iasql
Postgres SSL
From @aguillenv
Postgres SSL. First research shows that apparently it is not possible to have our own certs and users would need to download the AWS cert. Another option is to handle our own Postgres server. Will keep looking.
From https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.Concepts.General.SSL.html
Amazon RDS creates an SSL certificate for your PostgreSQL DB instance when the instance is created. If you enable SSL certificate verification, then the SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks.
Since RDS generates a specific certificate using the DB instance endpoint generated during DB creation as the CN for the certificate and does not provide a way to modify this, we have 2 options:
- Use RDS to handle the database, providing the DB instance endpoint to connect to the databases. The only extra work will be to test that we can force users to always connect using SSL by modifying the database's parameter group. (https://www.sqlshack.com/enforce-ssl-connections-in-aws-rds-sql-server/)
- Manage our own Postgres, meaning handling at least the snapshot logic on our own but being able to provide users our DNS to connect to the databases. This will also mean configuring Postgres to handle SSL connections with our self-signed certificate.
Will note that option 1 requires us to expose the RDS URL to end users, instead of using our own domain name for this.
For now we will be forcing SSL connections through RDS instance. Moving this task as a launch blocker. We will need to create our own DB instance and confirm the custom SSL cert since RDS does not let you use custom SSL certs.
Not as relevant anymore now that the usage focus is running locally, so closing out for now.
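The trade-off discussed in this thread (a certificate whose CN is the RDS endpoint versus handing users a custom DNS name) shows up on the client in the libpq `sslmode` setting. The following is an added example, not code from the thread or from the iasql project: it audits a `postgres://` URI against the CN the server certificate carries. The endpoint, the custom host name and the helper name `audit_dsn` are constructed for illustration, and the host check is simplified to an exact CN comparison.

```python
from urllib.parse import urlsplit, parse_qs

# libpq sslmode semantics: (always encrypts, verifies CA chain, verifies host name)
SSLMODES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),  # TLS only if the server insists on it
    "prefer":      (False, False, False),  # libpq default, may fall back to plaintext
    "require":     (True,  False, False),
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}

def audit_dsn(dsn, cert_cn):
    """Return a list of findings for one connection URI; empty means verify-full works."""
    url = urlsplit(dsn)
    params = parse_qs(url.query)
    mode = params.get("sslmode", ["prefer"])[0]
    if mode not in SSLMODES:
        return ["unknown-sslmode"]
    encrypts, checks_ca, checks_host = SSLMODES[mode]
    # libpq compatibility rule: "require" plus a root CA file behaves like verify-ca.
    if mode == "require" and "sslrootcert" in params:
        checks_ca = True
    findings = []
    if not encrypts:
        findings.append("plaintext-possible")
    if not checks_ca:
        findings.append("server-cert-not-verified")
    if not checks_host:
        findings.append("host-name-not-verified")    # no guard against a spoofed server
    elif (url.hostname or "") != cert_cn.lower():
        findings.append("host-mismatch")             # verify-full would refuse to connect
    return findings

# Constructed sample values, not real endpoints.
ENDPOINT = "demo.c0nstructed.us-east-1.rds.amazonaws.com"   # CN in the RDS-issued cert
CUSTOM = "db.example.com"                                   # CNAME pointing at ENDPOINT

if __name__ == "__main__":
    for dsn in (
        f"postgres://app@{ENDPOINT}:5432/iasql",
        f"postgres://app@{ENDPOINT}:5432/iasql?sslmode=require",
        f"postgres://app@{ENDPOINT}:5432/iasql?sslmode=verify-full&sslrootcert=rds-ca.pem",
        f"postgres://app@{CUSTOM}:5432/iasql?sslmode=verify-full&sslrootcert=rds-ca.pem",
    ):
        print(dsn, "->", audit_dsn(dsn, ENDPOINT) or "ok")
```

Forcing SSL on the server side only guarantees encryption; the last sample shows why a custom domain in front of an RDS-issued certificate cannot pass `verify-full`.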