
Add SSLMODE to database connection settings #177

Merged
merged 2 commits into from
Dec 10, 2019

Conversation

sdktr
Contributor

@sdktr sdktr commented Nov 6, 2019

Defaulting to SSLMODE=prefer, optional override using environment variable: DB_SSLMODE

@sdktr sdktr changed the title Add SSLMODE to database connection properties Add SSLMODE to database connection settings Nov 6, 2019
@cimnine cimnine added the enhancement The issue describes an enhancement that we would like to implement in the future. label Nov 17, 2019
@cimnine
Collaborator

cimnine commented Nov 17, 2019

Thank you for this PR. Would you mind (a) explaining the motivation for this proposed change and (b) resolving the merge conflict so that this feature would be able to merge?

@cimnine cimnine added the awaiting answer There is still some open discussion. label Nov 25, 2019
@cimnine cimnine added this to the 0.16.0 milestone Nov 26, 2019
@sdktr
Contributor Author

sdktr commented Dec 9, 2019

> Thank you for this PR. Would you mind (a) explaining the motivation for this proposed change and (b) resolving the merge conflict so that this feature would be able to merge?

This PR introduces an optional database connection security setting. This allows for accessing (external) postgres backends that happen to prefer or demand a transport layer encryption/authentication other than the default plain text.

To avoid any negative effects for setups that do not include this setting, this PR defaults to 'prefer', which uses SSL if the server supports it but still runs unaffected when the server has no support.

We've been running with sslmode=require connecting to an Azure Postgres PaaS backend for > 1 month now with good results on performance and security.

| sslmode | Eavesdropping protection | MITM protection | Statement |
|---|---|---|---|
| disable | No | No | I don't care about security, and I don't want to pay the overhead of encryption. |
| allow | Maybe | No | I don't care about security, but I will pay the overhead of encryption if the server insists on it. |
| prefer | Maybe | No | I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. |
| require | Yes | No | I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server I want. |
| verify-ca | Yes | Depends on CA-policy | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust. |
| verify-full | Yes | Yes | I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server I trust, and that it's the one I specify. |
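
The behaviour described in this PR (DB_SSLMODE read from the environment, falling back to 'prefer'), as an added example that is not the project's own code: it builds a Django DATABASES entry for PostgreSQL, rejects unknown sslmode values at start-up instead of letting them fall through to a plaintext connection, and reports which protections from the table above a given mode does not provide. The DB_NAME/DB_USER/DB_PASSWORD/DB_HOST/DB_PORT names and the DB_SSLROOTCERT variable (mapped to the libpq sslrootcert option) are assumptions, not taken from this page.

```python
import os

# libpq sslmode values and the protection each gives, taken from the table
# in the discussion above. None stands for "Maybe" / "Depends on CA-policy".
SSLMODE_PROTECTION = {
    "disable":     {"eavesdropping": False, "mitm": False},
    "allow":       {"eavesdropping": None,  "mitm": False},
    "prefer":      {"eavesdropping": None,  "mitm": False},
    "require":     {"eavesdropping": True,  "mitm": False},
    "verify-ca":   {"eavesdropping": True,  "mitm": None},
    "verify-full": {"eavesdropping": True,  "mitm": True},
}


def database_settings(env=None):
    """Build DATABASES['default'] from an environment mapping (os.environ by default).

    DB_SSLMODE falls back to 'prefer', the default this PR chooses. The value is
    validated so that a typo such as 'required' fails loudly rather than being
    passed on. DB_SSLROOTCERT is a hypothetical variable (assumption) feeding the
    libpq sslrootcert option, the CA bundle that the verify-* modes check against.
    """
    env = os.environ if env is None else env
    sslmode = env.get("DB_SSLMODE", "prefer")
    if sslmode not in SSLMODE_PROTECTION:
        raise ValueError(f"DB_SSLMODE={sslmode!r} is not a valid libpq sslmode; "
                         f"expected one of {sorted(SSLMODE_PROTECTION)}")
    options = {"sslmode": sslmode}
    if env.get("DB_SSLROOTCERT"):
        options["sslrootcert"] = env["DB_SSLROOTCERT"]
    return {
        "ENGINE": "django.db.backends.postgresql",
        "NAME": env.get("DB_NAME", "netbox"),
        "USER": env.get("DB_USER", ""),
        "PASSWORD": env.get("DB_PASSWORD", ""),
        "HOST": env.get("DB_HOST", "localhost"),
        "PORT": env.get("DB_PORT", ""),
        "OPTIONS": options,
    }


def sslmode_warnings(settings):
    """List what the configured sslmode does NOT guarantee, for the operator's eyes."""
    opts, warnings = settings["OPTIONS"], []
    mode, prot = opts["sslmode"], SSLMODE_PROTECTION[opts["sslmode"]]
    if prot["eavesdropping"] is not True:
        warnings.append(f"sslmode={mode}: traffic may be plaintext if the server allows it")
    if prot["mitm"] is not True:
        warnings.append(f"sslmode={mode}: server identity is not fully verified")
    if mode.startswith("verify-") and "sslrootcert" not in opts:
        warnings.append(f"sslmode={mode}: no sslrootcert set; libpq will use ~/.postgresql/root.crt")
    return warnings
```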

@cimnine cimnine changed the base branch from master to develop December 10, 2019 20:48
@cimnine
Collaborator

cimnine commented Dec 10, 2019

Thank you for the explanation. I believe you have found the sweet spot between out-of-the-box security and backwards-compatibility with this.

I will merge the PR and it will land in the develop branch. This is our new staging area for future releases of Netbox Docker.

@cimnine cimnine merged commit bf2a21d into netbox-community:develop Dec 10, 2019
@cimnine cimnine mentioned this pull request Dec 21, 2019