From 5f28fe0adc7f25c947e3a3002dfd6490934957a2 Mon Sep 17 00:00:00 2001
From: Matthias Kuhn
Date: Thu, 13 Jun 2019 17:39:40 +0200
Subject: [PATCH] Allow configuring SSL (#129)
* Allow proiding custom ssl certificate and key
* Allow specifying custom ca file
* Update README.md
* Update README.md
* Update README.md
---
 README.md | 39 +++++++++++++++++++++++++++++++++++++++
 env-data.sh | 8 ++++++++
 setup-ssl.sh | 8 +++++---
 3 files changed, 52 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 5d94085..70d1ce7 100644
--- a/README.md
+++ b/README.md
@@ -94,6 +94,9 @@ user name, password and/or default database name(or multiple databases comma sep
 * -e POSTGRES_PASS=
 * -e POSTGRES_DBNAME=
 * -e POSTGRES_MULTIPLE_EXTENSIONS=postgis,hstore,postgis_topology # You can pass as many extensions as you need.
+* -e SSL_CERT_FILE=/your/own/ssl_cert_file.pem
+* -e SSL_KEY_FILE=/your/own/ssl_key_file.key
+* -e SSL_CA_FILE=/your/own/ssl_ca_file.pem
 These will be used to create a new superuser with your preferred credentials. If these are not specified then the postgresql 
@@ -303,6 +306,42 @@ However, you should note that this option doesn't mean anything if you didn't
 persist your database volume. Because if it is not persisted, then it will be lost on restart because docker will recreate the container.
+## Postgres SSL setup
+
+By default the image is delivered with an unsigned SSL certificate. This helps to have an
+encrypted connection to clients and avoid eavesdropping but does not help to mitigate
+man in the middle (MITM) attacks.
+
+You need to provide your own, signed private key to avoid this kind of attacks (and make
+sure clients connect with verify-ca or verify-full sslmode).
+
+The following is an example Dockerfile that sets up a container with custom ssl private key and certificate:
+
+```
+FROM kartoza/postgis:11.0-2.5
+
+ADD ssl_cert.pem /etc/ssl/certs/ssl_cert.pem
+ADD localhost_ssl_key.pem /etc/ssl/private/ssl_key.pem
+
+RUN chmod 400 /etc/ssl/private/ssl_key.pem
+```
+
+And a docker-compose.yml to initialize with this configuration:
+
+```
+services:
+ postgres:
+ build:
+ dockerfile: Dockerfile
+ context: ssl_secured_docker
+ environment:
+ - SSL_CERT_FILE=/etc/ssl/certs/ssl_cert.pem
+ - SSL_KEY_FILE=/etc/ssl/private/ssl_key.pem
+```
+
+See [the postgres documentation about SSL](https://www.postgresql.org/docs/11/libpq-ssl.html#LIBQ-SSL-CERTIFICATES) for more information.
+
+
 ## Credits
 Tim Sutton (tim@kartoza.com)
diff --git a/env-data.sh b/env-data.sh
index f2e8bc3..428c115 100644
--- a/env-data.sh
+++ b/env-data.sh
@@ -54,6 +54,14 @@ if [ -z "${IP_LIST}" ]; then
 IP_LIST='*'
 fi
+if [ -z "${SSL_CERT_FILE}" ]; then
+ SSL_CERT_FILE='/etc/ssl/certs/ssl-cert-snakeoil.pem'
+fi
+
+if [ -z "${SSL_KEY_FILE}" ]; then
+ SSL_KEY_FILE='/etc/ssl/private/ssl-cert-snakeoil.key'
+fi
+
 if [ -z "${POSTGRES_MULTIPLE_EXTENSIONS}" ]; then
 POSTGRES_MULTIPLE_EXTENSIONS='postgis,hstore,postgis_topology'
 fi
diff --git a/setup-ssl.sh b/setup-ssl.sh
index 50eae85..9be8fed 100644
--- a/setup-ssl.sh
+++ b/setup-ssl.sh
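Review bot: The new defaults reuse the variable name `SSL_CERT_FILE`, which OpenSSL itself honours as an override for the path of its default CA bundle; if env-data.sh exports these variables (not visible in this hunk) or an operator sets them with `-e` as the README in this patch suggests, every OpenSSL-based client inside the container (psql, curl, ...) will treat the server certificate — by default the snakeoil cert — as its only trust store, which breaks or silently weakens verify-ca/verify-full connections made from within the container. Preferring image-specific names such as `POSTGRES_SSL_CERT_FILE`/`POSTGRES_SSL_KEY_FILE` (falling back to the current names for compatibility) avoids the clash; at minimum the assignments should stay unexported and carry a warning, e.g. `# NOTE: SSL_CERT_FILE is also OpenSSL's CA-bundle override; do not export it`. The defaults also hardcode the Debian `ssl-cert` snakeoil paths, so a base image without that package would yield a postgresql.conf pointing at missing files — an inference from the paths, since the Dockerfile is not part of this patch.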
@@ -25,9 +25,11 @@ chmod 0777 ${PGSTAT_TMP}
 echo "ssl = true" >> $CONF
 #echo "ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' " >> $CONF
 #echo "ssl_renegotiation_limit = 512MB " >> $CONF
-echo "ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'" >> $CONF
-echo "ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'" >> $CONF
-#echo "ssl_ca_file = '' # (change requires restart)" >> $CONF
+echo "ssl_cert_file = '${SSL_CERT_FILE}'" >> $CONF
+echo "ssl_key_file = '${SSL_KEY_FILE}'" >> $CONF
+if [ ! -z "${SSL_CA_FILE}" ]; then
+ echo "ssl_ca_file = '${SSL_CA_FILE}' # (change requires restart)" >> $CONF
+fi
 #echo "ssl_crl_file = ''" >> $CONF
 # Put lock file to make sure conf was not reinitialized
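Review bot: The three paths are written into postgresql.conf without checking that the files exist or are readable, so a typo in `SSL_KEY_FILE` or a missing CA file surfaces only as a failed server start with no hint from this script; a guard before the first `echo "ssl_cert_file ...` line such as `for f in "${SSL_CERT_FILE}" "${SSL_KEY_FILE}" ${SSL_CA_FILE:+"${SSL_CA_FILE}"}; do [ -r "$f" ] || { echo "SSL file '$f' missing or unreadable" >&2; exit 1; }; done` fails early with a clear message (PostgreSQL additionally rejects a key whose mode or owner is too permissive, which the check could cover with `stat` if wanted). The values are also interpolated into single-quoted config strings unescaped, so a path containing `'` corrupts the generated config; worth a comment at least, e.g. `# paths are written verbatim inside single quotes; they must not contain a quote character`. Given the comment at the end of the hunk about a lock file preventing re-initialisation, a later change to `SSL_CA_FILE` or the other two variables on an existing data volume would presumably not be applied, which neither this script nor the README in the patch mentions — the lock-file logic itself, and the rest of the script, continue outside this hunk.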