From ae5be11715f164231d1c49c48cf7748145238719 Mon Sep 17 00:00:00 2001
From: SamyOubouaziz
Date: Mon, 3 Jun 2024 13:29:12 +0200
Subject: [PATCH 1/7] docs(sdb): add doc on ssl/tls MTA-4669
---
 menu/navigation.json | 10 ++
 .../how-to/secure-connection-ssl-tls.mdx | 138 ++++++++++++++++++
 2 files changed, 148 insertions(+)
 create mode 100644 serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx
diff --git a/menu/navigation.json b/menu/navigation.json
index f648047a31..e5bbb7bc88 100644
--- a/menu/navigation.json
+++ b/menu/navigation.json
@@ -1831,6 +1831,16 @@
 "label": "How to",
 "slug": "how-to"
 },
+ {
+ "items": [
+ {
+ "label": "Securing connections using SSL/TLS",
+ "slug": "secure-connection-ssl-tls"
+ }
+ ],
+ "label": "API/CLI",
+ "slug": "api-cli"
+ },
 {
 "items": [
 {
diff --git a/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx b/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx
new file mode 100644
index 0000000000..a1062c03f9
--- /dev/null
+++ b/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx
@@ -0,0 +1,138 @@
+---
+meta:
+ title: Secure connections using SSL/TLS
+ description: This page explains how to to configure SSL/TLS to encrypt traffic between your client and Serverless SQL Databases
+content:
+ h1: Secure connections using SSL/TLS
+ paragraph: This page explains how to to configure SSL/TLS to encrypt traffic between your client and Serverless SQL Databases
+dates:
+ validation: 2024-06-03
+ posted: 2024-06-03
+---
+
+This tutorial will guide you through SSL/TLS configuration in your PostgreSQL-compatible client to ensure your traffic with Scaleway's Serverless SQL Databases is encrypted.
+
+Configuration examples for languages, frameworks and tools:
+ - [Python](#pythonpsycopg2)
+ - [Python](#pythondjango)
+ - [Node.js](#nodejsnode-postgres)
+ - [Node.js](#nodejspostgresjs)
+ - [Node.js](#javajdbc)
+ - [psql](#psql)
+
+## Generic configuration settings
+
+Starting from PostgreSQL 16, you can setup SSL/TLS to rely on the default certification authority certificates trusted by your operating system. To do so, use the additional configuration parameters `sslmode=verify-full` and `sslrootcert=system`.
+
+For instance, your full connection string should be:
+ ```sh
+ postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full&sslrootcert=system
+ ```
+
+
+ Support for `sslmode=verify-full` and `sslrootcert=system` options can varies among SQL drivers. See documentation below or your official SQL driver's documentation for potential workarounds if these options are not supported.
+
+ With this configuration, on your SQL client side, you will not need to download, update or renew certificates separately for PostgreSQL. Keeping your Operating System up to date should be enough to ensure your traffic is encrypted and your client send messages to the right server (protecting you against Eavesdropping and Man In The Middle Attacks).
+
+ Alternatively, you can also download the trusted root Certificate used to signed our domain: [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), and use `sslmode=verify-full` and `sslrootcert=~/.postgresql/isrgx1root.pem`. Your full connection string should be the output of this command:
+ ```sh
+ echo "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-ca&sslrootcert=$(echo ~/.postgresql/isrgx1root.pem)"
+ ```
+ You can find additional documentation in the official [PostgreSQL documentation](https://www.postgresql.org/docs/current/libpq-ssl.html)
+
+
+## Examples by SQL Drivers
+
+### Python/psycopg2
+
+As [psycopg2](https://pypi.org/project/psycopg2/) uses [libpq](https://www.postgresql.org/docs/current/libpq.html), the same official PostgreSQL parameter can be used. Edit your connecton parameters to add `sslmode=verify-full` and `sslrootcert=system` parameters:
+ ```python
+ conn = psycopg2.connect(host={host},port={port},database={port},user={username},password={password},sslmode="verify-full",sslrootcert="system")
+ ```
+
+### Python/Django
+
+Django supports the same parameters as the Python driver you are using. For instance, with [psycopg2](https://pypi.org/project/psycopg2/), you can edit your `settings.py` file and add the following `'OPTIONS': {'sslmode':'verify-full','sslrootcert':'system',}` in your database connection settings.
Your complete settings should look like:
+ ```python
+ DATABASES = {
+ 'default': {
+ 'ENGINE': 'django.db.backends.postgresql',
+ 'NAME': {databasename},
+ 'USER': {username}, #IAM principal ID of the user or application your are connecting with
+ 'PASSWORD': {password}, #IAM Secret Key of the user or application your are connecting with
+ 'HOST': {host}, #Host formated as {database-id}.pg.sdb.{region}.scw.cloud
+ 'PORT': {port}, #Default port for PostgreSQL is supported: 5432
+ 'OPTIONS': {
+ 'sslmode':'verify-full',
+ 'sslrootcert':'system',
+ }
+ }
+ }
+ ```
+
+### Node.js/node-postgres
+
+[node-postgres](https://node-postgres.com/) doesn't support `sslmode=verify-full` and `sslrootcert=system`, but either default connection string option `sslmode=require` or driver specific parameter `ssl:true` option checks for certificate validity. To ensure SSL/TLS is enforced and server certificate is valid, edit your connection parameters to add `ssl:true` parameters:
+ ```js
+ const client = new Client({
+ host: {host}, //Host formated as {database-id}.pg.sdb.{region}.scw.cloud
+ port: {port}, //Default port for PostgreSQL is supported: 5432
+ database: {databasename},
+ user: {username}, //IAM principal ID of the user or application your are connecting with
+ password: {username}, //IAM Secret Key of the user or application your are connecting with
+ ssl:true
+ });
+ ```
+
+### Node.js/Postgres.js
+
+[Postgres.js](https://github.com/porsager/postgres) doesn't support `sslmode=verify-full` and `sslrootcert=system`, but either default connection string option `sslmode=require` or driver specific parameter `ssl:true` option checks for certificate validity.
To ensure SSL/TLS is enforced and server certificate is valid, edit your connection parameters to add `ssl:true` parameters:
+ ```js
+ const sql = postgres({
+ host: {host}, //Host formated as {database-id}.pg.sdb.{region}.scw.cloud
+ port: {port}, //Default port for PostgreSQL is supported: 5432
+ database: {username},
+ user: {username}, //IAM principal ID of the user or application your are connecting with
+ password: {username}, //IAM Secret Key of the user or application your are connecting with
+ ssl:true
+ });
+ ```
+
+### Node.js/Prisma
+
+Several drivers can be used with [Prisma](https://www.prisma.io/docs/orm/overview/databases/postgresql#configuring-an-ssl-connection), and you can refer to their documentation to enable SSL/TLS with them. By default Prisma uses its default built-in PostgreSQL driver which doesn't support `sslmode=verify-full` and `sslrootcert=system`, but can perform certificate validity check by using `sslmode=require` and `sslaccept=strict` specific parameters. To ensure SSL/TLS is enforced and server certificate is valid, edit your connection string to add these parameters in your `.env` file:
+ ```sh
+ DATABASE_URL=postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=require&sslaccept=strict
+ ```
+
+### Java/JDBC
+
+JDBC driver doesn't support yet `sslrootcert=system` option, but supports `ssl=true` option which, when activated, by default performs certificate checks against the certificate named `root.crt` stored in `~/.postgresql`.
To ensure SSL/TLS is enforced and server certificate is valid, edit your connection parameters to set `ssl=true`, download the [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), rename it `root.crt`, and store it in `~/.postgresql/root.crt`:
+ ```java
+ String url = "jdbc:postgresql://{host}:{port}/{databasename}";
+ Properties props = new Properties();
+ props.setProperty("user", {username});
+ props.setProperty("password", {password});
+ props.setProperty("ssl", "true");
+ Connection conn = DriverManager.getConnection(url,props);
+ ```
+ Alternatively, you can also add the property "sslrootcert=full/path/to/certificate/isrgrootx1.pem" to specify the full path to the certificate without renaming it `root.crt`:
+ ```java
+ String url = "jdbc:postgresql://{host}:{port}/{databasename}";
+ Properties props = new Properties();
+ props.setProperty("user", {username});
+ props.setProperty("password", {password});
+ props.setProperty("ssl", "true");
+ props.setProperty("sslrootcert", "full/path/to/certificate/isrgrootx1.pem");
+ Connection conn = DriverManager.getConnection(url,props);
+ ```
+
+## Examples for SQL Client tools
+
+### psql
+
+As the official client bundled with PostgreSQL, [psql](https://www.postgresql.org/docs/current/app-psql.html) supports the default PostgreSQL connections parameters. Edit your connecton parameters to add `sslmode=verify-full` and `sslrootcert=system` parameters:
+ ```sh
+ psql "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full&sslrootcert=system"
+ ```
+
From 3f2cc258742e6fa8b0465cfd93ae9cbbc4e18e14 Mon Sep 17 00:00:00 2001
From: SamyOubouaziz
Date: Mon, 3 Jun 2024 18:03:58 +0200
Subject: [PATCH 2/7] docs(sdb): update
---
 serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
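Review bot: The alternative connection string that [PATCH 1/7] adds under "Generic configuration settings" is generated with `sslmode=verify-ca`, although the sentence just above it tells the reader to use `sslmode=verify-full` with the downloaded root. In libpq, `verify-ca` checks the chain up to the root but not that the certificate matches the host name, and ISRG Root X1 is a public root, so the command as written would accept a certificate issued to any other Let's Encrypt subscriber; the query string should read `?sslmode=verify-full&sslrootcert=$(echo ~/.postgresql/isrgx1root.pem)`. The reflow in [PATCH 3/7] carries the same line over unchanged. Separately, several samples use the wrong placeholder (`database={port}` for psycopg2, `password: {username}` in both Node.js snippets, `database: {username}` for Postgres.js), and [PATCH 4/7] and [PATCH 7/7] edit the comments on the `password` lines without correcting the value.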
diff --git a/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx b/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx index a1062c03f9..bdf0f1ddca 100644 --- a/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx +++ b/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx @@ -10,7 +10,7 @@ dates: posted: 2024-06-03 --- -This tutorial will guide you through SSL/TLS configuration in your PostgreSQL-compatible client to ensure your traffic with Scaleway's Serverless SQL Databases is encrypted. +This documentation will guide you through SSL/TLS configuration in your PostgreSQL-compatible client to ensure your traffic with Scaleway's Serverless SQL Databases is encrypted. Configuration examples for languages, frameworks and tools: - [Python](#pythonpsycopg2) From 79f3f20308f94414ea1e113fcfffb11b4ef84fc3 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Wed, 5 Jun 2024 17:57:29 +0200 Subject: [PATCH 3/7] docs(sdb): update --- .../how-to/secure-connection-ssl-tls.mdx | 199 ++++++++++-------- 1 file changed, 116 insertions(+), 83 deletions(-) diff --git a/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx b/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx index bdf0f1ddca..5fdccf9bcf 100644 --- a/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx +++ b/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx 
@@ -25,114 +25,147 @@ Configuration examples for languages, frameworks and tools: Starting from PostgreSQL 16, you can setup SSL/TLS to rely on the default certification authority certificates trusted by your operating system. To do so, use the additional configuration parameters `sslmode=verify-full` and `sslrootcert=system`. For instance, your full connection string should be: - ```sh - postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full&sslrootcert=system - ``` - - - Support for `sslmode=verify-full` and `sslrootcert=system` options can varies among SQL drivers. See documentation below or your official SQL driver's documentation for potential workarounds if these options are not supported. - - With this configuration, on your SQL client side, you will not need to download, update or renew certificates separately for PostgreSQL. Keeping your Operating System up to date should be enough to ensure your traffic is encrypted and your client send messages to the right server (protecting you against Eavesdropping and Man In The Middle Attacks). - - Alternatively, you can also download the trusted root Certificate used to signed our domain: [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), and use `sslmode=verify-full` and `sslrootcert=~/.postgresql/isrgx1root.pem`. Your full connection string should be the output of this command: - ```sh - echo "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-ca&sslrootcert=$(echo ~/.postgresql/isrgx1root.pem)" - ``` - You can find additional documentation in the official [PostgreSQL documentation](https://www.postgresql.org/docs/current/libpq-ssl.html) + ```sh + postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full&sslrootcert=system + ``` + +Support for `sslmode=verify-full` and `sslrootcert=system` options can vary among SQL drivers. 
Refer to the documentation below or to your official SQL driver's documentation for workarounds if these options are not supported. + +With this configuration, on your SQL client side, you will not need to download, update or renew certificates separately for PostgreSQL. + +Keeping your operating system up to date is enough to ensure your traffic is encrypted, and your client send messages to the right server (protecting you against [Eavesdropping](https://en.wikipedia.org/wiki/Network_eavesdropping) and [Man In The Middle Attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)). + +Alternatively, you can also download the trusted root Certificate used to sign our domain: [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), and use `sslmode=verify-full` and `sslrootcert=~/.postgresql/isrgx1root.pem`. + +Your full connection string should be the output of this command: + +```sh +echo "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-ca&sslrootcert=$(echo ~/.postgresql/isrgx1root.pem)" +``` + +Refer to the official [PostgreSQL documentation](https://www.postgresql.org/docs/current/libpq-ssl.html) for more information. ## Examples by SQL Drivers ### Python/psycopg2 -As [psycopg2](https://pypi.org/project/psycopg2/) uses [libpq](https://www.postgresql.org/docs/current/libpq.html), the same official PostgreSQL parameter can be used. Edit your connecton parameters to add `sslmode=verify-full` and `sslrootcert=system` parameters: - ```python - conn = psycopg2.connect(host={host},port={port},database={port},user={username},password={password},sslmode="verify-full",sslrootcert="system") - ``` +As [psycopg2](https://pypi.org/project/psycopg2/) uses [libpq](https://www.postgresql.org/docs/current/libpq.html), the same official PostgreSQL parameter can be used. 
+ +Edit your connecton parameters to add `sslmode=verify-full` and `sslrootcert=system` as shown below: +```python +conn = psycopg2.connect(host={host},port={port},database={port},user={username},password={password},sslmode="verify-full",sslrootcert="system") +``` ### Python/Django -Django supports the same parameters as the Python driver you are using. For instance, with [psycopg2](https://pypi.org/project/psycopg2/), you can edit your `settings.py` file and add the following `'OPTIONS': {'sslmode':'verify-full','sslrootcert':'system',}` in your database connection settings. Your complete settings should look like: - ```python - DATABASES = { - 'default': { - 'ENGINE': 'django.db.backends.postgresql', - 'NAME': {databasename}, - 'USER': {username}, #IAM principal ID of the user or application your are connecting with - 'PASSWORD': {password}, #IAM Secret Key of the user or application your are connecting with - 'HOST': {host}, #Host formated as {database-id}.pg.sdb.{region}.scw.cloud - 'PORT': {port}, #Default port for PostgreSQL is supported: 5432 - 'OPTIONS': { - 'sslmode':'verify-full', - 'sslrootcert':'system', - } - } +Django supports the same parameters as the Python driver you are using. 
For instance, with [psycopg2](https://pypi.org/project/psycopg2/), you can add the following options to your `settings.py` file in your database connection settings: +```python +'OPTIONS': { + 'sslmode':'verify-full', + 'sslrootcert':'system', + } +``` + + Your complete settings should look like the following: +```python +DATABASES = { +'default': { + 'ENGINE': 'django.db.backends.postgresql', + 'NAME': {databasename}, + 'USER': {username}, #IAM principal ID of the user or application your are connecting with + 'PASSWORD': {password}, #IAM Secret Key of the user or application your are connecting with + 'HOST': {host}, #Host formated as {database-id}.pg.sdb.{region}.scw.cloud + 'PORT': {port}, #Default port for PostgreSQL is supported: 5432 + 'OPTIONS': { + 'sslmode':'verify-full', + 'sslrootcert':'system', } - ``` + } +} +``` ### Node.js/node-postgres -[node-postgres](https://node-postgres.com/) doesn't support `sslmode=verify-full` and `sslrootcert=system`, but either default connection string option `sslmode=require` or driver specific parameter `ssl:true` option checks for certificate validity. To ensure SSL/TLS is enforced and server certificate is valid, edit your connection parameters to add `ssl:true` parameters: - ```js - const client = new Client({ - host: {host}, //Host formated as {database-id}.pg.sdb.{region}.scw.cloud - port: {port}, //Default port for PostgreSQL is supported: 5432 - database: {databasename}, - user: {username}, //IAM principal ID of the user or application your are connecting with - password: {username}, //IAM Secret Key of the user or application your are connecting with - ssl:true - }); - ``` +[node-postgres](https://node-postgres.com/) doesn't support `sslmode=verify-full` and `sslrootcert=system`, but either the default connection string option `sslmode=require` or the driver-specific parameter `ssl:true` option checks for certificate validity. 
+ +To ensure SSL/TLS is enforced and your server certificate is valid, add `ssl:true` to your connection parameters: +```js +const client = new Client({ + host: {host}, //Host formated as {database-id}.pg.sdb.{region}.scw.cloud + port: {port}, //Default port for PostgreSQL is supported: 5432 + database: {databasename}, + user: {username}, //IAM principal ID of the user or application your are connecting with + password: {username}, //IAM Secret Key of the user or application your are connecting with + ssl:true +}); +``` ### Node.js/Postgres.js -[Postgres.js](https://github.com/porsager/postgres) doesn't support `sslmode=verify-full` and `sslrootcert=system`, but either default connection string option `sslmode=require` or driver specific parameter `ssl:true` option checks for certificate validity. To ensure SSL/TLS is enforced and server certificate is valid, edit your connection parameters to add `ssl:true` parameters: - ```js - const sql = postgres({ - host: {host}, //Host formated as {database-id}.pg.sdb.{region}.scw.cloud - port: {port}, //Default port for PostgreSQL is supported: 5432 - database: {username}, - user: {username}, //IAM principal ID of the user or application your are connecting with - password: {username}, //IAM Secret Key of the user or application your are connecting with - ssl:true - }); - ``` +[Postgres.js](https://github.com/porsager/postgres) doesn't support `sslmode=verify-full` and `sslrootcert=system`, but either default connection string option `sslmode=require` or driver specific parameter `ssl:true` option checks for certificate validity. 
+ +To ensure SSL/TLS is enforced and server certificate is valid, edit your connection parameters to add `ssl:true` parameters: + +```js +const sql = postgres({ + host: {host}, //Host formated as {database-id}.pg.sdb.{region}.scw.cloud + port: {port}, //Default port for PostgreSQL is supported: 5432 + database: {username}, + user: {username}, //IAM principal ID of the user or application your are connecting with + password: {username}, //IAM Secret Key of the user or application your are connecting with + ssl:true +}); +``` ### Node.js/Prisma -Several drivers can be used with [Prisma](https://www.prisma.io/docs/orm/overview/databases/postgresql#configuring-an-ssl-connection), and you can refer to their documentation to enable SSL/TLS with them. By default Prisma uses its default built-in PostgreSQL driver which doesn't support `sslmode=verify-full` and `sslrootcert=system`, but can perform certificate validity check by using `sslmode=require` and `sslaccept=strict` specific parameters. To ensure SSL/TLS is enforced and server certificate is valid, edit your connection string to add these parameters in your `.env` file: - ```sh - DATABASE_URL=postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=require&sslaccept=strict - ``` +You can use several drivers with [Prisma](https://www.prisma.io/docs/orm/overview/databases/postgresql#configuring-an-ssl-connection), refer to their official documentation for more information on how to configure SSL/TLS. + +By default, Prisma uses its built-in PostgreSQL driver which doesn't support `sslmode=verify-full` and `sslrootcert=system`, but can perform certificate validity checks by using the `sslmode=require` and `sslaccept=strict` parameters. 
+ +To ensure SSL/TLS is enforced and server certificate is valid, add these two parameters to your connection string in your `.env` file: + +```sh +DATABASE_URL=postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=require&sslaccept=strict +``` ### Java/JDBC -JDBC driver doesn't support yet `sslrootcert=system` option, but supports `ssl=true` option which, when activated, by default performs certificate checks against the certificate named `root.crt` stored in `~/.postgresql`. To ensure SSL/TLS is enforced and server certificate is valid, edit your connection parameters to set `ssl=true`, download the [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), rename it `root.crt`, and store it in `~/.postgresql/root.crt`: - ```java - String url = "jdbc:postgresql://{host}:{port}/{databasename}"; - Properties props = new Properties(); - props.setProperty("user", {username}); - props.setProperty("password", {password}); - props.setProperty("ssl", "true"); - Connection conn = DriverManager.getConnection(url,props); - ``` - Alternatively, you can also add the property "sslrootcert=full/path/to/certificate/isrgrootx1.pem" to specify the full path to the certificate without renaming it `root.crt`: - ```java - String url = "jdbc:postgresql://{host}:{port}/{databasename}"; - Properties props = new Properties(); - props.setProperty("user", {username}); - props.setProperty("password", {password}); - props.setProperty("ssl", "true"); - props.setProperty("sslrootcert", "full/path/to/certificate/isrgrootx1.pem"); - Connection conn = DriverManager.getConnection(url,props); - ``` +JDBC driver does not support the `sslrootcert=system` option, but supports the `ssl=true` option which, when enabled, performs certificate checks by default against the certificate named `root.crt` stored in `~/.postgresql`. 
+ +To ensure SSL/TLS is enforced and your server certificate is valid, edit your connection parameters to set `ssl=true`, download the [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), rename it `root.crt`, and store it in `~/.postgresql/root.crt`: + + ```java + String url = "jdbc:postgresql://{host}:{port}/{databasename}"; + Properties props = new Properties(); + props.setProperty("user", {username}); + props.setProperty("password", {password}); + props.setProperty("ssl", "true"); + Connection conn = DriverManager.getConnection(url,props); + ``` + +Alternatively, you can add the property `"sslrootcert=full/path/to/certificate/isrgrootx1.pem"` to specify the full path to the certificate without renaming it `root.crt`: + + ```java + String url = "jdbc:postgresql://{host}:{port}/{databasename}"; + Properties props = new Properties(); + props.setProperty("user", {username}); + props.setProperty("password", {password}); + props.setProperty("ssl", "true"); + props.setProperty("sslrootcert", "full/path/to/certificate/isrgrootx1.pem"); + Connection conn = DriverManager.getConnection(url,props); + ``` ## Examples for SQL Client tools ### psql -As the official client bundled with PostgreSQL, [psql](https://www.postgresql.org/docs/current/app-psql.html) supports the default PostgreSQL connections parameters. Edit your connecton parameters to add `sslmode=verify-full` and `sslrootcert=system` parameters: - ```sh - psql "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full&sslrootcert=system" - ``` +As the official client bundled with PostgreSQL, [psql](https://www.postgresql.org/docs/current/app-psql.html) supports the default PostgreSQL connections parameters. + +Edit your connecton parameters to add `sslmode=verify-full` and `sslrootcert=system` parameters: + + ```sh + psql "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full&sslrootcert=system" + ``` 
From c91f33edea55dd0f519ba60f6250f479a81640c8 Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Thu, 6 Jun 2024 11:39:18 +0200 Subject: [PATCH 4/7] docs(sdb): update --- .../how-to/secure-connection-ssl-tls.mdx | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx b/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx index 5fdccf9bcf..c0064d3dd0 100644 --- a/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx +++ b/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx @@ -1,10 +1,10 @@ --- meta: title: Secure connections using SSL/TLS - description: This page explains how to to configure SSL/TLS to encrypt traffic between your client and Serverless SQL Databases + description: This page explains how to configure SSL/TLS to encrypt traffic between your client and Serverless SQL Databases content: h1: Secure connections using SSL/TLS - paragraph: This page explains how to to configure SSL/TLS to encrypt traffic between your client and Serverless SQL Databases + paragraph: This page explains how to configure SSL/TLS to encrypt traffic between your client and Serverless SQL Databases dates: validation: 2024-06-03 posted: 2024-06-03 @@ -22,7 +22,7 @@ Configuration examples for languages, frameworks and tools: ## Generic configuration settings -Starting from PostgreSQL 16, you can setup SSL/TLS to rely on the default certification authority certificates trusted by your operating system. To do so, use the additional configuration parameters `sslmode=verify-full` and `sslrootcert=system`. +Starting from PostgreSQL 16, you can set up SSL/TLS to rely on the default certification authority certificates trusted by your operating system. To do so, use the additional configuration parameters `sslmode=verify-full` and `sslrootcert=system`. For instance, your full connection string should be: ```sh 
@@ -34,7 +34,7 @@ Support for `sslmode=verify-full` and `sslrootcert=system` options can vary amon With this configuration, on your SQL client side, you will not need to download, update or renew certificates separately for PostgreSQL. -Keeping your operating system up to date is enough to ensure your traffic is encrypted, and your client send messages to the right server (protecting you against [Eavesdropping](https://en.wikipedia.org/wiki/Network_eavesdropping) and [Man In The Middle Attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)). +Keeping your operating system up to date is enough to ensure your traffic is encrypted, and that your client sends messages to the right server (protecting you against [Eavesdropping](https://en.wikipedia.org/wiki/Network_eavesdropping) and [Man In The Middle Attacks](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)). Alternatively, you can also download the trusted root Certificate used to sign our domain: [Let's Encrypt ISRG Root X1 (pem format)](https://letsencrypt.org/certs/isrgrootx1.pem), and use `sslmode=verify-full` and `sslrootcert=~/.postgresql/isrgx1root.pem`. @@ -52,7 +52,7 @@ Refer to the official [PostgreSQL documentation](https://www.postgresql.org/docs As [psycopg2](https://pypi.org/project/psycopg2/) uses [libpq](https://www.postgresql.org/docs/current/libpq.html), the same official PostgreSQL parameter can be used. -Edit your connecton parameters to add `sslmode=verify-full` and `sslrootcert=system` as shown below: +Edit your connection parameters to add `sslmode=verify-full` and `sslrootcert=system` as shown below: ```python conn = psycopg2.connect(host={host},port={port},database={port},user={username},password={password},sslmode="verify-full",sslrootcert="system") ``` 
@@ -103,17 +103,17 @@ const client = new Client({ ### Node.js/Postgres.js -[Postgres.js](https://github.com/porsager/postgres) doesn't support `sslmode=verify-full` and `sslrootcert=system`, but either default connection string option `sslmode=require` or driver specific parameter `ssl:true` option checks for certificate validity. +[Postgres.js](https://github.com/porsager/postgres) doesn't support `sslmode=verify-full` and `sslrootcert=system`, but either the default connection string option `sslmode=require` or the driver-specific parameter `ssl:true` option checks for certificate validity. -To ensure SSL/TLS is enforced and server certificate is valid, edit your connection parameters to add `ssl:true` parameters: +To ensure SSL/TLS is enforced and the server certificate is valid, edit your connection parameters to add `ssl:true` parameters: ```js const sql = postgres({ host: {host}, //Host formated as {database-id}.pg.sdb.{region}.scw.cloud port: {port}, //Default port for PostgreSQL is supported: 5432 database: {username}, - user: {username}, //IAM principal ID of the user or application your are connecting with - password: {username}, //IAM Secret Key of the user or application your are connecting with + user: {username}, //IAM principal ID of the user or application you are connecting with + password: {username}, //IAM Secret Key of the user or application you are connecting with ssl:true }); ``` 
@@ -124,7 +124,7 @@ You can use several drivers with [Prisma](https://www.prisma.io/docs/orm/overvie By default, Prisma uses its built-in PostgreSQL driver which doesn't support `sslmode=verify-full` and `sslrootcert=system`, but can perform certificate validity checks by using the `sslmode=require` and `sslaccept=strict` parameters. -To ensure SSL/TLS is enforced and server certificate is valid, add these two parameters to your connection string in your `.env` file: +To ensure SSL/TLS is enforced and the server certificate is valid, add these two parameters to your connection string in your `.env` file: ```sh DATABASE_URL=postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=require&sslaccept=strict @@ -163,7 +163,7 @@ Alternatively, you can add the property `"sslrootcert=full/path/to/certificate/i As the official client bundled with PostgreSQL, [psql](https://www.postgresql.org/docs/current/app-psql.html) supports the default PostgreSQL connections parameters. -Edit your connecton parameters to add `sslmode=verify-full` and `sslrootcert=system` parameters: +Edit your connection parameters to add `sslmode=verify-full` and `sslrootcert=system` parameters: ```sh psql "postgresql://{username}:{password}@{host}:{port}/{databasename}?sslmode=verify-full&sslrootcert=system" From 48d4411d1a48e63bf1d8c98e7c6be20a5383e8be Mon Sep 17 00:00:00 2001 From: SamyOubouaziz Date: Thu, 6 Jun 2024 11:45:42 +0200 Subject: [PATCH 5/7] docs(sdb): update --- .../{how-to => api-cli}/secure-connection-ssl-tls.mdx | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename serverless/sql-databases/{how-to => api-cli}/secure-connection-ssl-tls.mdx (100%) diff --git a/serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx similarity index 100% rename from serverless/sql-databases/how-to/secure-connection-ssl-tls.mdx rename to serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx 
From 5060e74401287c40dcc471ea33c4adba67211985 Mon Sep 17 00:00:00 2001
From: SamyOubouaziz
Date: Thu, 6 Jun 2024 11:50:21 +0200
Subject: [PATCH 6/7] Update serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx
Co-authored-by: ldecarvalho-doc <82805470+ldecarvalho-doc@users.noreply.github.com>
---
 serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx
index c0064d3dd0..16f4f96123 100644
--- a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx
+++ b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx
@@ -95,7 +95,7 @@ const client = new Client({
 host: {host}, //Host formated as {database-id}.pg.sdb.{region}.scw.cloud
 port: {port}, //Default port for PostgreSQL is supported: 5432
 database: {databasename},
- user: {username}, //IAM principal ID of the user or application your are connecting with
+ user: {username}, //IAM principal ID of the user or application you are connecting with
 password: {username}, //IAM Secret Key of the user or application your are connecting with
 ssl:true
 });
From 721e14169c6a289ac363cf70fec0c2ad0b11236b Mon Sep 17 00:00:00 2001
From: SamyOubouaziz
Date: Thu, 6 Jun 2024 11:50:27 +0200
Subject: [PATCH 7/7] Update serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx
Co-authored-by: ldecarvalho-doc <82805470+ldecarvalho-doc@users.noreply.github.com>
---
 serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx
index 16f4f96123..9accca8c86 100644
--- a/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx
+++ b/serverless/sql-databases/api-cli/secure-connection-ssl-tls.mdx
@@ -96,7 +96,7 @@ const client = new Client({
 port: {port}, //Default port for PostgreSQL is supported: 5432
 database: {databasename},
 user: {username}, //IAM principal ID of the user or application you are connecting with
- password: {username}, //IAM Secret Key of the user or application your are connecting with
+ password: {username}, //IAM Secret Key of the user or application you are connecting with
 ssl:true
 });
 ```