Update Postgrex SSL config (#4460)
* update postgrex config * enable ssl only if DATABASE_CACERTFILE is set * update tests * changelog --------- Co-authored-by: Cenk Kücük <cenk@plausible.io>
parent
e9dd895d6c
commit
19ecd3d0ee
@ -34,6 +34,7 @@ All notable changes to this project will be documented in this file.
|
|||||||
- `bounce_rate` metric now returns 0 instead of null for event:page breakdown when page has never been entry page.
|
- `bounce_rate` metric now returns 0 instead of null for event:page breakdown when page has never been entry page.
|
||||||
- Make `TOTP_VAULT_KEY` optional plausible/analytics#4317
|
- Make `TOTP_VAULT_KEY` optional plausible/analytics#4317
|
||||||
- Sources like 'google' and 'facebook' are now stored in capitalized forms ('Google', 'Facebook') plausible/analytics#4417
|
- Sources like 'google' and 'facebook' are now stored in capitalized forms ('Google', 'Facebook') plausible/analytics#4417
|
||||||
|
- `DATABASE_CACERTFILE` now forces TLS for PostgreSQL connections, so you don't need to add `?ssl=true` in `DATABASE_URL`
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
|
|
||||||
|
@ -353,7 +353,7 @@ if db_socket_dir = get_var_from_path_or_env(config_dir, "DATABASE_SOCKET_DIR") d
|
|||||||
""")
|
""")
|
||||||
end
|
end
|
||||||
|
|
||||||
db_cacertfile = get_var_from_path_or_env(config_dir, "DATABASE_CACERTFILE", CAStore.file_path())
|
db_cacertfile = get_var_from_path_or_env(config_dir, "DATABASE_CACERTFILE")
|
||||||
%URI{host: db_host} = db_uri = URI.parse(db_url)
|
%URI{host: db_host} = db_uri = URI.parse(db_url)
|
||||||
db_socket_dir? = String.starts_with?(db_host, "%2F") or db_host == ""
|
db_socket_dir? = String.starts_with?(db_host, "%2F") or db_host == ""
|
||||||
|
|
||||||
@ -382,14 +382,11 @@ if db_socket_dir? do
|
|||||||
else
|
else
|
||||||
config :plausible, Plausible.Repo,
|
config :plausible, Plausible.Repo,
|
||||||
url: db_url,
|
url: db_url,
|
||||||
socket_options: db_maybe_ipv6,
|
socket_options: db_maybe_ipv6
|
||||||
ssl_opts: [
|
|
||||||
cacertfile: db_cacertfile,
|
if db_cacertfile do
|
||||||
verify: :verify_peer,
|
config :plausible, Plausible.Repo, ssl: [cacertfile: db_cacertfile]
|
||||||
customize_hostname_check: [
|
end
|
||||||
match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
|
|
||||||
]
|
|
||||||
]
|
|
||||||
end
|
end
|
||||||
|
|
||||||
sentry_app_version = runtime_metadata[:version] || app_version
|
sentry_app_version = runtime_metadata[:version] || app_version
|
||||||
|
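Review bot: With `DATABASE_CACERTFILE` unset, the `else` branch now passes no TLS options at all, where the old code always supplied `ssl_opts` with the CAStore bundle, `verify: :verify_peer` and the hostname match function. A deployment that still has `?ssl=true` in `DATABASE_URL` would presumably reach Postgrex as plain `ssl: true`, which encrypts but does not verify the server certificate, so it is worth logging a warning in that case or saying so in the changelog entry. In the new `ssl: [cacertfile: db_cacertfile]` line, peer and hostname verification are no longer spelled out and depend on the defaults Postgrex merges into a keyword-list `:ssl`. The pinned Postgrex version is not visible here, so a comment such as `# verify_peer + hostname check come from Postgrex's :ssl defaults`, or keeping `verify: :verify_peer` explicit, would make that dependency reviewable. Indentation is lost on this page, so the placement of the `if db_cacertfile do` block inside the `else` branch is inferred.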
@ -359,14 +359,7 @@ defmodule Plausible.ConfigTest do
|
|||||||
|
|
||||||
assert get_in(config, [:plausible, Plausible.Repo]) == [
|
assert get_in(config, [:plausible, Plausible.Repo]) == [
|
||||||
url: "postgres://postgres:postgres@plausible_db:5432/plausible_db",
|
url: "postgres://postgres:postgres@plausible_db:5432/plausible_db",
|
||||||
socket_options: [],
|
socket_options: []
|
||||||
ssl_opts: [
|
|
||||||
cacertfile: CAStore.file_path(),
|
|
||||||
verify: :verify_peer,
|
|
||||||
customize_hostname_check: [
|
|
||||||
match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
|
|
||||||
]
|
|
||||||
]
|
|
||||||
]
|
]
|
||||||
end
|
end
|
||||||
|
|
||||||
@ -405,17 +398,27 @@ defmodule Plausible.ConfigTest do
|
|||||||
|
|
||||||
config = runtime_config(env)
|
config = runtime_config(env)
|
||||||
|
|
||||||
|
assert get_in(config, [:plausible, Plausible.Repo]) == [
|
||||||
|
url:
|
||||||
|
"postgresql://your_username:your_password@cluster-do-user-1234567-0.db.ondigitalocean.com:25060/defaultdb",
|
||||||
|
socket_options: []
|
||||||
|
]
|
||||||
|
end
|
||||||
|
|
||||||
|
test "DATABASE_CACERTFILE enables SSL" do
|
||||||
|
env = [
|
||||||
|
{"DATABASE_URL",
|
||||||
|
"postgresql://your_username:your_password@cluster-do-user-1234567-0.db.ondigitalocean.com:25060/defaultdb"},
|
||||||
|
{"DATABASE_CACERTFILE", "/path/to/cacert.pem"}
|
||||||
|
]
|
||||||
|
|
||||||
|
config = runtime_config(env)
|
||||||
|
|
||||||
assert get_in(config, [:plausible, Plausible.Repo]) == [
|
assert get_in(config, [:plausible, Plausible.Repo]) == [
|
||||||
url:
|
url:
|
||||||
"postgresql://your_username:your_password@cluster-do-user-1234567-0.db.ondigitalocean.com:25060/defaultdb",
|
"postgresql://your_username:your_password@cluster-do-user-1234567-0.db.ondigitalocean.com:25060/defaultdb",
|
||||||
socket_options: [],
|
socket_options: [],
|
||||||
ssl_opts: [
|
ssl: [cacertfile: "/path/to/cacert.pem"]
|
||||||
cacertfile: CAStore.file_path(),
|
|
||||||
verify: :verify_peer,
|
|
||||||
customize_hostname_check: [
|
|
||||||
match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
|
|
||||||
]
|
|
||||||
]
|
|
||||||
]
|
]
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
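Review bot: The new test `DATABASE_CACERTFILE enables SSL` pins only the pass-through of the path, and no case visible in these hunks covers a `DATABASE_URL` that carries `ssl=true` without a CA file, which is the configuration whose certificate-verification behaviour changes with this commit. An empty `DATABASE_CACERTFILE` is also untested: an empty string is truthy in Elixir, so if `get_var_from_path_or_env` can return `""` (its body is not visible here) the config would become `ssl: [cacertfile: ""]`, and a case asserting the intended outcome would settle it. The preceding test's setup starts outside the hunk, so its `DATABASE_URL` value cannot be checked from this page.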