From ae656a2f722d44a531601f71bfe7d80f62af3608 Mon Sep 17 00:00:00 2001
From: admire
Date: Tue, 4 May 2021 13:10:19 +0200
Subject: [PATCH] Force cllients to connect with SSL
---
 README.md | 10 ++++++++++
 scripts/env-data.sh | 4 ++++
 scripts/setup-pg_hba.sh | 21 ++++++++++++++++-----
 scripts/setup-ssl.sh | 6 +-----
 4 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index e9ac504..d1ed706 100644
--- a/README.md
+++ b/README.md
@@ -400,6 +400,8 @@ See [the postgres documentation about SSL](https://www.postgresql.org/docs/11/li
 See [the postgres documentation about encoding](https://www.postgresql.org/docs/11/multibyte.html) for more information.
+To force SSL connection between clients you need to use the environment
+variable `FORCE_SSL=TRUE`
 ## Postgres Replication Setup
@@ -559,6 +561,14 @@ docker run --name "logical-replication" -e WAL_LEVEL=logical -d kartoza/postgis
 ```
 For a detailed example see the docker-compose in the folder `sample/logical_replication`.
+### Docker image versions
+All instructions mentioned in the README are valid for the latest running image.
+Other docker images might have a few missing features than the ones in the
+latest image. We mainly do not back port changes to current stable images that are being
+used in production. However, if you feel that some changes included
+in the latest tagged version of the image are essential for the previous image
+you can cherry pick the changes against that specific branch and we will
+test and merge.
 ### Support
diff --git a/scripts/env-data.sh b/scripts/env-data.sh
index d7686a6..176dbec 100644
--- a/scripts/env-data.sh
+++ b/scripts/env-data.sh
@@ -266,6 +266,10 @@ if [ -z "${ALL_DATABASES}" ]; then
 ALL_DATABASES=FALSE
 fi
+if [ -z "${FORCE_SSL}" ]; then
+ FORCE_SSL=FALSE
+fi
+
 # Compatibility with official postgres variable
 # Official postgres variable gets priority
 if [ -n "${POSTGRES_PASSWORD}" ]; then
diff --git a/scripts/setup-pg_hba.sh b/scripts/setup-pg_hba.sh
index 6883c04..6043360 100644
--- a/scripts/setup-pg_hba.sh
+++ b/scripts/setup-pg_hba.sh
@@ -12,24 +12,35 @@ fi
 # Reconfigure pg_hba if environment settings changed
 cat ${ROOT_CONF}/pg_hba.conf.template > ${ROOT_CONF}/pg_hba.conf
+if [[ "$FORCE_SSL" =~ [Tt][Rr][Uu][Ee] ]]; then
+  PG_CONF_HOST='hostssl'
+  CERT_AUTH='cert'
+else
+  PG_CONF_HOST='host'
+  CERT_AUTH=${PASSWORD_AUTHENTICATION}
+
+fi
+
+
 # Restrict subnet to docker private network
-echo "host all all 172.0.0.0/8 ${PASSWORD_AUTHENTICATION}" >> $ROOT_CONF/pg_hba.conf
+echo "$PG_CONF_HOST all all 172.0.0.0/8 ${CERT_AUTH}" >> $ROOT_CONF/pg_hba.conf
 # And allow access from DockerToolbox / Boot to docker on OSX
-echo "host all all 192.168.0.0/16 ${PASSWORD_AUTHENTICATION}" >> $ROOT_CONF/pg_hba.conf
+echo "$PG_CONF_HOST all all 192.168.0.0/16 ${CERT_AUTH}" >> $ROOT_CONF/pg_hba.conf
 # Custom IP range via docker run -e (https://docs.docker.com/engine/reference/run/#env-environment-variables)
 # Usage is: docker run [...] -e ALLOW_IP_RANGE='192.168.0.0/16'
 if [[ -n "$ALLOW_IP_RANGE" ]]
 then
 echo "Add rule to pg_hba: $ALLOW_IP_RANGE"
-  echo "host all all $ALLOW_IP_RANGE ${PASSWORD_AUTHENTICATION}" >> ${ROOT_CONF}/pg_hba.conf
+  echo "$PG_CONF_HOST all all $ALLOW_IP_RANGE ${CERT_AUTH}" >> ${ROOT_CONF}/pg_hba.conf
 fi
 # check password first so we can output the warning before postgres
 # messes it up
 if [[ "$POSTGRES_PASS" ]]; then
 pass="PASSWORD '$POSTGRES_PASS'"
-  authMethod=${PASSWORD_AUTHENTICATION}
+  authMethod=${CERT_AUTH}
 else
 # The - option suppresses leading tabs but *not* spaces. :)
 cat >&2 <<-'EOWARN'
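Review bot: With `FORCE_SSL` set, the branch at the top of the hunk also replaces the authentication method of every rule with `cert`, so `PASSWORD_AUTHENTICATION` is silently ignored and clients, including the replication user whose rule is rewritten in the next hunk of this file, must present a client certificate issued by the CA configured in `ssl_ca_file`; the README only promises to "force SSL", and if no CA is configured `cert` authentication cannot succeed at all. If the goal is only to refuse plaintext connections, `hostssl` with the configured password method is sufficient, and certificate authentication should be its own documented setting rather than a side effect. The match `[[ "$FORCE_SSL" =~ [Tt][Rr][Uu][Ee] ]]` is unanchored, so any value containing "true" enables it; use `^[Tt][Rr][Uu][Ee]$`. `CERT_AUTH` is also a misleading name in the else branch, where it holds a password method, and any plain `host` lines copied from pg_hba.conf.template presumably still accept non-SSL connections.
```shell
# Force only the transport; the auth method stays what the operator set in
# PASSWORD_AUTHENTICATION, so FORCE_SSL does not silently require client certs.
if [[ "$FORCE_SSL" =~ ^[Tt][Rr][Uu][Ee]$ ]]; then
  PG_CONF_HOST='hostssl'
else
  PG_CONF_HOST='host'
fi
CERT_AUTH=${PASSWORD_AUTHENTICATION}
# … unchanged: pg_hba rule echo lines and the POSTGRES_PASS check …
```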
@@ -54,7 +65,7 @@ if [[ -z "$REPLICATE_FROM" ]]; then
 # if env not set, then assume this is master instance
 # add rules to pg_hba.conf to allow replication from all
 echo "Add rule to pg_hba: replication ${REPLICATION_USER} "
- echo "host replication ${REPLICATION_USER} ${ALLOW_IP_RANGE} $authMethod" >> ${ROOT_CONF}/pg_hba.conf
+ echo "$PG_CONF_HOST replication ${REPLICATION_USER} ${ALLOW_IP_RANGE} $authMethod" >> ${ROOT_CONF}/pg_hba.conf
 fi
 # Put lock file to make sure conf was not reinitialized
diff --git a/scripts/setup-ssl.sh b/scripts/setup-ssl.sh
index 0fa12a9..bedf906 100644
--- a/scripts/setup-ssl.sh
+++ b/scripts/setup-ssl.sh
@@ -22,11 +22,7 @@ mkdir -p ${PGSTAT_TMP}
 chmod 0777 ${PGSTAT_TMP}
 # moved from setup.sh
-if [[ -f ${ROOT_CONF}/ssl.conf ]];then
- rm $CONF/ssl.conf
-fi
-
-cat >> ${ROOT_CONF}/ssl.conf < ${ROOT_CONF}/ssl.conf <