Panorama: Configure https access to Docker container with Nginx

The Oracle performance analysis app Panorama as Docker container does not natively support https-connections.

But securing http-access to Panorama can easily be reached by running the Panorama-container behind a reverse proxy.

This example shows using Nginx as reverse proxy and docker-compose to place Panorama behind the reverse proxy.

I've used already existing own SSL-certificates for the target host.
Obviously you may want to use certificates generated by Lets Encrypt but this often doesn't work in company environments behind firewalls.

Place the pem- and key-file of your certificate combined with the two files "docker-compose.yml" and "nginx.conf" in one directory and run "docker-compose up" to start Panorama and Nginx.

Example for nginx.conf (replace certificate file names):

# Nginx config for Panorama
# Peter Ramm, 22.03.2019

events {
}

http {
  # Redirect all http traffic on port 80 to https 443
  server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
  }

  server {
    server_name _;
    listen 443 ssl;

    ssl_certificate /etc/nginx/ssl_certificates/mycert.pem;
    ssl_certificate_key /etc/nginx/ssl_certificates/mycert.key;

    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;

    # Redirect ../Panorama to docker container with IP-Address panorama
    location /Panorama {
      proxy_pass http://panorama:8080/Panorama;
      # Set header to prevent "HTTP Origin header didn't match request.base_url"
      proxy_set_header  Host $host;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Proto $scheme;
      proxy_set_header  X-Forwarded-Ssl on; # Optional
      proxy_set_header  X-Forwarded-Port $server_port;
      proxy_set_header  X-Forwarded-Host $http_host;
      proxy_set_header  X-Real-IP $remote_addr;

      # Timout-Handling is done by Panorama itself
      proxy_read_timeout  3600;
    }

    # Redirect call on root to ../Panorama
    location / {
        return 301 https://$host/Panorama;
    }
  }
}

Example for docker-compose.yml 

# Run Panorama with SSL fassade
# Peter Ramm, 22.03.2019

version: '3'
services:
  nginx:
    restart: always
    image: nginx:latest
    container_name: nginx
    networks:
      - web
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./:/etc/nginx/ssl_certificates/
    ports:
      - 80:80
      - 443:443

  panorama:
    restart: always
    image: rammpeter/panorama:latest
    container_name: panorama
    expose:
      - "8080"
    environment:
      - TNS_ADMIN=/etc
      - TZ=Europe/Berlin
      - MAX_JAVA_HEAP_SPACE_MB=4096
      - PANORAMA_VAR_HOME=/var/opt/panorama
      - PANORAMA_SAMPLER_MASTER_PASSWORD=$PANORAMA_SAMPLER_MASTER_PASSWORD
      - LOG_LEVEL=info
    networks:
      - web
    volumes:
      - $TNS_ADMIN/tnsnames.ora:/etc/tnsnames.ora
      - /var/opt/panorama:/var/opt/panorama

networks:
  web:

In result Panorama is served at 
https://<myhost>/Panorama
.
Calling 
http://<myhost>
and 
https://<myhost>
would be redirected to 
https://<myhost>/Panorama
.

Comments

Post a Comment

Popular posts from this blog

Common pitfalls using SQL*Net via Firewalls

It's very common that firewalls are terminating idle TCP sessions after a limited time, often after approximately one hour. Possible problem If you have a long running SQL or PL/SQL program and the firewall terminates your apparently idle TCP session this may lead to the following scenario: the database is not able to send result to client. After reaching the TCP-timeout the database server terminates the DB-Session the client program stays in socket read forever waiting for the database response Oracle's full solution: SQLNET.EXPIRE_TIME=x in sqlnet.ora Oracle's solution for this problem is setting parameter SQLNET.EXPIRE_TIME=x in sqlnet.ora where x are the minutes between keep alive packets on idle sessions that inform the firewall that this session is always alive. SQLNET.EXPIRE_TIME hast to be set in the sqlnet.ora of your RDBMS' ORACLE_HOME. Normally $ORACLE_HOME/network/admin. If you have a grid infrastructure setting SQLNET.EXPIRE_TIME in sqlnet
Read more

Oracle-DB: How to check for appropriate sequence caching

Image
A common pitfall while using sequences in Oracle-DB is forgetting to define sequence caching. The default for sequences is cache size = 0. That means, every sequence.nextval operation triggers a single write operation on dictionary table sys.SEQ$. Especially if frequently calling sequence.nextval uncached sequences may cause significant performance degradation. Frequently calling sequence.nextval in parallel sessions may lead to ramdom lock scenarios in library cache. Setting a cache size for a sequence may heavy increase performance of nextval-operations. There's a minimal memory overhead for caching a sequence because all that's needed is a counter to increase in SGA memory and a upper limit. If this limit is reached with the counter, the upper limit is increased by cache size and the new upper limit is written down once to SEQ$. The possible drawback for sequence caching is that you loose all your values between the current value and the highest cached value if yo
Read more

Oracle-DB: Link between audit trail and active session history

Unfortunately the audit trail of the Oracle-DB uses a different session identifier (AudSid) than the Active Session History (SID + Serial#). Both identifiers are available in v$Session (AudSid, SID, Serial#). So during lifetime of a session it is possible to link between the session info from v$Session an audit trail. But neither the AudSID is stored in ASH (v$Active_Session_History) nor the SID + Serial# is stored in audit trail. This prevents from combining session info of both sources after the session is closed. There is a possible way to link audit trail with ASH by establishing a logon trigger for that. The LOGOFF records in audit trail (if AUDIT SESSION is active) record also the Client_Identifier from v$Session. So supplying v$Session.Client_Identifier with the needed info allows to retrieve it from DBA_Audit_Trail.Client_ID.  This logon trigger does it: CREATE OR REPLACE TRIGGER Client_ID AFTER LOGON ON DATABASE -- Put unique session identifier into client-id to have it a
Read more