SSL connection may be required by database providers, or you may want to allow only secure connections for your self-hosted PostgreSQL.
Let’s see how to configure the client connection.
You will find PostgreSQL SSL environment variables POSTGRES_SSL_*
into the environment file .env
.
If you want to make SSL required, set POSTGRES_SSL
at 'true'.
If certificate, private key or certificate authority must be provided to establish the database connection, please fill respectively POSTGRES_SSL_CERT
, POSTGRES_SSL_KEY
and/or POSTGRES_SSL_CA
.
It's recommended to set one-line value, so replace any newlines by newline character (\n
in Unix).
In case you want to self-host PostgreSQL with SSL, here's a small walkthrough.
- Certificates creation
You can get your certificates from a SSL provider (recommended), or you can create your self-signed certificates.
In the latter case, please follow the official instructions (section Creating Certificates).
- Server SSL configuration
To make PostgreSQL aware of the certificates, you need to update postgresql.conf
to point the certificates location (usually located at ${PGDATA}/postgresql.conf
) and activate SSL.
ssl = on
# Fill only files you have
ssl_ca_file = /absolute/path/to/ca-file
ssl_cert_file = /absolute/path/to/cert-file
ssl_key_file = /absolute/path/to/key-file
SSL is configured but PostgreSQL will continue accepting non-SSL connections. You can reject them by updating pg_hba.conf
(usually located at ${PGDATA}/postgresql.conf
).
Replace existing type 'host' with 'hostssl' and their method 'trust' with 'cert'.
Please note the type 'local' cannot be associated with the method 'cert' (non-SSL local connections can still be accepted).
Now you need to restart your PostgreSQL server and you're all set!