doc: add instructions for SSL DB connections
Walk through an advanced workflow of enabling SSL connections for postgresql.
This commit is contained in:
Ken Dreyer
parent
3aeefaaec8
commit
1434835ef7
1 changed files with 54 additions and 0 deletions
|
|
@ -130,3 +130,57 @@ existing tables.
|
||||||
SELECT partition_buildroot_listing();
|
SELECT partition_buildroot_listing();
|
||||||
DROP FUNCTION partition_buildroot_listing();
|
DROP FUNCTION partition_buildroot_listing();
|
||||||
COMMIT;
|
COMMIT;
|
||||||
|
|
||||||
|
Using SSL with PostgreSQL
|
||||||
|
-------------------------
|
||||||
|
|
||||||
|
The basic :doc:`Koji server walkthrough <server_howto>` and sample
|
||||||
|
configuration files instruct users to use plaintext TCP/IP connections to the
|
||||||
|
postgresql server. This is not a good practice, and it is more secure to use
|
||||||
|
SSL. You'll need to configure the postgresql server to accept SSL connections,
|
||||||
|
and then configure the Koji Hub to only use a trusted SSL connection.
|
||||||
|
|
||||||
|
Enabling SSL on the PostgreSQL server
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Edit ``/var/lib/pgsql/data/postgresql.conf``:
|
||||||
|
|
||||||
|
* Enable SSL with ``ssl = on``
|
||||||
|
* The ``listen_addresses`` option cannot be empty. ``listen_addresses = '*'``
|
||||||
|
will make postgres listen on every network interface (simpler), or you can
|
||||||
|
restrict it to only certain network interfaces.
|
||||||
|
|
||||||
|
Create two files:
|
||||||
|
|
||||||
|
* ``/var/lib/pgsql/data/server.crt`` - This is the public signed certificate.
|
||||||
|
It should include the full chain (including the CA and any intermediates).
|
||||||
|
* ``/var/lib/pgsql/data/server.key`` - The private key.
|
||||||
|
|
||||||
|
Set the ownership appropriately::
|
||||||
|
|
||||||
|
chown postgres:postgres /var/lib/pgsql/data/server.{crt,key}
|
||||||
|
chmod 0600 /var/lib/pgsql/data/server.key
|
||||||
|
|
||||||
|
Restart postgresql for the new settings to take effect::
|
||||||
|
|
||||||
|
systemctl restart postgresql
|
||||||
|
|
||||||
|
Configuring the Koji hub to use SSL to Postgres
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Once you've enabled SSL on the PostgreSQL server, you can test it with the
|
||||||
|
CLI::
|
||||||
|
|
||||||
|
psql 'postgresql://koji:example_password@db.example.com/koji?sslmode=verify-full&sslrootcert=/etc/pki/tls/certs/ca-bundle.trust.crt'
|
||||||
|
|
||||||
|
You should be able to list tables, run queries, etc.
|
||||||
|
|
||||||
|
Edit ``/etc/koji-hub/hub.conf`` to use this connection string::
|
||||||
|
|
||||||
|
DBConnectionString = postgresql://koji:example_password@kojidev.example.com/koji?sslmode=verify-full&sslrootcert=/etc/pki/tls/certs/ca-bundle.trust.crt
|
||||||
|
|
||||||
|
Restart the hub and verify the new ``DBConnectionString`` is working::
|
||||||
|
|
||||||
|
systemctl restart httpd
|
||||||
|
|
||||||
|
koji hello
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue