Image that configures Postgres before starting it.
To automate dealing with specific users accessing from specific networks to a postgres server.
It tries to configure as good as possible, differentiating between connections made from LAN (docker networks attached) and from WAN (all others). This is done at entrypoint time, because it's the only way to know dynamic IP ranges in attached networks.
Then it generates appropriate postgres.conf and pg_hba.conf files.
It doesn't validate your settings, so you should be aware of proper configuration:
- Do not set
certauth method ifclient.ca.cert.pemis not supplied. - Do not enable TLS if
server.cert.pemandserver.key.pemare not supplied. - Do not publish ports without encryption.
- Use good passwords if you don't use cert auth.
Variables' defaults are all found in the Dockerfile.
The container is mainly configured via these environment variables:
JSON object with some or all of these keys:
client.ca.cert.pem: PEM contents for Postgres'ssl_ca_fileparameter. Enablescertauthentication in remote postgres clients. It's the most secure remote auth option. All clients must authenticate with a cert signed by this CA.server.cert.pem: PEM contents for Postgres'ssl_cert_fileparameter. The Postgres server will identify himself and encrypt the connection with this certificate.server.key.pem: PEM contents for Postgres'ssl_key_fileparameter. The Postgres server will identify himself and encrypt the connection with this private key.
If you pass server.cert.pem, you should pass server.key.pem too, and viceversa, or TLS encryption will not be properly configured. You also need both of them if you use client.ca.cert.pem.
It is safer to mount files with secrets instead of passing a JSON string in an env variable. You can mount the equivalents:
/etc/postgres/client.ca.cert.pem/etc/postgres/server.cert.pem/etc/postgres/server.key.pem
String with contents appended to the generated postgres.conf file.
Method required to authenticate clients that connect from LAN.
Connection type allowed for LAN connections.
JSON array with database names whose access is allowed from LAN.
Template applied for each combination of LAN CIDR/USER/DATABASE in the pg_hba.conf file.
Some placeholders can be expanded. See the Dockerfile to know them.
Wether to enable or not TLS in LAN connections.
Users allowed to connect from LAN.
Method required to authenticate clients that connect from WAN.
Connection type allowed for WAN connections. If it is hostssl, it will only have effect when the required certs are received.
JSON array with database names whose access is allowed from WAN.
Template applied for each combination of USER/DATABASE in the pg_hba.conf file, for public connections.
Some placeholders can be expanded. See the Dockerfile to know them.
Wether to enable or not TLS in WAN connections.
Users allowed to connect from WAN.