fastify / fastify-postgres

Fastify PostgreSQL connection plugin
MIT License
186 stars 34 forks

There is no documentation for how to work with SSL #135

Open imf opened 2 years ago

imf commented 2 years ago

Prerequisites

Fastify version

4.0.2

Plugin version

5.0.0

Node.js version

16.15.0

Operating system

macOS

Operating system version (i.e. 20.04, 11.3, 10)

12.4

Description

I was looking for how to disable rejectUnauthorized (or how to work with SSL in general) and found nothing in the documentation.

Enabling SSL by passing ssl=true as a query parameter worked, but only got me to the database rejecting a self-signed cert.

Further, I imagined that passing the standard structure for parameters into the config hash might work... I got as far as this (somewhat janky) config... which unfortunately didn't work.

fastify.register(require('@fastify/postgres'), {
  connectionString: process.env.DATABASE_URL + '?ssl=true',
  ssl: {
    rejectUnauthorized: false
  }
})

The specific use case is 'connect to a Heroku-hosted DB from a Heroku-hosted Fastify app' which is likely a common use case. Since the latest Postgres library defaults to rejectUnauthorized being 'true' I'm guessing this is what 'broke' things. (Though of course this behavior is more correct.)

Steps to Reproduce

Try to configure SSL.

Expected Behavior

I'd find some documentation for how to configure SSL.

climba03003 commented 2 years ago

We pass the option directly to pg. I think if there is some problem with the option, it would be an upstream problem. https://github.com/fastify/fastify-postgres/blob/master/index.js#L90

imf commented 2 years ago

Adding documentation for how this should be configured in fastify sounds like it would be pretty simple in that case, no? (They're not going to document how you should configure Fastify to use SSL.)

climba03003 commented 2 years ago

What I meant in my previous comment is that if you believe the option not working is a bug, then it should be an upstream issue.

Adding documentation for how this should be configured in fastify sounds like it would be pretty simple in that case, no?

I would not block any PR for the document update. Here is the information about SSL from node-postgres:

If you plan to use a combination of a database connection string from the environment and SSL settings in the config object directly, then you must avoid including any of sslcert, sslkey, sslrootcert, or sslmode in the connection string. If any of these options are used then the ssl object is replaced and any additional options provided there will be lost.

The above statement is not totally true; ssl in the connection string also replaces the ssl option. This means that when you are using both the connection string and the option, the connection string always takes precedence.

tweenietomatoes commented 2 years ago

postgres://username:password@host:port/databasename?sslmode=verify-full&sslrootcert=yourrootcert&sslcert=yourclientcertificate&sslkey=yourclientkey

Just working fine.
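Added example, not code from this thread or from fastify-postgres or pg: one way to act on the precedence rule discussed above is to strip the SSL query parameters from the connection string so the `ssl` object is the only source of TLS settings, and to trust the database's CA instead of turning verification off. `buildPgOptions`, the sample URL and the PEM text are hypothetical; `ssl.ca` and `ssl.rejectUnauthorized` are the Node TLS options that pg accepts.

```javascript
// Query keys that, per the thread, replace the `ssl` config object
// when they appear in the connection string.
const SSL_QUERY_KEYS = ['ssl', 'sslmode', 'sslcert', 'sslkey', 'sslrootcert'];

/**
 * Hypothetical helper: build plugin options whose TLS settings come only
 * from the `ssl` object.
 * @param {string} databaseUrl e.g. process.env.DATABASE_URL
 * @param {string} caPem PEM text of the CA that signed the server certificate
 * @returns {{options: object, removed: string[]}}
 */
function buildPgOptions(databaseUrl, caPem) {
  if (typeof caPem !== 'string' || !caPem.includes('BEGIN CERTIFICATE')) {
    throw new Error('a CA certificate in PEM form is required');
  }
  const url = new URL(databaseUrl);
  const removed = [];
  for (const key of SSL_QUERY_KEYS) {
    if (url.searchParams.has(key)) {
      removed.push(key); // report what was dropped so it can be logged
      url.searchParams.delete(key);
    }
  }
  return {
    options: {
      connectionString: url.toString(),
      // Verification stays on; trust is anchored to the supplied CA.
      ssl: { rejectUnauthorized: true, ca: caPem },
    },
    removed,
  };
}

// Constructed sample input (not a real host, credential or certificate).
const SAMPLE_URL =
  'postgres://app_user:example-pw@db.example.internal:5432/appdb' +
  '?ssl=true&application_name=api';
const SAMPLE_CA =
  '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n';

// Usage with the plugin, as registered earlier in the thread:
//   const { options } = buildPgOptions(process.env.DATABASE_URL, caPem);
//   fastify.register(require('@fastify/postgres'), options);
```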