Force cllients to connect with SSL

README.md

@@ -400,6 +400,8 @@ See [the postgres documentation about SSL](https://www.postgresql.org/docs/11/li
 
 See [the postgres documentation about encoding](https://www.postgresql.org/docs/11/multibyte.html) for more information.
 
+To force SSL connection between clients you need to use the environment 
+variable `FORCE_SSL=TRUE`
 
 ## Postgres Replication Setup
 
@@ -559,6 +561,14 @@ docker run --name "logical-replication" -e WAL_LEVEL=logical -d  kartoza/postgis
 ```
 For a detailed example see the docker-compose in the folder `sample/logical_replication`.
 
+### Docker image versions
+All instructions mentioned in the README are valid for the latest running image.
+Other docker images might have a few missing features than the ones in the 
+latest image. We mainly do not back port changes to current stable images that are being 
+used in production. However, if you feel that some  changes included
+in the latest tagged version of the image are essential for the previous image
+you can cherry pick the changes against that specific branch and we will 
+test and merge.
 
 ### Support
 

scripts/env-data.sh

@@ -266,6 +266,10 @@ if [ -z "${ALL_DATABASES}" ]; then
   ALL_DATABASES=FALSE
 fi
 
+if [ -z "${FORCE_SSL}" ]; then
+  FORCE_SSL=FALSE
+fi
+
 # Compatibility with official postgres variable
 # Official postgres variable gets priority
 if [ -n "${POSTGRES_PASSWORD}" ]; then

scripts/setup-pg_hba.sh

@@ -12,24 +12,35 @@ fi
 # Reconfigure pg_hba if environment settings changed
 cat ${ROOT_CONF}/pg_hba.conf.template > ${ROOT_CONF}/pg_hba.conf
 
+if [[ "$FORCE_SSL" =~ [Tt][Rr][Uu][Ee] ]]; then
+  PG_CONF_HOST='hostssl'
+  CERT_AUTH='cert'
+else
+   PG_CONF_HOST='host'
+   CERT_AUTH=${PASSWORD_AUTHENTICATION}
+
+fi
+
+
+
 # Restrict subnet to docker private network
-echo "host    all             all             172.0.0.0/8              ${PASSWORD_AUTHENTICATION}" >> $ROOT_CONF/pg_hba.conf
+echo "$PG_CONF_HOST   all             all             172.0.0.0/8              ${CERT_AUTH}" >> $ROOT_CONF/pg_hba.conf
 # And allow access from DockerToolbox / Boot to docker on OSX
-echo "host    all             all             192.168.0.0/16               ${PASSWORD_AUTHENTICATION}" >> $ROOT_CONF/pg_hba.conf
+echo "$PG_CONF_HOST    all             all             192.168.0.0/16               ${CERT_AUTH}" >> $ROOT_CONF/pg_hba.conf
 
 # Custom IP range via docker run -e (https://docs.docker.com/engine/reference/run/#env-environment-variables)
 # Usage is: docker run [...] -e ALLOW_IP_RANGE='192.168.0.0/16'
 if [[ -n "$ALLOW_IP_RANGE" ]]
 then
 	echo "Add rule to pg_hba: $ALLOW_IP_RANGE"
- 	echo "host    all             all             $ALLOW_IP_RANGE              ${PASSWORD_AUTHENTICATION}" >> ${ROOT_CONF}/pg_hba.conf
+ 	echo "$PG_CONF_HOST   all             all             $ALLOW_IP_RANGE              ${CERT_AUTH}" >> ${ROOT_CONF}/pg_hba.conf
 fi
 
 # check password first so we can output the warning before postgres
 # messes it up
 if [[ "$POSTGRES_PASS" ]]; then
 	pass="PASSWORD '$POSTGRES_PASS'"
-	authMethod=${PASSWORD_AUTHENTICATION}
+	authMethod=${CERT_AUTH}
 else
 	# The - option suppresses leading tabs but *not* spaces. :)
 	cat >&2 <<-'EOWARN'
@@ -54,7 +65,7 @@ if [[ -z "$REPLICATE_FROM" ]]; then
 	# if env not set, then assume this is master instance
 	# add rules to pg_hba.conf to allow replication from all
 	echo "Add rule to pg_hba: replication ${REPLICATION_USER} "
-	echo "host    replication            ${REPLICATION_USER}             ${ALLOW_IP_RANGE}          $authMethod" >> ${ROOT_CONF}/pg_hba.conf
+	echo "$PG_CONF_HOST   replication            ${REPLICATION_USER}             ${ALLOW_IP_RANGE}          $authMethod" >> ${ROOT_CONF}/pg_hba.conf
 fi
 
 # Put lock file to make sure conf was not reinitialized

scripts/setup-ssl.sh

@@ -22,11 +22,7 @@ mkdir -p ${PGSTAT_TMP}
 chmod 0777 ${PGSTAT_TMP}
 
 # moved from setup.sh
-if [[  -f ${ROOT_CONF}/ssl.conf ]];then
-    rm $CONF/ssl.conf
-fi
-
-cat >> ${ROOT_CONF}/ssl.conf <<EOF
+cat > ${ROOT_CONF}/ssl.conf <<EOF
 ssl = true
 ssl_cert_file = '${SSL_CERT_FILE}'
 ssl_key_file = '${SSL_KEY_FILE}'