        proxy_set_header X-Real-Ip $remote_addr;  # Not even sure if these last two are needed, just pulled from the nginx wiki example.
    }
}

Boom, nginx proxying to pgweb just fine with full SSL!

sosedoff commented 9 years ago

Thanks! I will add that to the wiki.

firanto commented 8 years ago

Any idea how to do it using apache2?

Garbee commented 8 years ago

@kurotsukikaitou Just search for Apache reverse proxy instructions. That's all my nginx config is doing.

sosedoff commented 8 years ago

@kurotsukikaitou also keep in mind that running pgweb on your production servers is not recommended for security reasons.

firanto commented 8 years ago

Well... I'm planning on just running it only when I need to access it. Otherwise, I'll kill the process.

sosedoff commented 8 years ago

There are a couple of options to consider if you need to connect to your production database:

  1. Set up a pgweb username and password (there's no default), and perhaps a read-only database user.
  2. If you're using ssh keys to connect to the server you can use pgweb's built-in ssh tunnel feature or use the native ssh client (https://github.com/sosedoff/pgweb/wiki/SSH-Gateway)

Garbee commented 8 years ago

Protect it with a password (htaccess) and it should be fine unless it gets brute-forced. Otherwise I don't see any other potential hole from it in this context, as compared to any other part of your server getting attacked.
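Putting the thread's advice together (TLS terminated at nginx, a password gate in front of the UI, and pgweb reachable only through the proxy), here is an added nginx site config; it is not from the original thread or the pgweb project, and the hostname, certificate paths, htpasswd path, admin network and pgweb port are assumed placeholders:

```nginx
# Redirect plain HTTP to HTTPS so credentials never travel in the clear.
server {
    listen 80;
    listen [::]:80;
    server_name pgweb.example.com;   # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name pgweb.example.com;   # assumed hostname

    # Assumed certificate paths; point these at your wildcard cert and key.
    ssl_certificate     /etc/ssl/certs/wildcard.example.com.pem;
    ssl_certificate_key /etc/ssl/private/wildcard.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to stick to HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Password gate in front of pgweb (the "htaccess" suggestion above).
    # Create the file with:  htpasswd -c /etc/nginx/pgweb.htpasswd <user>
    auth_basic           "pgweb";
    auth_basic_user_file /etc/nginx/pgweb.htpasswd;   # assumed path

    # Optional: only let known admin networks reach the login prompt at all,
    # which also limits who can attempt to brute-force the password.
    allow 203.0.113.0/24;   # placeholder admin network
    deny  all;

    location / {
        # Start pgweb bound to loopback so it is reachable only via this proxy,
        # e.g.:  pgweb --bind 127.0.0.1 --listen 8081  (port assumed)
        proxy_pass         http://127.0.0.1:8081;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Pair this with pgweb's own auth user/password and a read-only database role as suggested earlier in the thread, so a compromised proxy credential alone still cannot modify data.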