Add nginx configuration

powa-team · Apr 28, 2023 · 169f0d4 · 169f0d4
1 parent 936922b
commit 169f0d4
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 4 deletions.
diff --git a/docs/components/powa-web/deployment.rst b/docs/components/powa-web/deployment.rst
@@ -2,15 +2,70 @@ Deployment Options
 ==================
 
 
-Apache
-------
-
-PoWA can easily be deployed using Apache mod_wsgi module.
+PoWA can be deployed easily using NGINX or Apache
 
 First you have to install and configure Powa like in the `quickstart` section.
 Check that the powa-web executable works before proceeding.
 
+NGINX
+-----
+
+You can use NGINX as a reverse proxy to PoWA. It makes it possible to bind it
+to system ports (lower than 1024), and add HTTPS.
+
+Just add a new site to your configuration. Depending on your distribution, it will be
+somewhere like /etc/nginx/sites (RedHat derivatives), /etc/nginx/sites-available
+(Debian derivatives, you'll have to then do a symlink to /etc/nginx/sites-enabled to enable this site).
+
+Put this, for example, in the configuration file (if you just want HTTPS proxying, and no virtualhost):
+
+.. code-block:: nginx
+
+    server {
+      listen 0.0.0.0:443 http2 ssl default_server;
+      server_name _;
+
+      ssl_certificate /etc/pki/tls/certs/self-signed.pem;
+      ssl_certificate_key /etc/pki/tls/certs/self-signed.key;
+
+      access_log /var/log/nginx/access.log upstream;
+      error_log /var/log/nginx/error.log;
+
+      client_max_body_size 15M;
+
+      location / {
+        proxy_pass http://127.0.0.1:8888;
+      }
+    }
+
+You'll obviously need to produce certificates, which is out of scope of this documentation.
+
+If you just need HTTP, just change listen to 0.0.0.0:80, and remove ssl. Something like this:
+
+.. code-block:: nginx
+
+    server {
+      listen 0.0.0.0:80 http2 default_server;
+      server_name _;
+
+      ssl_certificate /etc/pki/tls/certs/self-signed.pem;
+      ssl_certificate_key /etc/pki/tls/certs/self-signed.key;
+
+      access_log /var/log/nginx/access.log upstream;
+      error_log /var/log/nginx/error.log;
+
+      client_max_body_size 15M;
+
+      location / {
+        proxy_pass http://127.0.0.1:8888;
+      }
+    }
+
+
+Apache
+------
 
+PoWA can also easily be deployed using Apache mod_wsgi module.
 
 In your apache configuration file, you should:
 

diff --git a/docs/security.rst b/docs/security.rst
@@ -45,6 +45,13 @@ Therefore, for each postgres roles using powa, you also need to:
 
 If you don't, some useful parts of the UI won't work as intended.
 
+TLS and default HTTP/HTTPS ports
+--------------------------------
+
+As powa-web is just a python script, it's probably better not to run it as root. This means it won't be able to bind to the default HTTP port.
+
+The most secure way of doing is putting a reverse proxy, like nginx, in front of it. You'll also get the possibility of using an SSL certificate.
+
 PoWA-archivist & PoWA-collector in remote mode
 **********************************************