Documentation for using TLS for https login?

Do you have any documentation on how to set up https login using TLS on PMM2? Or, am I essentially just going to use the Grafana documentation? (Would anything in the pre-baked PMM setup overwrite my changes?) I did a brief scan of the PMM documentation and nothing popped out at me.

I am going to assume you mean using a custom certificate vs the self-signed one we ship with. If so, this documentation was just completed this sprint, but I don’t think it has been published yet. The Grafana docs wouldn’t help because I think SSL termination at the container is done with nginx, but the instructions should account for upgrades. It’ll be important though to have a separate data volume for your PMM server to make sure you don’t lose anything if you did a container upgrade vs the in-place UI upgrade. I’ll see if I can find out when the next docs update will be and update this thread.

@steve.hoffman Thank you, that is exactly what I meant, my cert terminology is a little weak. PMM2 got flagged on a corporate security scan so that’s where I’m coming from. I do indeed have a separate pmm-data container, so I look forward to seeing the documentation!

Closing the loop officially on this one: Here’s the page I mentioned earlier. Please don’t hesitate to provide feedback if you think we can make it better!

Deleting my question, I forgot to disable port 80 in my docker-compose.

@steve.hoffman how do we set up a reverse proxy in front of pmm-server? That way we don’t have to type the IP address instead of the domain address. Also we would be able to use LetsEncrypt certificates. Thanks.

There already is a reverse proxy in front of PMM (inside the container): nginx. By default it will respond to whatever you ask it: IP, A record, CNAME, and will route links to the appropriate service inside the container. For instance, we did nothing extra to get our PMM demo site to answer both to pmmdemo.percona.com and by direct IP (which you can do an nslookup and test, but be aware the IP is not static so I wouldn’t bookmark by IP).

The instructions above should also let you use LetsEncrypt certs as well, as you’d override the default ones we ship with PMM (which I believe are also LetsEncrypt certs).

If you have a need for a second reverse proxy, could you explain, as it’s probably doable but would probably mess with things like logs/debugging that track request IP.

@steve.hoffman Thanks, that works perfectly fine. All I had to do was just copy certificates into the container and reload nginx (and grafana secure_cookie setting). No need for another nginx in front of it.