mirror of
https://github.com/brianc/node-postgres.git
synced 2026-01-18 15:55:05 +00:00
* Added support for SCRAM-SHA-256-PLUS i.e. channel binding
* Requested tweaks to channel binding
* Additional tweaks to channel binding
* Fixed lint complaints
* Update packages/pg/lib/crypto/sasl.js
  Co-authored-by: Charmander <~@charmander.me>
* Update packages/pg/lib/crypto/sasl.js
  Co-authored-by: Charmander <~@charmander.me>
* Update packages/pg/lib/client.js
  Co-authored-by: Charmander <~@charmander.me>
* Tweaks to channel binding
* Now using homegrown certificate signature algorithm identification
* Update ssl.mdx with channel binding changes
* Allow for config object being undefined when assigning enableChannelBinding
* Fixed a test failing on an updated error message
* Removed - from hash names like SHA-256 for legacy crypto (Node 14 and below)
* Removed packageManager key from package.json
* Added some SASL/channel binding unit tests
* Added a unit test for continueSession to check expected SASL session data
* Modify tests: don't require channel binding (which cannot then work) if not using SSL
---------
Co-authored-by: Charmander <~@charmander.me>
68 lines
2.2 KiB
Plaintext
---
title: SSL
slug: /features/ssl
---

node-postgres supports TLS/SSL connections to your PostgreSQL server as long as the server is configured to support it. When instantiating a pool or a client you can provide an `ssl` property on the config object and it will be passed to the constructor for the [node TLSSocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket).

## Self-signed cert

Here's an example of a configuration you can use to connect a client or a pool to a PostgreSQL server.

```js
import fs from 'fs'
import pg from 'pg'
const { Client, Pool } = pg

const config = {
  database: 'database-name',
  host: 'host-or-ip',
  // this object will be passed to the TLSSocket constructor
  ssl: {
    // false means the connection is not rejected when the server certificate fails verification
    rejectUnauthorized: false,
    ca: fs.readFileSync('/path/to/server-certificates/root.crt').toString(),
    key: fs.readFileSync('/path/to/client-key/postgresql.key').toString(),
    cert: fs.readFileSync('/path/to/client-certificates/postgresql.crt').toString(),
  },
}

// connect with a single client
const client = new Client(config)
await client.connect()
console.log('connected')
await client.end()

// connect with a pool
const pool = new Pool(config)
const pooledClient = await pool.connect()
console.log('connected')
pooledClient.release()
await pool.end()
```

## Usage with `connectionString`

If you plan to use a combination of a database connection string from the environment and SSL settings in the config object directly, then you must avoid including any of `sslcert`, `sslkey`, `sslrootcert`, or `sslmode` in the connection string. If any of these options are used then the `ssl` object is replaced and any additional options provided there will be lost.

```js
const config = {
  connectionString: 'postgres://user:password@host:port/db?sslmode=require',
  // Beware! The ssl object is overwritten when parsing the connectionString
  ssl: {
    rejectUnauthorized: false,
    ca: fs.readFileSync('/path/to/server-certificates/root.crt').toString(),
  },
}
```

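A guard for the overwrite described above, as an added example that is not part of node-postgres: it inspects only the query part of the connection string and refuses a config whose `ssl` object would be replaced. The function names, host and CA value are hypothetical, and it assumes any `?` in the credentials is percent-encoded.

```javascript
// Added example, not node-postgres code. All names below are hypothetical.
// The four parameters the page says replace an explicit `ssl` object.
const SSL_OVERRIDE_PARAMS = ['sslcert', 'sslkey', 'sslrootcert', 'sslmode']

// Return the SSL-related query parameters present in a connection string.
// Only the query part is inspected, so strings a URL parser would reject
// (for example a placeholder port) are still checked.
function sslOverrideParams(connectionString) {
  const queryStart = connectionString.indexOf('?')
  if (queryStart === -1) return []
  const params = new URLSearchParams(connectionString.slice(queryStart + 1))
  return SSL_OVERRIDE_PARAMS.filter((name) => params.has(name))
}

// Fail closed: refuse a config whose `ssl` object would be discarded.
// Configs without a connection string or without an `ssl` object pass through.
function assertSslObjectSurvives(config) {
  if (!config || !config.connectionString || config.ssl === undefined) return config
  const found = sslOverrideParams(config.connectionString)
  if (found.length > 0) {
    throw new Error(`connectionString sets ${found.join(', ')}; the ssl object would be replaced`)
  }
  return config
}

// Constructed sample values; the host and CA text are placeholders.
const explicitSsl = { rejectUnauthorized: true, ca: '-----PLACEHOLDER CA PEM-----' }
const fromEnv = 'postgres://app:secret@db.example.test:5432/app?sslmode=require'
const cleaned = 'postgres://app:secret@db.example.test:5432/app?application_name=api'

// Run the guard over both samples and collect 'ok' or the error message.
function demo() {
  const results = []
  for (const connectionString of [fromEnv, cleaned]) {
    try {
      assertSslObjectSurvives({ connectionString, ssl: explicitSsl })
      results.push('ok')
    } catch (err) {
      results.push(err.message)
    }
  }
  return results
}

console.log(demo())
```

Call the guard on the merged config before passing it to `new Client(...)` or `new Pool(...)`, so a connection string supplied by the environment cannot silently drop the `ca` or `rejectUnauthorized` settings.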
## Channel binding

If the PostgreSQL server offers SCRAM-SHA-256-PLUS (i.e. channel binding) for TLS/SSL connections, you can enable this as follows:

```js
const client = new Client({ ...config, enableChannelBinding: true })
```

or

```js
const pool = new Pool({ ...config, enableChannelBinding: true })
```