Skip to content

Add basic MySQL TLS support #4794

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

Add basic MySQL TLS support #4794

wants to merge 4 commits into from
+25 −4

Conversation

Johno-ACSLive
Copy link

Summary

This PR adds minimal, opt‑in TLS support for MySQL connections in Nginx Proxy Manager. It introduces three environment variables:

Variable Default Purpose
DB_MYSQL_SSL false Enable SSL when set to true.
DB_MYSQL_SSL_REJECT_UNAUTHORIZED true Controls certificate chain validation.
DB_MYSQL_SSL_VERIFY_IDENTITY true Enables hostname verification.

No behavior changes for existing users unless DB_MYSQL_SSL is explicitly enabled. Does not impact other DB engine configuration.

Motivation

Environments such as:

  • Azure Database for MySQL (secure transport enforced)
  • Self-hosted MySQL with require_secure_transport=ON
  • Security baselines requiring encrypted DB connections

…currently cause startup failure (ER_SECURE_TRANSPORT_REQUIRED) because connection attempts are plaintext. This update allows secure connections while remaining completely backward compatible.

Backward Compatibility

Scenario Before After
No TLS vars set Plain MySQL Same
Server requires TLS; no vars set Startup error Same (user must enable SSL)
TLS enabled (DB_MYSQL_SSL=true) N/A Encrypted session
Self-signed cert (user sets DB_MYSQL_SSL_REJECT_UNAUTHORIZED=false) N/A Connects (user-accepted risk)
Hostname mismatch & DB_MYSQL_SSL_VERIFY_IDENTITY=true N/A Fails (correct security posture)

Out of Scope / Future Work

  • Optional CA / client certificate path variables
  • Min/Max Cipher and associated checks
  • Postgres TLS parity (could mirror same pattern)

@nginxproxymanagerci
Copy link

CI Error:

/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
certbot-node: Pulling from nginxproxymanager/nginx-full
Digest: sha256:673f9b213c376058b694c70ef80666098f215cf573cb557c32afd4124f0cbd1b
Status: Image is up to date for nginxproxymanager/nginx-full:certbot-node
docker.io/nginxproxymanager/nginx-full:certbot-node
�[1;34m❯ �[1;36mBuilding Frontend ...�[0m
yarn install v1.22.22
[1/4] Resolving packages...
[2/4] Fetching packages...
error Error: https://registry.yarnpkg.com/source-map/-/source-map-0.6.1.tgz: Request failed "500 Internal Server Error"
    at ResponseError.ExtendableBuiltin (/usr/lib/node_modules/yarn/lib/cli.js:696:66)
    at new ResponseError (/usr/lib/node_modules/yarn/lib/cli.js:802:124)
    at Request.<anonymous> (/usr/lib/node_modules/yarn/lib/cli.js:66750:16)
    at Request.emit (node:events:519:28)
    at module.exports.Request.onRequestResponse (/usr/lib/node_modules/yarn/lib/cli.js:142287:10)
    at ClientRequest.emit (node:events:519:28)
    at HTTPParser.parserOnIncomingClient (node:_http_client:716:27)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:121:17)
    at TLSSocket.socketOnData (node:_http_client:558:22)
    at TLSSocket.emit (node:events:519:28)
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

@Johno-ACSLive Johno-ACSLive marked this pull request as draft October 11, 2025 01:56
@Johno-ACSLive Johno-ACSLive marked this pull request as ready for review October 11, 2025 01:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Johno-ACSLive