This instance of envelope was installed as @prefix@/sbin/envelope (Usually /usr/local/sbin/envelope)
envelope
[-h | --help]
[-v | --version]
[-c <config-file> | --config-file=<config-file>]
[-d <connection-file> | --connection-file=<connection-file>]
[-y <app-path> | --app-path=<app-path>]
[-z <role-path> | --role-path=<role-path>]
[-r <web-root> | --web-root=<web-root>]
[-p <port> | --envelope-port=<port>]
[-j <tls-cert> | --tls-cert=<tls-cert>]
[-k <tls-key> | --tls-key=<tls-key>]
[-l <log-level> | --log-level=<log-level>]
[-t <login-timeout> | --login-timeout=<login-timeout>]
[-u <public-username> | --public-username=<public-username>]
[-w <public-password> | --public-password=<public-password>]
[-q <log-queries-over> | --log-queries-over=<log-queries-over>]
[-a <log-queries-over-action-name> | --log-queries-over-action-name=<log-queries-over-action-name>]
[-f <api-referer-list> | --api-referer-list=<api-referer-list>]
[-i <allow-public-login> | --allow-public-login=<allow-public-login>]
[-j <public-api-referer-list> | --public-api-referer-list=<public-api-referer-list>]
[-2 <2fa-function> | --2fa-function=<2fa-function>]The envelope utility is a tool to make using your PostgreSQL database fast and easy. It provides web access and can be used on a tablet, or even on a phone.
All log output is pushed to stderr, if you are pushing that to a file, then you must handle rotating the file yourself or it will get large and slow envelope down.
-h or --help
Print usage and exit
-v or --version
Print version information and exit
-c or --config-file=
String; defaults to @prefix@/etc/envelope/envelope.conf
You can use this option to tell Envelope where to look for the configuration file. A sample configuration file is provided in @prefix@/etc/envelope. If there is no file specified Envelope will look in the current directory for a config file. If no config file is found Envelope will proceed with default values.
The following options can be specified on the command line or in the configuration file. In the event a value is specified on the command line and in the config file, Envelope will always use the command line option. Note that if no option is specified then some options will be set to a default value.
[command line short] or [command line long] or [config file]
-d or --connection-file= or connection_file=
String; defaults to @prefix@/etc/envelope/envelope-connections.conf
When you install Envelope, the Makefile will generate a path to the sample envelope-connections.conf file and put it in the sample config file. Use this option to tell Envelope where your connection list is located.
If not specified, Envelope looks in the same folder as the config file for a file named envelope-connections.conf. If Envelope can't find a connection file, it will error.
-s or --super-only= or super_only=
Boolean; defaults to false
This tells Envelope whether or not to only allow super users to login. The recommended value is true and will restrict users who are not super users from logging in to any PostgreSQL instance through Envelope. Note that a connection will be made to PostgreSQL in order to test if the user is a superuser.
-g or --login-group= or login_group=
String; no default
This tells Envelope to only allow users in a certain PostgreSQL group to login to Envelope. Note that a connection will be made to PostgreSQL in order to test if the user is a member of the login group.
-r or --web-root= or web_root=
String; Defaults to @prefix@/etc/envelope/web_root
This tells Envelope where the HTML files have been installed to.
-y or --app-path= or app_path=
String; defaults to @prefix@/etc/envelope/app
This tells Envelope where the app HTML files have been installed to.
-z or --role-path= or role_path=
String; defaults to @prefix@/etc/envelope/role
This tells Envelope where the role DATA files have been installed to.
-p or --envelope-port= or envelope_port=
Integer; defaults to 8888
This tells Envelope what port to listen on for browser requests. If the port starts with the string "unix:", then it is interpreted as a file path for a unix socket.
-j or --tls-cert= or tls_cert=
-k or --tls-key= or tls_key=
String; no defaults
These options tell Envelope where the TLS Certificate and Key files reside. If you use these options then you'll only be able to access Envelope through a secure TLS connection.
These options are only necessary if you wish to connect directly to Envelope using a secure TLS connection. As an alternative, you can set up Envelope in a reverse proxy configuration. This allows your web server to terminate the secure connection and pass on the request to Envelope. You can find help to set up this configuration in the INSTALL_NGINX file that came with your distribution.
