Merge pull request #303 from NyakudyaA/ssl

Force clients to connect with SSL
pull/306/head
mazano 2021-05-10 15:12:06 +02:00 zatwierdzone przez GitHub
commit 1a3ff226e5
Nie znaleziono w bazie danych klucza dla tego podpisu
ID klucza GPG: 4AEE18F83AFDEB23
4 zmienionych plików z 31 dodań i 10 usunięć


@ -400,6 +400,8 @@ See [the postgres documentation about SSL](https://www.postgresql.org/docs/11/li
See [the postgres documentation about encoding](https://www.postgresql.org/docs/11/multibyte.html) for more information. See [the postgres documentation about encoding](https://www.postgresql.org/docs/11/multibyte.html) for more information.
To force SSL connection between clients you need to use the environment
variable `FORCE_SSL=TRUE`
## Postgres Replication Setup ## Postgres Replication Setup
@ -559,6 +561,14 @@ docker run --name "logical-replication" -e WAL_LEVEL=logical -d kartoza/postgis
``` ```
For a detailed example see the docker-compose in the folder `sample/logical_replication`. For a detailed example see the docker-compose in the folder `sample/logical_replication`.
### Docker image versions
All instructions mentioned in the README are valid for the latest running image.
Other docker images might have a few missing features than the ones in the
latest image. We mainly do not back port changes to current stable images that are being
used in production. However, if you feel that some changes included
in the latest tagged version of the image are essential for the previous image
you can cherry pick the changes against that specific branch and we will
test and merge.
### Support ### Support


@ -266,6 +266,10 @@ if [ -z "${ALL_DATABASES}" ]; then
ALL_DATABASES=FALSE ALL_DATABASES=FALSE
fi fi
if [ -z "${FORCE_SSL}" ]; then
FORCE_SSL=FALSE
fi
# Compatibility with official postgres variable # Compatibility with official postgres variable
# Official postgres variable gets priority # Official postgres variable gets priority
if [ -n "${POSTGRES_PASSWORD}" ]; then if [ -n "${POSTGRES_PASSWORD}" ]; then


@ -12,24 +12,35 @@ fi
# Reconfigure pg_hba if environment settings changed # Reconfigure pg_hba if environment settings changed
cat ${ROOT_CONF}/pg_hba.conf.template > ${ROOT_CONF}/pg_hba.conf cat ${ROOT_CONF}/pg_hba.conf.template > ${ROOT_CONF}/pg_hba.conf
if [[ "$FORCE_SSL" =~ [Tt][Rr][Uu][Ee] ]]; then
PG_CONF_HOST='hostssl'
CERT_AUTH='cert'
else
PG_CONF_HOST='host'
CERT_AUTH=${PASSWORD_AUTHENTICATION}
fi
# Restrict subnet to docker private network # Restrict subnet to docker private network
echo "host all all 172.0.0.0/8 ${PASSWORD_AUTHENTICATION}" >> $ROOT_CONF/pg_hba.conf echo "$PG_CONF_HOST all all 172.0.0.0/8 ${CERT_AUTH}" >> $ROOT_CONF/pg_hba.conf
# And allow access from DockerToolbox / Boot to docker on OSX # And allow access from DockerToolbox / Boot to docker on OSX
echo "host all all 192.168.0.0/16 ${PASSWORD_AUTHENTICATION}" >> $ROOT_CONF/pg_hba.conf echo "$PG_CONF_HOST all all 192.168.0.0/16 ${CERT_AUTH}" >> $ROOT_CONF/pg_hba.conf
# Custom IP range via docker run -e (https://docs.docker.com/engine/reference/run/#env-environment-variables) # Custom IP range via docker run -e (https://docs.docker.com/engine/reference/run/#env-environment-variables)
# Usage is: docker run [...] -e ALLOW_IP_RANGE='192.168.0.0/16' # Usage is: docker run [...] -e ALLOW_IP_RANGE='192.168.0.0/16'
if [[ -n "$ALLOW_IP_RANGE" ]] if [[ -n "$ALLOW_IP_RANGE" ]]
then then
echo "Add rule to pg_hba: $ALLOW_IP_RANGE" echo "Add rule to pg_hba: $ALLOW_IP_RANGE"
echo "host all all $ALLOW_IP_RANGE ${PASSWORD_AUTHENTICATION}" >> ${ROOT_CONF}/pg_hba.conf echo "$PG_CONF_HOST all all $ALLOW_IP_RANGE ${CERT_AUTH}" >> ${ROOT_CONF}/pg_hba.conf
fi fi
# check password first so we can output the warning before postgres # check password first so we can output the warning before postgres
# messes it up # messes it up
if [[ "$POSTGRES_PASS" ]]; then if [[ "$POSTGRES_PASS" ]]; then
pass="PASSWORD '$POSTGRES_PASS'" pass="PASSWORD '$POSTGRES_PASS'"
authMethod=${PASSWORD_AUTHENTICATION} authMethod=${CERT_AUTH}
else else
# The - option suppresses leading tabs but *not* spaces. :) # The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOWARN' cat >&2 <<-'EOWARN'
@ -54,7 +65,7 @@ if [[ -z "$REPLICATE_FROM" ]]; then
# if env not set, then assume this is master instance # if env not set, then assume this is master instance
# add rules to pg_hba.conf to allow replication from all # add rules to pg_hba.conf to allow replication from all
echo "Add rule to pg_hba: replication ${REPLICATION_USER} " echo "Add rule to pg_hba: replication ${REPLICATION_USER} "
echo "host replication ${REPLICATION_USER} ${ALLOW_IP_RANGE} $authMethod" >> ${ROOT_CONF}/pg_hba.conf echo "$PG_CONF_HOST replication ${REPLICATION_USER} ${ALLOW_IP_RANGE} $authMethod" >> ${ROOT_CONF}/pg_hba.conf
fi fi
# Put lock file to make sure conf was not reinitialized # Put lock file to make sure conf was not reinitialized
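Review bot: The `hostssl` branch does more than force TLS: `CERT_AUTH='cert'` replaces `${PASSWORD_AUTHENTICATION}` with client-certificate authentication on every rule written from it (the two subnet rules, the ALLOW_IP_RANGE rule, and via `authMethod` the replication rule in the second hunk), so with FORCE_SSL=TRUE a password alone can no longer authenticate and a client certificate issued by the CA configured on the server is required. If the intent is the README's "force SSL connection", keep the password method on the encrypted transport by setting `CERT_AUTH=${PASSWORD_AUTHENTICATION}` in the true branch as well and putting cert auth behind its own variable. The match `[[ "$FORCE_SSL" =~ [Tt][Rr][Uu][Ee] ]]` is unanchored, so any value containing "true" (for example `NOTTRUE`) enables it; anchor it as `=~ ^[Tt][Rr][Uu][Ee]$`. The rules are appended to a fresh copy of `pg_hba.conf.template` whose contents are not visible here, so any plain `host` entries left in the template would still admit unencrypted connections. The `if [[ "$POSTGRES_PASS" ]]` block continues past the end of the hunk.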


@ -22,11 +22,7 @@ mkdir -p ${PGSTAT_TMP}
chmod 0777 ${PGSTAT_TMP} chmod 0777 ${PGSTAT_TMP}
# moved from setup.sh # moved from setup.sh
if [[ -f ${ROOT_CONF}/ssl.conf ]];then cat > ${ROOT_CONF}/ssl.conf <<EOF
rm $CONF/ssl.conf
fi
cat >> ${ROOT_CONF}/ssl.conf <<EOF
ssl = true ssl = true
ssl_cert_file = '${SSL_CERT_FILE}' ssl_cert_file = '${SSL_CERT_FILE}'
ssl_key_file = '${SSL_KEY_FILE}' ssl_key_file = '${SSL_KEY_FILE}'
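Review bot: The heredoc now written with `cat > ${ROOT_CONF}/ssl.conf <<EOF` sets `ssl_cert_file` and `ssl_key_file` but, in the visible part, no `ssl_ca_file`; the `cert` authentication method this PR selects for FORCE_SSL=TRUE needs a CA on the server to validate client certificates, so unless a line like `ssl_ca_file = '<CA-bundle-path>'` (placeholder) follows further down, forced-SSL clients would have no way to authenticate. Replacing the conditional `rm` plus `>>` append with a single truncating `>` does remove the duplicate-settings problem, so that part is sound. The values of `${SSL_CERT_FILE}` and `${SSL_KEY_FILE}` are interpolated verbatim between single quotes by the unquoted heredoc, so a path containing `'` would produce a broken config; a comment such as `# paths are interpolated unquoted: single quotes in them are not supported` would make that limitation explicit. The heredoc continues past the end of the hunk.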