# Postgre-TLS - Secure PostgreSQL Docker Setup with SSL/TLS

A secure PostgreSQL Docker container with enforced SSL/TLS encryption, certificate verification, and advanced security features.

## Docker Images

This project builds and publishes Docker images to the git.nixc.us registry:

- **Unstable**: `git.nixc.us/postgre-tls:unstable` (latest development)
- **Stable**: `git.nixc.us/postgre-tls:stable` (stable releases)

## Features

- **SSL/TLS Encryption**: TLSv1.3 with 256-bit AES-GCM encryption
- **Certificate Verification**: Full SSL certificate verification enabled
- **SCRAM-SHA-256 Authentication**: Secure password authentication
- **Row-Level Security**: Built-in support for fine-grained access control
- **Audit Logging**: Comprehensive audit trail for database operations
- **Data Integrity**: Checksums enabled for data corruption detection
- **Monitoring**: Built-in performance monitoring with pg_stat_statements
- **Encryption Functions**: pgcrypto extension for additional encryption capabilities

## Quick Start

1. **Start the PostgreSQL container**:

   ```bash
   ./start.sh
   ```

2. **Connect to the database**:

   ```bash
   ./connect.sh
   ```

3. **Stop the container**:

   ```bash
   docker-compose down
   ```

## SSL Connection Details

The setup provides enterprise-grade security with:

- **Encryption**: TLSv1.3 with TLS_AES_256_GCM_SHA384 cipher
- **Key Size**: 256-bit encryption
- **Certificate**: Self-signed with full verification
- **Authentication**: SCRAM-SHA-256 password hashing

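The Features and SSL Connection Details sections above list what the container is meant to enforce; a practitioner will want to confirm that the shipped `postgresql.conf` actually sets those parameters and that a live session negotiated the promised protocol and cipher. The script below is an added example and is not part of the Postgre-TLS project: it audits a config file for the relevant PostgreSQL parameters (`ssl`, `ssl_min_protocol_version`, `password_encryption`, `shared_preload_libraries`; the parameter names are PostgreSQL's own, `ssl_min_protocol_version` requires PostgreSQL 12 or later) and checks one row of `pg_stat_ssl` output. The sample config and the sample `pg_stat_ssl` row are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the Postgre-TLS project: audit a postgresql.conf
# for the settings behind the feature list, and check a pg_stat_ssl row to
# confirm a session really negotiated TLSv1.3 with a 256-bit cipher.
# Parameter names are PostgreSQL's own (ssl_min_protocol_version needs
# PostgreSQL 12+); the sample config and sample row below are constructed.
set -u

# Values the README's feature list implies (KEY=VALUE, one per line).
EXPECTED_SETTINGS="ssl=on
ssl_min_protocol_version=TLSv1.3
password_encryption=scram-sha-256
shared_preload_libraries=pg_stat_statements"

# conf_value FILE KEY: print the effective value of KEY, quotes and trailing
# comment stripped. The last uncommented assignment wins, as in PostgreSQL.
conf_value() {
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*'?([^'#]*)'?.*$/\1/p" "$1" \
    | tail -n 1 | sed -E 's/[[:space:]]+$//'
}

# audit_conf FILE: one FAIL line per mismatch; returns 1 if any, else 0.
audit_conf() {
  local file=$1 rc=0 line key want got
  while IFS= read -r line; do
    key=${line%%=*}; want=${line#*=}
    got=$(conf_value "$file" "$key")
    case $key in
      shared_preload_libraries)   # a list: accept any list containing $want
        case ",$(printf %s "$got" | tr -d ' ')," in *",$want,"*) continue ;; esac ;;
      *) if [ "$got" = "$want" ]; then continue; fi ;;
    esac
    printf 'FAIL %s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
    rc=1
  done <<EOF
$EXPECTED_SETTINGS
EOF
  return $rc
}

# check_session ROW: ROW is the output of
#   psql -At -c "SELECT ssl, version, cipher, bits FROM pg_stat_ssl WHERE pid = pg_backend_pid()"
# e.g. "t|TLSv1.3|TLS_AES_256_GCM_SHA384|256". Returns 0 only for a TLSv1.3
# session on one of the two 256-bit TLS 1.3 cipher suites.
check_session() {
  local ssl version cipher bits
  IFS='|' read -r ssl version cipher bits <<EOF
$1
EOF
  [ "$ssl" = "t" ]           || { echo "FAIL: session is not encrypted"; return 1; }
  [ "$version" = "TLSv1.3" ] || { echo "FAIL: protocol $version, want TLSv1.3"; return 1; }
  [ "$bits" = "256" ]        || { echo "FAIL: ${bits:-?}-bit cipher, want 256"; return 1; }
  case $cipher in
    TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256) ;;
    *) echo "FAIL: unexpected cipher $cipher"; return 1 ;;
  esac
  echo "OK: $version $cipher ($bits-bit)"
}

# --- stand-alone run on constructed input (this config deliberately allows TLSv1.2) ---
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
listen_addresses = '*'
ssl = on
ssl_min_protocol_version = 'TLSv1.2'      # weaker than the README promises
password_encryption = scram-sha-256
shared_preload_libraries = 'pg_stat_statements'
EOF
audit_conf "$SAMPLE_CONF" || echo "audit failed, as expected for this sample"
check_session "t|TLSv1.3|TLS_AES_256_GCM_SHA384|256"
rm -f "$SAMPLE_CONF"
```

Against a running container, feed `audit_conf` the project's `postgresql.conf` and `check_session` the output of the quoted `psql -At -c` query run through `./connect.sh`'s connection; a session that reports `TLSv1.2` or a 128-bit suite means the server or client cipher configuration no longer matches what this README advertises.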
## Manual Connection

You can also connect manually using psql:

```bash
psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca_crt"
```

For a non-interactive connection, set the PGPASSWORD environment variable:

```bash
export PGPASSWORD=$(cat secrets/postgres_password || echo "change_me_in_production")
psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca_crt"
```

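The manual connection above relies on two things being right: `sslmode=verify-full` with the project's own CA, and a password that reaches psql without landing in shell history or the process list. The wrapper below is an added example, not part of the Postgre-TLS project: it vets a libpq connection string before use (only `verify-full` against a readable `sslrootcert`, and no inline `password=`), and reads `secrets/postgres_password` while refusing to fall back to a default or to use a group- or world-readable file. The option names are libpq's own; the paths follow this README and the sample strings are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the Postgre-TLS project: vet a libpq connection
# string before handing it to psql, and read the password from the secrets
# file without ever falling back to a default. The option names (sslmode,
# sslrootcert, PGPASSWORD) are libpq's own; the file paths follow the README
# and the sample strings below are constructed.
set -u

# conninfo_get CONNINFO KEY: print the value of KEY from a space-separated
# key=value connection string (empty if absent). Always returns 0.
conninfo_get() {
  local kv
  for kv in $1; do
    case $kv in "$2="*) printf '%s\n' "${kv#*=}"; return 0 ;; esac
  done
  return 0
}

# check_conninfo CONNINFO: accept only strings that authenticate the server
# (sslmode=verify-full against a readable CA file) and carry no inline password.
check_conninfo() {
  local ci=$1 mode root
  mode=$(conninfo_get "$ci" sslmode)
  root=$(conninfo_get "$ci" sslrootcert)
  case $mode in
    verify-full) ;;
    ""|disable|allow|prefer|require|verify-ca)
      # require encrypts but never checks who is on the other end; verify-ca
      # checks the chain but not the host name; the modes below that may let
      # the client fall back to a clear-text session.
      echo "REJECT: sslmode='${mode:-unset (prefer)}' does not verify the server identity; use verify-full"
      return 1 ;;
    *) echo "REJECT: unknown sslmode '$mode'"; return 1 ;;
  esac
  if [ -z "$root" ]; then
    echo "REJECT: sslrootcert not set; libpq would fall back to ~/.postgresql/root.crt, which does not hold this project's self-signed CA"
    return 1
  fi
  [ -r "$root" ] || { echo "REJECT: sslrootcert '$root' is not readable"; return 1; }
  if [ -n "$(conninfo_get "$ci" password)" ]; then
    echo "REJECT: password embedded in the connection string (visible in ps output and shell history); pass it via PGPASSWORD instead"
    return 1
  fi
  echo "OK: verify-full against $root"
}

# read_password FILE: print the password from FILE (trailing newline dropped).
# Fails, rather than substituting a default, if the file is missing or is
# readable by group/other.
read_password() {
  local file=$1
  [ -f "$file" ] || { echo "no password file at $file; refusing to fall back to a default" >&2; return 1; }
  if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \))" ]; then
    echo "$file is group- or world-readable; chmod 600 it" >&2
    return 1
  fi
  tr -d '\n' < "$file"
}

# secure_psql CONNINFO [psql options...]: run psql only after both checks pass,
# with the password in the child's environment rather than on its command line.
secure_psql() {
  local ci=$1 pw
  shift
  check_conninfo "$ci" >/dev/null || return 1
  pw=$(read_password secrets/postgres_password) || return 1
  PGPASSWORD=$pw psql "$ci" "$@"
}

# --- stand-alone demonstration on constructed inputs (psql is not invoked) ---
CA=$(mktemp)   # stands in for secrets/ca_crt; the contents are a placeholder, not a certificate
echo "placeholder" > "$CA"
BASE="host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user"
check_conninfo "$BASE sslmode=verify-full sslrootcert=$CA"
check_conninfo "$BASE sslmode=require" || true
check_conninfo "$BASE sslmode=verify-full sslrootcert=$CA password=hunter2" || true
rm -f "$CA"
```

In the project checkout, `secure_psql "host=localhost port=5432 dbname=postgre_tls user=postgre_tls_user sslmode=verify-full sslrootcert=secrets/ca_crt"` replaces the two-line `export PGPASSWORD=...; psql ...` sequence: `PGPASSWORD` is set only for the psql process, so it does not persist in the calling shell, and a missing or loosely permissioned `secrets/postgres_password` stops the connection instead of silently using a placeholder password.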
## Project Structure

```
Postgre-TLS/
├── docker-compose.yml   # Container configuration
├── Dockerfile           # Container image definition
├── start.sh             # Initialization and startup script
├── connect.sh           # SSL connection test script
├── postgresql.conf      # PostgreSQL configuration
├── USAGE.md             # Usage guide and commands
├── data/                # PostgreSQL data directory
├── secrets/             # SSL certificates and passwords
└── logs/                # Container logs
```