Secure¶
You can improve the security of your PMM installation with:
-
SSL encryption to secure traffic between client and server;
To see which security features are enabled:
pmm-admin status
Tip
You can gain an extra level of security by keeping PMM Server isolated from the internet, if possible.
SSL encryption¶
You need valid SSL certificates to encrypt traffic between client and server.
With our Docker, OVF and AMI images, self-signed certificates are in /srv/nginx.
To use your own, you can either:
-
mount the local certificate directory to the same location, or,
-
copy your certificates to a running PMM Server container.
Mounting certificates¶
For example, if your own certificates are in /etc/pmm-certs:
docker run -d -p 443:443 --volumes-from pmm-data \
--name pmm-server -v /etc/pmm-certs:/srv/nginx \
--restart always percona/pmm-server:2
- The certificates must be owned by root. You can do this with:
chown 0:0 /etc/pmm-certs/* - The mounted certificate directory (
/etc/pmm-certsin this example) must contain the filescertificate.crt,certificate.key,ca-certs.pemanddhparam.pem. - For SSL encryption, the container must publish on port 443 instead of 80.
Copying certificates¶
If PMM Server is running as a Docker image, use docker cp to copy certificates. This example copies certificate files from the current working directory to a running PMM Server docker container.
docker cp certificate.crt pmm-server:/srv/nginx/certificate.crt
docker cp certificate.key pmm-server:/srv/nginx/certificate.key
docker cp ca-certs.pem pmm-server:/srv/nginx/ca-certs.pem
docker cp dhparam.pem pmm-server:/srv/nginx/dhparam.pem
Enabling SSL when connecting PMM Client to PMM Server¶
pmm-admin config --server-url=https://<user>:<password>@<server IP>
Grafana HTTPS secure cookies¶
To enable:
-
Start a shell within the Docker container.
docker exec -it pmm-server bash -
Edit
/etc/grafana/grafana.ini. -
Enable
cookie_secureand set the value totrue. -
Restart Grafana.
supervisorctl restart grafana