chore(electric): Flip the default value of DATABASE_REQUIRE_SSL to true
#767
Conversation
alco
force-pushed
the
alco/sslmode
branch
2 times, most recently
from
b1e2e0e
to
e2296cf
Compare
alco
changed the title
DATABASE_REQUIRE_SSL to true
There was a problem hiding this comment.
I'm sure you've thought about this but isn't there an "optimistic" version of this setting that will try ssl then fallback if it doesn't work? wouldn't that work everywhere? in this pr you refuse use of the sslmode param but isn't sslmode=prefer exactly the behaviour we want? i.e. the client sends an SSLRequest message and the server responds with either S or N
|
@magnetised This PR bundles a couple of independent changes:
|
|
@alco thanks for the clarification. |
alco
force-pushed
the
alco/database-use-ipv6
branch
from
f7b9f27
to
4ba0ecc
Compare
This is an edge case that's not handled by epgsql. Epgsql can handle the case where it tries to establish an SSL connection but gets back a "no encryption" response from Postgres. It will keep the connection open, though it will be unencrypted. However, Fly Postgres seems to always close its end of the connection if it's not configured to run in SSL mode. Epgsql does not try to reconnect in this case, so we do this ourselves after removing the SSL connection option.
We override the value of "replication" anyway, so it doesn't make sense to allow it to be passed in. As for the sslmode, we do not support all the options that psql does. Our rules are simpler: use SSL by default but allow falling back to unencrypted connections by setting DATABASE_REQUIRE_SSL to false.
|
FYI I had to implement SSL support in the proxy because it wouldn't be able to establish an upstream connection when the database was configured to require SSL. I'm baffled at the fact that we haven't noticed this until now. |
I've seen Postgres reject connections when this setting was set to its default value.
This authentication method is used by Neon. And it's related to the SSL implementation here because there's no way Postgres would be requesting a cleartext password over an unencrypted connection.
This is a better default for any environment other than, perhaps, dev.
Until now, connecting to a Postgres that was configured to only accept SSL connection would result in a cryptic
invalid_authorization_specificationerror (FWIW the same error may be logged when Postgres is configured to only accept unencrypted connection, but this is a rare edge case). That was the case with Crunchy Bridge and AWS RDS.With this new default, more hosted databases should be supported out of the box. One prominent exception is Fly Postgres (at least prior to its takeover by Supabase): since Fly machine all connect to the same encrypted private network, there is no benefit of an additional encryption for database connections on top of that. For cases like this, we need to print a friendly error message instructing the developer to set
DATABASE_REQUIRE_SSL=falsein their Electric configuration. This will be addressed in #762.Note that Electric also needs to be able to verify the database host's authenticity to prevent man-in-the-middle attacks. I've filed VAX-1446 to address this at a later time.
Also, the added burden of setting
DATABASE_REQUIRE_SSL=falsein dev is not lost on me. I'm implementing support for.envfiles in #770. That will remove some configuration-related woes in dev.