If your infrastructure has no certificate authority (CA), you can secure the connection with a self-signed certificate.
To issue the certificate, perform the following actions in the server terminal as an administrator (root):
Go to the /etc/ssl directory.
Generate a private key and the self-signed certificate.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/progate.key \
  -out /etc/ssl/certs/progate.crt
The command above generates the private key file and the self-signed certificate; the certificate is valid for 365 days. Specify the following values when the command prompts for them:
Country Name (2 letter code) [AU]: the two-character country code.
State or Province Name (full name) [Some-State]: the name of the region.
Locality Name (eg, city) []: the name of the city.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: the name of the company.
Organizational Unit Name (eg, section) []: the name of the company business unit.
Common Name (e.g. server FQDN or YOUR name) []: the address that will be used to connect to the Postgres ProGate web application, for example, progate.example.com.
Email Address []: the administrator email.
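The same generation step as an added example (not from the Postgres ProGate documentation): the openssl command above run non-interactively, together with the checks worth doing before the files are handed to nginx. The host name, subject fields and paths are assumptions.

```shell
# Added example, not part of the ProGate documentation. Host and paths
# are assumptions; adjust them to your environment.

# gen_selfsigned HOST KEY_PATH CRT_PATH
# -subj answers the prompts listed above; -addext adds a subjectAltName.
# Browsers match the host against the SAN, not the Common Name, so a
# certificate that only carries a CN is rejected even after it is trusted.
gen_selfsigned() {
    host="$1"; key="$2"; crt="$3"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/C=AU/ST=Some-State/L=Some-City/O=Example Org/OU=IT/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$key" -out "$crt" 2>/dev/null
}

# cert_matches_key CRT_PATH KEY_PATH
# 0 when the public key inside the certificate equals the public key
# derived from the private key; a mismatched pair makes nginx -t fail.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null |
        openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256)
    # an unreadable file yields the digest of empty input; never treat
    # two such failures as a match
    empty=$(printf '' | openssl dgst -sha256)
    [ "$crt_pub" != "$empty" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_has_san CRT_PATH HOST: 0 when the certificate lists DNS:HOST as a SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# restrict_perms KEY_PATH CRT_PATH: the 600/644 modes required further down
restrict_perms() {
    chmod 600 "$1" && chmod 644 "$2"
}
```

Run it as root so the files can also be owned by root as the text requires (chown root:root is left to the step below).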
The web server configuration is generally located in the /etc/nginx directory, but the file structure may vary depending on the operating system distribution. For example, the virtual server configuration is located in different directories for the following operating systems:
For Debian-based operating systems (for example, Astra Linux), in the /etc/nginx/sites-enabled/ directory.
For Red Hat-based operating systems (for example, RED OS), in the /etc/nginx/vhosts/ directory.
For more information about the location and structure of the configuration tree, refer to the official documentation of your operating system.
The configuration procedure described below assumes that the web server configuration is located in the /etc/nginx/ directory and the virtual server parameters are located in the /etc/nginx/conf.d/ directory. Perform the following actions to configure the web server:
Place the progate.crt file in the /etc/ssl/certs/ directory.
Place the progate.key file in the /etc/ssl/private/ directory.
The progate.crt and progate.key files must be owned by the administrator (root) with 644 (rw-r--r--) and 600 (rw-------) access rights, respectively. To change the owner and access rights, execute the following commands:
chown root:root /etc/ssl/certs/progate.crt /etc/ssl/private/progate.key
chmod 600 /etc/ssl/private/progate.key
chmod 644 /etc/ssl/certs/progate.crt
Create the /etc/nginx/conf.d/progate.example.com.conf configuration file of the virtual server with the following content:
server {
    listen 80 default_server;
    server_name _;
    return 301 https://progate.example.com$request_uri;
}
server {
    listen 443 ssl default_server;
    server_name progate.example.com;
    ssl_certificate /etc/ssl/certs/progate.crt;
    ssl_certificate_key /etc/ssl/private/progate.key;
    ssl_protocols TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    sub_filter_once off;
    sub_filter **CSP_NONCE** $request_id;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=31536000";
    add_header Content-Security-Policy "
        default-src 'none';
        script-src 'self' 'nonce-$request_id';
        style-src 'self' 'nonce-$request_id';
        img-src 'self' data:;
        font-src 'self';
        connect-src 'self';
        form-action 'self';
        base-uri 'self';
        frame-ancestors 'none';
        frame-src 'none';
        object-src 'none';
    " always;
    root /opt/pgpro/progate/ui;
    location = /docs {
        try_files /index.html =404;
    }
    location = /docs/ {
        try_files /index.html =404;
    }
    location ~ ^/docs/(ru|en)/ {
        try_files $uri =404;
    }
    location / {
        index index.html;
        try_files $uri $uri/ /index.html;
    }
    location /api {
        try_files $uri @api;
    }
    location @api {
        proxy_pass http://127.0.0.1:8081;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 180s;
    }
    location ~ /\.(ht|git|svn|env) {
        deny all;
    }
    location ~ /\. {
        deny all;
    }
}
For the documentation section of the web application to operate correctly, configure routing for the /docs path by setting separate location parameters for it. If you specify only the common location / with try_files, requests to /docs and /docs/ may be handled differently than the web application expects (including documentation access errors). Specify the following parameters:
location = /docs and location = /docs/: exact URI matches. The request returns the index.html file of the documentation entry point.
location ~ ^/docs/(ru|en)/: static documentation files for the ru and en locales. If a file is missing at the URI, a 404 response is returned instead of the index.html file, so that incorrect paths are not hidden. To support other languages, add their language codes to the regular expression.
The root /opt/pgpro/progate/ui; configuration parameter specifies the directory where the progate-gui package is installed by default. If you move the package content to a different directory, modify this parameter to reflect the actual location.
The proxy_pass http://127.0.0.1:8081; configuration parameter assumes that the following configuration parameters of the Postgres ProGate backend are set to the corresponding values: PROGATE_HTTP_SERVER_HOST="127.0.0.1" and PROGATE_HTTP_SERVER_PORT="8081".
Check that the configuration is correct by running the nginx -t command. If no errors occur, the output is as follows:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
In case of errors, check that all the parameters above are specified correctly.
If no errors are found, restart the web server by executing systemctl restart nginx. After the successful restart, the Postgres ProGate web application will be available at https://progate.example.com.
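As an added example (not part of the Postgres ProGate documentation), the post-restart checks a practitioner would run against the virtual server above: the HTTP-to-HTTPS redirect, the HSTS header, the coupling between the sub_filter nonce in the page and the nonce in the Content-Security-Policy header, the /docs/ route, and the dotfile deny rule. The host name and certificate path are assumptions; the headers and HTML used in the test are constructed.

```shell
# Added example, not part of the ProGate documentation. Host and paths
# are assumptions.

# csp_nonce HEADERS: print the first nonce named in the response headers
# (the value nginx put into 'nonce-$request_id'); empty when there is none.
csp_nonce() {
    printf '%s\n' "$1" | tr -d '\r' | grep -o "'nonce-[A-Za-z0-9+/=_-]*'" |
        head -n 1 | sed "s/'nonce-\(.*\)'/\1/"
}

# body_nonces_ok BODY NONCE: 0 when sub_filter has replaced every **CSP_NONCE**
# placeholder and each nonce attribute in the page equals the header nonce.
# Otherwise the policy blocks the application's own inline scripts and styles.
body_nonces_ok() {
    body="$1"; nonce="$2"
    [ -n "$nonce" ] || return 1
    if printf '%s' "$body" | grep -q '\*\*CSP_NONCE\*\*'; then return 1; fi
    if printf '%s\n' "$body" | grep -o 'nonce="[^"]*"' |
        grep -Fqv "nonce=\"$nonce\""; then return 1; fi
    return 0
}

# audit_site HOST CA_FILE: live checks. The self-signed certificate is passed
# as the trust anchor so TLS verification stays enabled (no curl -k).
audit_site() {
    host="$1"; ca="$2"; tmp=$(mktemp)
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://$host/")
    [ "$code" = "301" ] || { echo "FAIL: no HTTP->HTTPS redirect ($code)"; return 1; }
    # -D - writes the response headers to stdout, the body goes to $tmp
    hdr=$(curl -s -D - -o "$tmp" --cacert "$ca" "https://$host/") || return 1
    printf '%s\n' "$hdr" | grep -qi '^strict-transport-security:' ||
        { echo "FAIL: HSTS header missing"; return 1; }
    body_nonces_ok "$(cat "$tmp")" "$(csp_nonce "$hdr")" ||
        { echo "FAIL: CSP nonce not applied to the page"; return 1; }
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" "https://$host/docs/")
    [ "$code" = "200" ] || { echo "FAIL: /docs/ returned $code"; return 1; }
    code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" "https://$host/.env")
    [ "$code" = "403" ] || { echo "FAIL: dotfile not denied ($code)"; return 1; }
    rm -f "$tmp"
    echo "OK: $host"
}
```

Run `audit_site progate.example.com /etc/ssl/certs/progate.crt` from a host that resolves the name to the server.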