-n or --allow-custom-connections= or allow_custom_connections=
Boolean; defaults to false
This tells Envelope whether or not to allow anyone to use a custom connection from the login screen.
-l or --log-level= or log_level=
String; defaults to error
This option regulates the frequency and verbosity of log messages. Possible values are none, error, warn, notice and info.
-t or --login-timeout= or login_timeout=
Integer; defaults to 3600
This option regulates the login timeout (in seconds) after the last activity on a session.
If 0, no timeout is enforced.
-u or --public-username= or public_username=
-w or --public-password= or public_password=
String; no defaults
This option tells envelope than public actions should use these credentials, if they are unset, then public actions are disabled.
-q or --log-queries-over= or log_queries_over=
Integer; 120
-a or --log-queries-over-action-name= or log_queries_over_action_name=
String; no default
log_queries_over will tell envelope to check every log_queries_over / 10 seconds for queries (run by envelope) that have been running longer than log_queries_over seconds. If you have log_queries_over_action_name set as well, then it will run the PostgreSQL function named. Note: log_queries_over_action_name requires a public user to be setup, envelope uses the public user to connect at startup and runs the action for every query it detects.
-f or --api-referer-list= or api_referer_list=
String; no defaults, required
-j or --public-api-referer-list= or public_api_referer_list=
String; defaults to api-referer-list
api_referer_list controls the Referers allowed to run API calls when logged in. public_api_referer_list is the same, but only applies to no-cookie API calls. Note: Referer is spelled as such because that is the way it is spelled in RFC 1945.
-i or --allow-public-login= or allow_public_login=
Boolean; defaults to false
If enabled, you can use /env/authnc to set a cookie with the public user credentials.
-2 or --2fa-function= or 2fa_function=
String; no defaults, optional
-m or --2fa-timeout= or 2fa_timeout=
Integer; defaults to 300 seconds (5 minutes)
Setting this parameter gives you an extra layer of login security. The value of the parameter should be a function named that takes a single text parameter (the user's login name) and returns text (the token itself) like so: CREATE OR REPLACE FUNCTION public.token_2fa(str_user text) RETURNS text. The function should generate a token and then transmit it to the user via some second channel (i.e. an email, SMS, or other IM). envelope will direct users to a second screen for them to enter the token and allow them to continue only if they enter the correct token. The user will also have an option to send a new token. 2fa_timeout determines how long a token remains valid. If the token function returns an empty string, then the 2fa is skipped. Note that 2fa does not apply to No Cookie authentication. If 2fa is enabled, Cookies will not expire for 100 years and they are no longer restricted by ip address.
Envelope requires at least one PostgreSQL server be listed in the envelope-connections.conf file. This version of Envelope doesn't allow you to specify a server from the command line. Enter only one PostgreSQL server per line. For envelope, only the first server is used.
The format of a connection string is:
[server name]: [standard PostgreSQL connection string]Detailed information about PostgreSQL connection strings is available here
If you put a username in this connection string, Envelope will connect as that user (using .pgpass or whatever other means of authentication you set up), then check the password against pg_authid, then SET SESSION AUTHORIZATION afterwards.
It is recommended to have a superuser in your database specifically for envelope.
The recommended script for creating this user is:
CREATE ROLE <username> LOGIN SUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION PASSWORD '<password>'Of course, you should choose a name and password that doesn't have 'envelope' in it, otherwise the people who try to break into your database can make that assumption.
nuc-server: hostaddr=192.168.0.100 port=5432 dbname=postgres
mini-server: hostaddr=127.0.0.1 port=5432 dbname=postgres sslmode=requireRun envelope (short argument):
@prefix@/sbin/envelope -c @prefix@/etc/envelope/envelope.conf -d @prefix@/etc/envelope/envelope-connections.confRun envelope (long argument):
@prefix@/sbin/envelope --config-file=@prefix@/etc/envelope/envelope.conf --connection-file @prefix@/etc/envelope/envelope-connections.confTry accessing your database through psql. If you can, double check your connection string parameters. If you can't connect, you may have a firewall problem.
Copyright (c) 2021 Workflow Products, LLC
Created by Annunziato Tocci
Report bugs to here
Send us feedback! Current contact information can be found at workflowproducts.com