fastify-postgres
There is no documentation for how to work with SSL
Prerequisites
- [X] I have written a descriptive issue title
- [X] I have searched existing issues to ensure the bug has not already been reported
Fastify version
4.0.2
Plugin version
5.0.0
Node.js version
16.15.0
Operating system
macOS
Operating system version (i.e. 20.04, 11.3, 10)
12.4
Description
I was looking for how to disable rejectUnauthorized (or how to work with SSL in general) and found nothing in the documentation.
Enabling SSL by passing ssl=true as a query parameter worked, but only got me to the database rejecting a self-signed cert.
Further, I imagined that passing the standard structure for parameters into the config hash might work... I got as far as this (somewhat janky) config... which unfortunately didn't work.
```js
fastify.register(require('@fastify/postgres'), {
  connectionString: process.env.DATABASE_URL + '?ssl=true',
  ssl: {
    rejectUnauthorized: false
  }
})
```
The specific use case is 'connect to a Heroku-hosted DB from a Heroku-hosted Fastify app' which is likely a common use case. Since the latest Postgres library defaults to rejectUnauthorized being 'true' I'm guessing this is what 'broke' things. (Though of course this behavior is more correct.)
Steps to Reproduce
Try to configure SSL.
Expected Behavior
I'd find some documentation for how to configure SSL.
We pass the option directly to pg. I think if there is some problem with the option, it would be an upstream problem.
https://github.com/fastify/fastify-postgres/blob/master/index.js#L90
Adding documentation for how this should be configured in fastify sounds like it would be pretty simple in that case, no? (They're not going to document how you should configure Fastify to use SSL.)
What I meant in my previous comment is that if you believe the option not working is a bug, then it should be an upstream issue.
> Adding documentation for how this should be configured in fastify sounds like it would be pretty simple in that case, no?
I would not block any PR for the document update.
Here is the information about SSL from node-postgres:
> If you plan to use a combination of a database connection string from the environment and SSL settings in the config object directly, then you must avoid including any of sslcert, sslkey, sslrootcert, or sslmode in the connection string. If any of these options are used then the ssl object is replaced and any additional options provided there will be lost.

The above statement is not totally true: ssl in the connection string also replaces the ssl option. This means that when you are using both the connection string and the option, the connection string always takes precedence.
`postgres://username:password@host:port/databasename?sslmode=verify-full&sslrootcert=yourrootcert&sslcert=yourclientcertificate&sslkey=yourclientkey`
is working just fine.
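
Following the precedence rule described in the comments above, one way to keep the `ssl` object authoritative is to strip SSL parameters from the connection string before registering the plugin. This is an added example, not code from the issue, fastify-postgres or node-postgres; `sslParamsIn`, `buildPgOptions`, the sample URL and the placeholder CA are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical, not part of @fastify/postgres or pg.
// Query parameters that, per the thread above, replace the `ssl` option object.
const SSL_PARAMS = ['ssl', 'sslmode', 'sslcert', 'sslkey', 'sslrootcert'];

// List the SSL-related parameters present in a connection string.
function sslParamsIn(connectionString) {
  const { searchParams } = new URL(connectionString);
  return SSL_PARAMS.filter((name) => searchParams.has(name));
}

// Build plugin options in which the `ssl` object is the only source of TLS settings.
function buildPgOptions(connectionString, ssl) {
  const url = new URL(connectionString);
  const stripped = sslParamsIn(connectionString);
  // Refuse to silently downgrade a URL that asked for full verification.
  if (url.searchParams.get('sslmode') === 'verify-full' && ssl.rejectUnauthorized === false) {
    throw new Error('URL requests sslmode=verify-full but ssl.rejectUnauthorized is false');
  }
  for (const name of stripped) url.searchParams.delete(name);
  return { connectionString: url.toString(), ssl, stripped };
}

// Constructed sample input (not a real host or credential).
const SAMPLE_URL =
  'postgres://app:secret@db.example.internal:5432/appdb?ssl=true&application_name=api';

// Assumption: the server certificate chains to a CA you hold as PEM. Passing it as `ca`
// keeps certificate verification on instead of setting rejectUnauthorized: false.
const SAMPLE_SSL = {
  ca: '-----BEGIN CERTIFICATE-----\n(placeholder PEM)\n-----END CERTIFICATE-----',
  rejectUnauthorized: true
};

const pgOptions = buildPgOptions(SAMPLE_URL, SAMPLE_SSL);
console.log('stripped from URL:', pgOptions.stripped);
console.log('connectionString:', pgOptions.connectionString);

// In the app, pass the two fields on to the plugin:
// fastify.register(require('@fastify/postgres'), {
//   connectionString: pgOptions.connectionString,
//   ssl: pgOptions.ssl
// })
```

Logging `stripped` at startup makes it visible when a platform-supplied URL carried SSL parameters that would otherwise have overridden the `ssl` object.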