
🔦 Feature: Allow to use SSL parameters in NC_DB (MySQL / PostgreSQL)

Open yoni-yad2 opened this issue 1 year ago • 5 comments

Please confirm if feature request does NOT exist already ?

  • [X] I confirm there is no existing issue for this

Describe the usecase for the feature

nocodb is lacking the option to use an encrypted SSL/TLS connection to the metadata DB.

Interestingly enough, SSL/TLS can be used for data sources.

Suggested Solution

Allow adding standard SSL/TLS parameters to the NC_DB connection string such as: usessl=true/false, sslmode=allow/require/verify-ca/verify, verifyServerCertificate=true/false

Additional Context

No response

yoni-yad2 avatar May 23 '24 07:05 yoni-yad2

+1, tested on postgres://*?sslmode=require, not working

gudge25 avatar Jun 03 '24 20:06 gudge25

Is there an alternative configuration that works, or is it currently not supported at all?

I've tried many configurations based on https://github.com/nocodb/nocodb/issues/1798

However, I always get the following error:

nocodb-1 | [Nest] 8 - 12/14/2024, 12:01:54 AM ERROR [ExceptionHandler] TypeError: Cannot read properties of undefined (reading 'bold')

xdubois avatar Dec 14 '24 00:12 xdubois

Noco's database TLS handling just cost me half a day of my life, and I'm pretty annoyed as a result.

As a deployer, I can either set NC_DB - a proprietary format which doesn't allow sane TLS configuration at all. It's 2025. Seriously? No decent way to configure TLS for your database connection?

Or I can set DATABASE_URL which (unlike every other piece of nodejs-based software out there) parses the URL as a JDBC URL (?!?! NB the "J" in "JDBC" stands for JAVA - it's not even the right programming language), breaking it in the process, puts it back together just as badly, and then passes it to knex?! Seriously?!!??

How am I supposed to set all the random SSL Postgres connection settings that are needed to connect to AWS RDS (sadly the most widely deployed database hosting service on the planet?)? I can't set them as env vars, since I can't enable SSL without specifying ssl=true in the URL (which unlike all documentation for Postgres, the Node pg package, and knex says is not needed), but if I do, you create a connection options object that overrides all of the env vars.

Keep your weird, insecure NC_DB format if you like, but please for the love of god just pass any value set via DATABASE_URL directly through to knex. Please. PLEASE.

michael-gratton avatar Jan 27 '25 02:01 michael-gratton

NB this should be a bug report, not a feature request.

michael-gratton avatar Jan 27 '25 02:01 michael-gratton

Strongly agree with @michael-gratton

Sadly the only workaround I found is to use the NC_DB_JSON_FILE configuration option - which is not CI/CD friendly at all

Here's a working docker compose config snippet for those facing the same issue

services: 
  nocodb: 
    image: "nocodb/nocodb:latest"
    ports: 
      - "8080:8080"
    environment:
      NC_DB_JSON_FILE: "/usr/app/conf/db.json"
    env_file: .env
    volumes: 
      - "./conf:/usr/app/conf"

db.json

{
    "client": "pg",
    "connection": {
        "host": "host-db",
        "port": "",
        "user": "",
        "password": "",
        "database": "",
        "ssl": {
          "require": true,
          "rejectUnauthorized": false,
          "sslMode": "require",
          "ca": "-----BEGIN CERTIFICATE-----\ncert\n-----END CERTIFICATE-----\n",
          "cert": "",
          "key": ""
        }
    }
}

xdubois avatar Jan 27 '25 12:01 xdubois
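
Added example, not part of the thread or of NocoDB's code: a small audit of the connection.ssl block in a knex/pg config file like the db.json above, showing that rejectUnauthorized set to false gives encryption without server authentication even when a ca is supplied. The function names and the sample object are hypothetical, and it assumes the pg driver passes the ssl object to Node's tls.connect().

```javascript
// Added example (not NocoDB code): audit the connection.ssl block of a knex/pg
// config file such as the db.json above.
// Assumption: the pg driver hands the ssl object to Node's tls.connect(), so
// rejectUnauthorized and ca carry their standard Node TLS meaning.
const PEM_CERT = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;

function auditPgSsl(config) {
  const findings = [];
  const ssl = config && config.connection ? config.connection.ssl : undefined;
  if (ssl === undefined || ssl === null || ssl === false) {
    findings.push("high: TLS is off, metadata DB traffic is cleartext");
    return findings;
  }
  if (ssl === true) return findings; // Node defaults: verify against system CAs
  const hasCa = typeof ssl.ca === "string" && ssl.ca.trim() !== "";
  if (ssl.rejectUnauthorized === false) {
    findings.push("high: rejectUnauthorized=false, server certificate is not verified");
    if (hasCa) findings.push("info: ca is set but not enforced while rejectUnauthorized=false");
  }
  if (hasCa && !PEM_CERT.test(ssl.ca)) {
    findings.push("medium: ca is not a PEM certificate");
  }
  return findings;
}

// Return a copy of the config that keeps the supplied CA and enforces verification.
function hardenPgSsl(config) {
  const copy = JSON.parse(JSON.stringify(config));
  const ssl = copy.connection && copy.connection.ssl;
  if (ssl && typeof ssl === "object") ssl.rejectUnauthorized = true;
  return copy;
}

// Constructed sample mirroring the db.json workaround (placeholder CA body).
const sample = {
  client: "pg",
  connection: {
    host: "host-db",
    ssl: {
      rejectUnauthorized: false,
      ca: "-----BEGIN CERTIFICATE-----\ncert\n-----END CERTIFICATE-----\n",
    },
  },
};

console.log(auditPgSsl(sample));
console.log(auditPgSsl(hardenPgSsl(sample)));
```
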