kopia lustrzana https://github.com/kartoza/docker-postgis
Force cllients to connect with SSL
rodzic
0beb1ece8f
commit
ae656a2f72
10
README.md
10
README.md
|
@ -400,6 +400,8 @@ See [the postgres documentation about SSL](https://www.postgresql.org/docs/11/li
|
|||
|
||||
See [the postgres documentation about encoding](https://www.postgresql.org/docs/11/multibyte.html) for more information.
|
||||
|
||||
To force SSL connection between clients you need to use the environment
|
||||
variable `FORCE_SSL=TRUE`
|
||||
|
||||
## Postgres Replication Setup
|
||||
|
||||
|
@ -559,6 +561,14 @@ docker run --name "logical-replication" -e WAL_LEVEL=logical -d kartoza/postgis
|
|||
```
|
||||
For a detailed example see the docker-compose in the folder `sample/logical_replication`.
|
||||
|
||||
### Docker image versions
|
||||
All instructions mentioned in the README are valid for the latest running image.
|
||||
Other docker images might have a few missing features than the ones in the
|
||||
latest image. We mainly do not back port changes to current stable images that are being
|
||||
used in production. However, if you feel that some changes included
|
||||
in the latest tagged version of the image are essential for the previous image
|
||||
you can cherry pick the changes against that specific branch and we will
|
||||
test and merge.
|
||||
|
||||
### Support
|
||||
|
||||
|
|
|
@ -266,6 +266,10 @@ if [ -z "${ALL_DATABASES}" ]; then
|
|||
ALL_DATABASES=FALSE
|
||||
fi
|
||||
|
||||
if [ -z "${FORCE_SSL}" ]; then
|
||||
FORCE_SSL=FALSE
|
||||
fi
|
||||
|
||||
# Compatibility with official postgres variable
|
||||
# Official postgres variable gets priority
|
||||
if [ -n "${POSTGRES_PASSWORD}" ]; then
|
||||
|
|
|
@ -12,24 +12,35 @@ fi
|
|||
# Reconfigure pg_hba if environment settings changed
|
||||
cat ${ROOT_CONF}/pg_hba.conf.template > ${ROOT_CONF}/pg_hba.conf
|
||||
|
||||
if [[ "$FORCE_SSL" =~ [Tt][Rr][Uu][Ee] ]]; then
|
||||
PG_CONF_HOST='hostssl'
|
||||
CERT_AUTH='cert'
|
||||
else
|
||||
PG_CONF_HOST='host'
|
||||
CERT_AUTH=${PASSWORD_AUTHENTICATION}
|
||||
|
||||
fi
|
||||
|
||||
|
||||
|
||||
# Restrict subnet to docker private network
|
||||
echo "host all all 172.0.0.0/8 ${PASSWORD_AUTHENTICATION}" >> $ROOT_CONF/pg_hba.conf
|
||||
echo "$PG_CONF_HOST all all 172.0.0.0/8 ${CERT_AUTH}" >> $ROOT_CONF/pg_hba.conf
|
||||
# And allow access from DockerToolbox / Boot to docker on OSX
|
||||
echo "host all all 192.168.0.0/16 ${PASSWORD_AUTHENTICATION}" >> $ROOT_CONF/pg_hba.conf
|
||||
echo "$PG_CONF_HOST all all 192.168.0.0/16 ${CERT_AUTH}" >> $ROOT_CONF/pg_hba.conf
|
||||
|
||||
# Custom IP range via docker run -e (https://docs.docker.com/engine/reference/run/#env-environment-variables)
|
||||
# Usage is: docker run [...] -e ALLOW_IP_RANGE='192.168.0.0/16'
|
||||
if [[ -n "$ALLOW_IP_RANGE" ]]
|
||||
then
|
||||
echo "Add rule to pg_hba: $ALLOW_IP_RANGE"
|
||||
echo "host all all $ALLOW_IP_RANGE ${PASSWORD_AUTHENTICATION}" >> ${ROOT_CONF}/pg_hba.conf
|
||||
echo "$PG_CONF_HOST all all $ALLOW_IP_RANGE ${CERT_AUTH}" >> ${ROOT_CONF}/pg_hba.conf
|
||||
fi
|
||||
|
||||
# check password first so we can output the warning before postgres
|
||||
# messes it up
|
||||
if [[ "$POSTGRES_PASS" ]]; then
|
||||
pass="PASSWORD '$POSTGRES_PASS'"
|
||||
authMethod=${PASSWORD_AUTHENTICATION}
|
||||
authMethod=${CERT_AUTH}
|
||||
else
|
||||
# The - option suppresses leading tabs but *not* spaces. :)
|
||||
cat >&2 <<-'EOWARN'
|
||||
|
@ -54,7 +65,7 @@ if [[ -z "$REPLICATE_FROM" ]]; then
|
|||
# if env not set, then assume this is master instance
|
||||
# add rules to pg_hba.conf to allow replication from all
|
||||
echo "Add rule to pg_hba: replication ${REPLICATION_USER} "
|
||||
echo "host replication ${REPLICATION_USER} ${ALLOW_IP_RANGE} $authMethod" >> ${ROOT_CONF}/pg_hba.conf
|
||||
echo "$PG_CONF_HOST replication ${REPLICATION_USER} ${ALLOW_IP_RANGE} $authMethod" >> ${ROOT_CONF}/pg_hba.conf
|
||||
fi
|
||||
|
||||
# Put lock file to make sure conf was not reinitialized
|
||||
|
|
|
@ -22,11 +22,7 @@ mkdir -p ${PGSTAT_TMP}
|
|||
chmod 0777 ${PGSTAT_TMP}
|
||||
|
||||
# moved from setup.sh
|
||||
if [[ -f ${ROOT_CONF}/ssl.conf ]];then
|
||||
rm $CONF/ssl.conf
|
||||
fi
|
||||
|
||||
cat >> ${ROOT_CONF}/ssl.conf <<EOF
|
||||
cat > ${ROOT_CONF}/ssl.conf <<EOF
|
||||
ssl = true
|
||||
ssl_cert_file = '${SSL_CERT_FILE}'
|
||||
ssl_key_file = '${SSL_KEY_FILE}'
|
||||
|
|
Ładowanie…
Reference in New Issue