dataguide icon indicating copy to clipboard operation
dataguide copied to clipboard

Published 20 hours ago verified publisher icon prisma

Content focused on TLS/SSL and transport encryption

Open imchairmanm opened this issue 3 years ago • 3 comments

As per a discussion in Slack, it would be helpful for us to get some more content up focusing on securing connections. We would probably want to tackle this in a few different ways. This issue is going to be a bit of a brain dump to try to plan out the best approach to getting started.

To start off with, it's important to get implementation-specific guides up on setting up SSL for various databases. I'd suggest prioritizing PostgreSQL, followed by MySQL and MongoDB.

These topics have a tendency to get a bit muddled due some decisions you have to make in how to approach the topics. For example:

  • How much you want to involve certificate acquisition in the procedure? Do you assume the user has the SSL assets already or do we cover instances where users generate their own internal CA for their infrastructure, rely on a project like Let's Encrypt, or purchase certificates issued by a commercial public CA?
  • Are we using the SSL assets for encryption and server identity validation only? Are we trying to also implement certificate based client authentication as well? These are topics we should leave open for later expansion but may not necessarily be in scope for the initial push.
  • Currently most of the implementation-specific documentation is focused around interactions between a single server and a client. Scaling the server side out horizontally or setting up replication means additional surface area that needs SSL protection. These sometimes have entirely different parameters, etc. for securing these connections. Do we cover them initially (without the background articles on actually setting up these scaled out infrastructures)?

We should think through some of these things before getting started. I personally prefer to get the most basic guides up quicker by prioritizing simple setups with reasonable assumptions, narrowly defined goals, etc. We also might need database-agnostic companion content to cover the general strategies and considerations you need to make when setting all of this up. An advantage of this is that we could use these "generic" articles to compile links to articles covering specific implementation details as we write them.

imchairmanm avatar Aug 19 '21 12:08 imchairmanm

Related links dump: https://www.postgresql.org/docs/9.1/libpq-ssl.html https://cloud.google.com/sql/docs/mysql/configure-ssl-instance https://dev.mysql.com/doc/refman/8.0/en/using-encrypted-connections.html

https://www.prisma.io/docs/concepts/database-connectors/mysql#configuring-an-ssl-connection https://www.prisma.io/docs/concepts/database-connectors/postgresql#configuring-an-ssl-connection https://github.com/prisma/e2e-tests/tree/dev/databases/gcp-mysql-ssl

janpio avatar Aug 19 '21 19:08 janpio

https://devcenter.heroku.com/articles/connecting-to-heroku-postgres-databases-from-outside-of-heroku#ssl https://devcenter.heroku.com/changelog-items/2035 https://www.jetbrains.com/help/datagrip/how-to-connect-to-heroku-postgres.html https://devcenter.heroku.com/articles/heroku-postgresql#heroku-postgres-ssl

janpio avatar Aug 20 '21 18:08 janpio

Nice examples of different connection string params around SSL/TLS: https://docs.preset.io/docs/supported-databases

janpio avatar Aug 20 '21 19:08 janpio