Panorama: Configure https access to Docker container with Nginx

The Oracle performance analysis app Panorama as Docker container does not natively support https-connections.

But securing http-access to Panorama can easily be reached by running the Panorama-container behind a reverse proxy.

This example shows using Nginx as reverse proxy and docker-compose to place Panorama behind the reverse proxy.

I've used already existing own SSL-certificates for the target host.
Obviously you may want to use certificates generated by Lets Encrypt but this often doesn't work in company environments behind firewalls.

Place the pem- and key-file of your certificate combined with the two files "docker-compose.yml" and "nginx.conf" in one directory and run "docker-compose up" to start Panorama and Nginx.

Example for nginx.conf (replace certificate file names):

# Nginx config for Panorama
# Peter Ramm, 22.03.2019

events {
}

http {
  # Redirect all http traffic on port 80 to https 443
  server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
  }

  server {
    server_name _;
    listen 443 ssl;

    ssl_certificate /etc/nginx/ssl_certificates/mycert.pem;
    ssl_certificate_key /etc/nginx/ssl_certificates/mycert.key;

    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;

    # Redirect ../Panorama to docker container with IP-Address panorama
    location /Panorama {
      proxy_pass http://panorama:8080/Panorama;
      # Set header to prevent "HTTP Origin header didn't match request.base_url"
      proxy_set_header  Host $host;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Proto $scheme;
      proxy_set_header  X-Forwarded-Ssl on; # Optional
      proxy_set_header  X-Forwarded-Port $server_port;
      proxy_set_header  X-Forwarded-Host $http_host;
      proxy_set_header  X-Real-IP $remote_addr;

      # Timout-Handling is done by Panorama itself
      proxy_read_timeout  3600;
    }

    # Redirect call on root to ../Panorama
    location / {
        return 301 https://$host/Panorama;
    }
  }
}

Example for docker-compose.yml 

# Run Panorama with SSL fassade
# Peter Ramm, 22.03.2019

version: '3'
services:
  nginx:
    restart: always
    image: nginx:latest
    container_name: nginx
    networks:
      - web
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./:/etc/nginx/ssl_certificates/
    ports:
      - 80:80
      - 443:443

  panorama:
    restart: always
    image: rammpeter/panorama:latest
    container_name: panorama
    expose:
      - "8080"
    environment:
      - TNS_ADMIN=/etc
      - TZ=Europe/Berlin
      - MAX_JAVA_HEAP_SPACE_MB=4096
      - PANORAMA_VAR_HOME=/var/opt/panorama
      - PANORAMA_SAMPLER_MASTER_PASSWORD=$PANORAMA_SAMPLER_MASTER_PASSWORD
      - LOG_LEVEL=info
    networks:
      - web
    volumes:
      - $TNS_ADMIN/tnsnames.ora:/etc/tnsnames.ora
      - /var/opt/panorama:/var/opt/panorama

networks:
  web:

In result Panorama is served at 
https://<myhost>/Panorama
.
Calling 
http://<myhost>
and 
https://<myhost>
would be redirected to 
https://<myhost>/Panorama
.

Comments

Post a Comment

Popular posts from this blog

Oracle-DB: How to check for appropriate sequence caching

Image
A common pitfall while using sequences in Oracle-DB is forgetting to define sequence caching. The default for sequences is cache size = 0. That means, every sequence.nextval operation triggers a single write operation on dictionary table sys.SEQ$. Especially if frequently calling sequence.nextval uncached sequences may cause significant performance degradation. Frequently calling sequence.nextval in parallel sessions may lead to ramdom lock scenarios in library cache. Setting a cache size for a sequence may heavy increase performance of nextval-operations. There's a minimal memory overhead for caching a sequence because all that's needed is a counter to increase in SGA memory and a upper limit. If this limit is reached with the counter, the upper limit is increased by cache size and the new upper limit is written down once to SEQ$. The possible drawback for sequence caching is that you loose all your values between the current value and the highest cached value if yo
Read more

Common pitfalls using SQL*Net via Firewalls

It's very common that firewalls are terminating idle TCP sessions after a limited time, often after approximately one hour. Possible problem If you have a long running SQL or PL/SQL program and the firewall terminates your apparently idle TCP session this may lead to the following scenario: the database is not able to send result to client. After reaching the TCP-timeout the database server terminates the DB-Session the client program stays in socket read forever waiting for the database response Oracle's full solution: SQLNET.EXPIRE_TIME=x in sqlnet.ora Oracle's solution for this problem is setting parameter SQLNET.EXPIRE_TIME=x in sqlnet.ora where x are the minutes between keep alive packets on idle sessions that inform the firewall that this session is always alive. SQLNET.EXPIRE_TIME hast to be set in the sqlnet.ora of your RDBMS' ORACLE_HOME. Normally $ORACLE_HOME/network/admin. If you have a grid infrastructure setting SQLNET.EXPIRE_TIME in sqlnet
Read more

Oracle-DB: Identify excessive logon/logoff operations with short-running sessions

Image
Creating and destroying database sessions in loop may lead to significant database load. This blog post contains more about quantifying this load. Applications should use connection pooling at client or database side to prevent excessive session creation. But how can I identify the client processes causing this sessions? Scan DBA_Audit_Trail to identify context info If auditing logon/logoff-operations is activated for your database, scan DBA_Audit_Trail. You can do this by 2 was: Alternative 1: Use my tool "Panorama" to evaluate audit trail Panorama is available here. Go to menu "DBA general" / "Audit Trail": Select start and end time for selection Filter column "Action" for "LOGON" Set "Grouping" to "Minute" Execute selection via button "Show audit trail" Add columns of your choice to diagram by context menu (right mouse button) This way you can identify the machine, DB-user
Read more