Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature]: TLS encrypted database connections #902

Closed
jcollie opened this issue Oct 30, 2022 · 6 comments · Fixed by #1256
Closed

[Feature]: TLS encrypted database connections #902

jcollie opened this issue Oct 30, 2022 · 6 comments · Fixed by #1256
Labels
good first issue Good for newcomers

Comments

@jcollie
Copy link

jcollie commented Oct 30, 2022

Feature detail

The current server code does not allow encrypted database connections to be configured. Managed PostgreSQL databases like Digital Ocean's require TLS encryption to connect.

Oct 30 15:46:19 cloud01 immich-server[56575]: [Nest] 2  - 10/30/2022, 8:46:19 PM   ERROR [TypeOrmModule] Unable to connect to the database. Retrying (3)...
Oct 30 15:46:19 cloud01 immich-server[56575]: error: no pg_hba.conf entry for host "X.X.X.X", user "immich", database "immich", no encryption
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Parser.parseErrorMessage (/usr/src/app/node_modules/pg-protocol/dist/parser.js:287:98)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Parser.handlePacket (/usr/src/app/node_modules/pg-protocol/dist/parser.js:126:29)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Parser.parse (/usr/src/app/node_modules/pg-protocol/dist/parser.js:39:38)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Socket.<anonymous> (/usr/src/app/node_modules/pg-protocol/dist/index.js:11:42)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Socket.emit (node:events:527:28)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at addChunk (node:internal/streams/readable:315:12)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at readableAddChunk (node:internal/streams/readable:289:9)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Socket.Readable.push (node:internal/streams/readable:228:10)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at TCP.onStreamRead (node:internal/stream_base_commons:190:23)

Platform

Server

@bo0tzz bo0tzz self-assigned this Oct 31, 2022
@bo0tzz
Copy link
Member

bo0tzz commented Oct 31, 2022

Creating an environment variable to set the postgres URL parameter should allow setting this (and more) without specific support on our part. The details of the connection URL format can be seen here. In TypeORM, the options we're currently using (host, username, etc) will override what is set in the URL. We need to test whether leaving those options blank is sufficient.

@jrasm91
Copy link
Contributor

jrasm91 commented Nov 1, 2022

Although, we might also need a way to provide the CA certificate (see here).

@bo0tzz
Copy link
Member

bo0tzz commented Nov 2, 2022

Based on the link I included above, I believe the URL parser should take paths for the TLS parameters and read those to the appropriate values for us.

@bo0tzz bo0tzz added the good first issue Good for newcomers label Nov 2, 2022
@jrasm91
Copy link
Contributor

jrasm91 commented Nov 2, 2022

Based on the link I included above, I believe the URL parser should take paths for the TLS parameters and read those to the appropriate values for us.

Oh, you're right. I didn't see/know the path was being included in the url, but that would definitely work.

@bo0tzz bo0tzz removed their assignment Nov 11, 2022
@bt90
Copy link
Contributor

bt90 commented Dec 30, 2022

It should be enough to pass sslmode=prefer in the connection URL.

@bt90
Copy link
Contributor

bt90 commented Dec 30, 2022

brianc/node-postgres#2009

This should be enough to allow SSL connections without requiring a CA certificate:

  ssl: {
    require: true,
    rejectUnauthorized: false
  }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
good first issue Good for newcomers
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants