Secure Database Lab Engine

To secure your work with the Database Lab Engine API or CLI, install and configure NGINX with a self-signed SSL certificate.

Set ${IP_OR_HOSTNAME} for your instance, using either its hostname or the IP address:

export IP_OR_HOSTNAME="$(curl https://ipinfo.io/ip)"

Install NGINX:

sudo apt-get install -y nginx openssl

Set the ${YOUR_OWN_PASS} environment variable for certificate generation:

read -sp 'Enter custom password: ' YOUR_OWN_PASS

Generate an SSL certificate request:

mkdir -p ~/ssl
cd ~/ssl
# TODO: Use https://github.com/suyashkumar/ssl-proxy instead.
# To generate certificates, use, for instance, Let's Encrypt
# (e.g. https://zerossl.com/free-ssl/#crt).
# Here we are generating a self-signed certificate.
# The pass: argument is quoted so that passwords containing spaces work.
openssl genrsa -des3 -passout "pass:${YOUR_OWN_PASS}" -out server.pass.key 2048
openssl rsa -passin "pass:${YOUR_OWN_PASS}" -in server.pass.key -out server.key
rm server.pass.key
# Will ask a bunch of questions which should be filled with answers.
openssl req -new -key server.key -out server.csr

Finish the SSL certificate generation and configure NGINX (do not forget to set $IP_OR_HOSTNAME as described above!). The website https://nginxconfig.io/ can also be helpful when you prepare an NGINX config file. Here is a basic example:

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key \
  -out server.crt
sudo mkdir -p /etc/nginx/ssl
sudo cp server.crt /etc/nginx/ssl
sudo cp server.key /etc/nginx/ssl
# "listen 443 ssl" enables TLS; the obsolete "ssl on;" directive is omitted
# (it was removed in NGINX 1.25.1).
cat <<CONFIG > default
server {
  listen 443 ssl;
  ssl_certificate /etc/nginx/ssl/server.crt;
  ssl_certificate_key /etc/nginx/ssl/server.key;
  server_name ${IP_OR_HOSTNAME};
  access_log /var/log/nginx/database_lab.access.log;
  error_log /var/log/nginx/database_lab.error.log;
  location / {
    proxy_set_header   X-Forwarded-For \$remote_addr;
    proxy_set_header   Host \$http_host;
    proxy_pass         "http://127.0.0.1:2345";
  }
}
CONFIG
sudo cp default /etc/nginx/sites-available/default
sudo systemctl restart nginx
# See also (though here it was not used, it might be helpful):
# https://nginxconfig.io/

Now we can check the status over an HTTPS connection (here we use the --insecure flag so that curl accepts the self-signed certificate we generated above):

curl \
  --insecure \
  --include \
  --request GET \
  --header 'Verification-Token: secret_token' \
  https://${IP_OR_HOSTNAME}/status
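
As an added example (not part of the Database Lab documentation): a sketch that issues the self-signed certificate non-interactively with a subjectAltName for the host, then checks that the key and certificate belong together and that the certificate covers the address clients will connect to. The function names, the temporary directory and the sample address are hypothetical; it assumes OpenSSL 1.1.1 or later and uses `-nodes` in place of the passphrase-then-strip steps above.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names); requires OpenSSL 1.1.1 or later.

# san_for <host>: IP literals need an "IP:" SAN entry, host names need "DNS:".
san_for() {
  case "$1" in
    *:*)       echo "IP:$1" ;;    # IPv6 literal
    *[!0-9.]*) echo "DNS:$1" ;;   # anything that is not only digits and dots
    *)         echo "IP:$1" ;;    # dotted IPv4
  esac
}

# make_cert <host> <dir>: write server.key and server.crt into <dir>.
# -nodes leaves the key unencrypted, the same end state as the
# genrsa + "openssl rsa" passphrase-stripping steps on the page.
make_cert() {
  ( umask 077   # keep the private key readable by its owner only
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/CN=$1" -addext "subjectAltName=$(san_for "$1")" \
      -keyout "$2/server.key" -out "$2/server.crt" 2>/dev/null )
}

# key_matches_cert <dir>: succeed only if the key and certificate are a pair,
# by comparing the public key extracted from each.
key_matches_cert() {
  local a b
  a="$(openssl x509 -in "$1/server.crt" -noout -pubkey)"
  b="$(openssl pkey -in "$1/server.key" -pubout)"
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_covers <dir> <host>: succeed if the certificate is valid for <host>.
cert_covers() {
  local flag=-checkhost
  case "$(san_for "$2")" in IP:*) flag=-checkip ;; esac
  openssl x509 -in "$1/server.crt" -noout "$flag" "$2" | grep -q 'does match'
}

# Demo with a constructed address from the RFC 5737 documentation range.
demo_dir="$(mktemp -d)"
make_cert "192.0.2.10" "$demo_dir" && key_matches_cert "$demo_dir" \
  && cert_covers "$demo_dir" "192.0.2.10" && echo "certificate OK"
rm -rf "$demo_dir"
```

A client that holds a copy of `server.crt` can then run the status check with `--cacert server.crt` in place of `--insecure`.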