SQC-652 Implement Hyperdrive TLS proxy in Miniflare

[Ltadrian]

Fixes SQC-652.

This fixes the problem of when a user runs
npx wrangler dev
with a Hyperdrive binding and localConnectionString pointing to a database that requires TLS. In such cases, the command will result in the following TLS error:

{ "error": "connection is insecure (try using `sslmode=require`)" }

This change adds a proxy layer to Miniflare and introduces a proxy service for Hyperdrive bindings. The proxy layer attempts to establish a TLS connection with the appropriate database based on the specified sslmode parameter.

This allows users to simply set sslmode=require in their localConnectionString, enabling their Hyperdrive binding to automatically upgrade to TLS instead of requiring them to manually configure TLS settings in their database driver. (Note: this still will not work without additional changes to the binding service.)

---

• Tests
  • Tests included
  • Tests not necessary because:
• Public documentation
  • Cloudflare docs PR(s): add hyperdrive wrangler dev support for remote db's cloudflare-docs#26545
  • Documentation not necessary because:
• Wrangler V3 Backport
  • Wrangler PR:
  • Not necessary because: New feature behavior

[changeset-bot]

🦋 Changeset detected

Latest commit: d8209a2

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@11219

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@11219

miniflare

npm i https://pkg.pr.new/miniflare@11219

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@11219

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@11219

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@11219

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@11219

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@11219

@cloudflare/workers-utils

npm i https://pkg.pr.new/@cloudflare/workers-utils@11219

wrangler

npm i https://pkg.pr.new/wrangler@11219

commit: d8209a2

[petebacondarwin]

A few questions and suggestions.
But it looks like this is a legitimate failure in CI?
https://github.com/cloudflare/workers-sdk/actions/runs/19313849941/job/55240551979?pr=11219#step:6:3822

[Ltadrian]

A few questions and suggestions. But it looks like this is a legitimate failure in CI? https://github.com/cloudflare/workers-sdk/actions/runs/19313849941/job/55240551979?pr=11219#step:6:3822

Yes this actually was a failure, I had missed this test but should be fixed now

[Ltadrian]

@petebacondarwin think I could get a re-review on this? I fixed some more tests and cleaned up some issues when testing more edge cases. I think currently the tests failing are flaky tests?

[ReppCodes]

Few minor comments, but LGTM!

[vicb]

LGTM.

I have added mostly minor comments / suggestions.

If one thing, I feel like there is quite some code duplication across the PR.

[dario-piotrowicz]

I've had a pretty superficial review of this since this is already approved by two people and also because I don't have much context of this.

Generally looks good to me 😄

[dario-piotrowicz]

nit:

Suggested change

	Implement Hyperdrive binding TLS miniflare proxy. This will allow for wrangler dev hyperdrive bindings to connect to external
	databases that require TLS.
	Implement Hyperdrive binding TLS miniflare proxy. This will allow for wrangler dev hyperdrive bindings to connect to external databases that require TLS.

[petebacondarwin]

Cool. Let's give this a go.