You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
PgDog can reject connections from clients that choose not to use TLS encryption:
41
+
42
+
=== "pgdog.toml"
43
+
```toml
44
+
[general]
45
+
tls_client_required = true
46
+
```
47
+
=== "Helm chart"
48
+
```
49
+
tlsClientRequired: true
50
+
```
51
+
52
+
This is helpful to enforce a security protocol but, in some rare scenarios, could limit which clients are allowed to connect. Most Postgres client drivers ship with TLS support bundled in so, in practice, enabling this feature is not going to be a problem.
53
+
54
+
#### Self-signed certificate
55
+
56
+
If you're deploying PgDog using our [Helm chart](../installation.md#kubernetes), you can configure it to generate a self-signed TLS certificate at deploy time:
57
+
58
+
=== "Helm chart"
59
+
```yaml
60
+
tlsGenerateSelfSignedCert: true
61
+
```
62
+
63
+
This is useful for quickly deploying TLS in development or staging. For production deployments, you may want to load your own certificate that your clients can validate instead.
64
+
38
65
### Connection modes
39
66
40
67
PostgreSQL supports 4 modes for establishing encrypted connections, documented below:
@@ -83,6 +110,64 @@ If you use `verify_ca` or `verify_full` and your certificate is not signed by a
PgDog is commonly deployed in front of AWS RDS or Aurora. To make it easier to setup secure TLS, we are bundling the [RDS certificate bundle](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesDownload) into the Helm chart and making it available to PgDog at runtime:
116
+
117
+
=== "Helm chart"
118
+
```yaml
119
+
rdsCertificateBundle:
120
+
enabled: true
121
+
```
122
+
=== "AWS GovCloud"
123
+
If deploying into the AWS GovCloud (US), you can change the bundle accordingly:
124
+
125
+
```yaml
126
+
rdsCertificateBundle:
127
+
type: govcloud
128
+
```
129
+
130
+
131
+
Once the bundle is loaded, you can switch to `verify_ca` (or `verify_full`) for server connections which will ensure that connections from PgDog to RDS are always encrypted _and_ authenticated:
132
+
133
+
=== "pgdog.toml"
134
+
```toml
135
+
[general]
136
+
tls_verify = "verify_full"
137
+
```
138
+
=== "Helm chart"
139
+
```yaml
140
+
tlsVerify: verify_full
141
+
```
142
+
143
+
144
+
## Mutual TLS
145
+
146
+
!!! note "New"
147
+
This is a new feature. Please report any issues you may run into.
148
+
149
+
Mutual TLS (also known as **mTLS**) allows PgDog to authenticate connections received from the client using a mutually agreed upon certificate. If the client doesn't provide the right certificate (or doesn't have one), PgDog will reject the connection. This can be enabled by setting the client CA certificate in [`pgdog.toml`](../configuration/pgdog.toml/general.md):
The certificate provided by the client doesn't have to be self-signed. In fact, any certificate signed by any of the certs in the chain loaded via `tls_client_ca_certificate` is an acceptable anchor. This allows an internal CA (Certificate Authority) to issue unique certificates to each application, while also making them short-lived (e.g., 30 days expiration) to satisfy security or compliance requirements.
162
+
163
+
## TLS in practice
164
+
165
+
PgDog terminates TLS from clients and opens a separate connection to Postgres. Traffic can be encrypted on both network hops, but it is not end-to-end encryption in the cryptographic sense: PgDog decrypts client traffic so it can read PostgreSQL protocol messages, route queries, and manage connections.
166
+
167
+
For the client side, configure applications to use TLS when connecting to PgDog. Use `sslmode=verify-full` when clients should can PgDog's certificate and hostname. If you want PgDog to authenticate clients during the TLS handshake, set [`tls_client_ca_certificate`](#mutual-tls).
168
+
169
+
For the server side, set `tls_verify` setting to `"verify_full"` so PgDog can validate the Postgres server certificate and hostname on each connection. It does not currently present a client TLS certificate to Postgres, so mutual TLS between PgDog and PostgreSQL is not currently supported.
170
+
86
171
## Performance
87
172
88
173
Encryption has some performance impact on latency and CPU utilization. While most TLS encryption algorithms are now implemented in hardware and are quite quick, you will still notice some impact on your query turnaround times when using TLS.
0 commit comments