diff --git a/README.md b/README.md
index b5331a8..a48b4a8 100644
--- a/README.md
+++ b/README.md
@@ -157,3 +157,12 @@ The `import` command should be used with any non-plain-text files exported by `p
 ```shell
 $ dokku postgres:connect db < ./dump.sql
 ```
+
+## security
+
+The connection to the database is done over SSL. A self-signed certificate is
+automatically generated when creating the service. It can be replaced by a
+custom certificate by overwriting the `server.crt` and `server.key` files in
+`/var/lib/dokku/services/postgres//data`.
+The `server.key` must be chmoded to 600 and must be owned by the postgres user
+or root.
diff --git a/commands b/commands
index 6fec585..02ac3c2 100755
--- a/commands
+++ b/commands
@@ -48,6 +48,11 @@ case "$1" in
 DATABASE_NAME="$(get_database_name "$SERVICE")"
 docker exec "$SERVICE_NAME" su - postgres -c "createdb -E utf8 $DATABASE_NAME" 2> /dev/null || echo 'Already exists'
+ dokku_log_verbose_quiet "Securing connection to database"
+ service_stop "$SERVICE" > /dev/null
+ docker run --rm -i -v "$SERVICE_ROOT/data:/var/lib/postgresql/data" "$PLUGIN_IMAGE:$PLUGIN_IMAGE_VERSION" bash -s < "$(dirname "$0")/scripts/enable_ssl.sh" &> /dev/null
+ service_start "$SERVICE" > /dev/null
+ dokku_log_info2 "$PLUGIN_SERVICE container created: $SERVICE"
 dokku "$PLUGIN_COMMAND_PREFIX:info" "$SERVICE"
 ;;
diff --git a/scripts/enable_ssl.sh b/scripts/enable_ssl.sh
new file mode 100755
index 0000000..2fb9cfd
--- /dev/null
+++ b/scripts/enable_ssl.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+cd /var/lib/postgresql/data
+openssl req -new -newkey rsa:4096 -x509 -nodes -out server.crt -keyout server.key -batch
+chmod 600 server.key
+sed -i "s/^#ssl = off/ssl = on/" postgresql.conf
+sed -i "s/^#ssl_ciphers =.*/ssl_ciphers = 'AES256+EECDH:AES256+EDH'/" postgresql.conf
diff --git a/tests/setup.sh b/tests/setup.sh
index 5bd208d..f623c52 100644
--- a/tests/setup.sh
+++ b/tests/setup.sh
@@ -15,6 +15,7 @@ cd -
 rm -rf $DOKKU_ROOT/plugins/service
 mkdir -p $DOKKU_ROOT/plugins/service
 find ./ -maxdepth 1 -type f -exec cp '{}' $DOKKU_ROOT/plugins/service \;
+cp -r ./scripts "$DOKKU_ROOT/plugins/service"
 if [[ ! -f $BIN_STUBS/plugn ]]; then
 wget -O- "$PLUGN_URL" | tar xzf - -C "$BIN_STUBS"
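Review bot: The exit status of the added `docker run … bash -s < …/enable_ssl.sh` line is discarded and both of its streams go to /dev/null, so if certificate generation or the postgresql.conf edit fails the service is simply started again without SSL while the log has already printed "Securing connection to database". Checking the status keeps the README's SSL claim honest: `docker run … bash -s < "$(dirname "$0")/scripts/enable_ssl.sh" &> /dev/null || dokku_log_fail "Failed to enable SSL for $SERVICE"` (restart the service before failing if you prefer not to leave it stopped). `service_stop` and `service_start` are likewise silenced without their status being checked. The `case "$1" in` arm this code sits in begins and ends outside the hunk.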
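Review bot: `openssl req -x509` is invoked without `-days`, so the generated server.crt is valid for only 30 days (OpenSSL's default); after that any client using `sslmode=verify-ca` or `verify-full` against it will reject the expired certificate, so give it an explicit validity and subject, e.g. `-days 3650 -subj '/CN=postgres'` (sample values). The script has no `set -e`, so a failing `cd` or `openssl` still lets the two `sed` lines turn `ssl = on`, and those `sed` edits silently no-op if the shipped postgresql.conf does not contain the exact `#ssl = off` / `#ssl_ciphers =` text, so the result should be verified with `grep -q` after editing. Because `docker run` executes as root, server.key ends up root-owned; the README permits that, but older PostgreSQL releases require the key to be owned by the server user, so a `chown postgres:postgres` is safer (the image's `postgres` user is the one `commands` already uses with `su - postgres`). Note also that `ssl = on` only offers TLS: the script does not touch pg_hba.conf, so unless its `host` entries become `hostssl` the server still accepts unencrypted connections and the README's "done over SSL" only holds for clients that negotiate it.
```shell
#!/bin/bash
set -euo pipefail
cd /var/lib/postgresql/data
# validity and subject below are constructed sample values; adjust per deployment
openssl req -new -newkey rsa:4096 -x509 -nodes -days 3650 -subj '/CN=postgres' \
  -out server.crt -keyout server.key -batch
chmod 600 server.key
chown postgres:postgres server.key server.crt
# … unchanged: the two sed edits of postgresql.conf …
grep -q '^ssl = on' postgresql.conf
grep -q '^ssl_ciphers = ' postgresql.conf
```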