Update Postgrex SSL config (#4460)

* update postgrex config

* enable ssl only if DATABASE_CACERTFILE is set

* update tests

* changelog

---------

Co-authored-by: Cenk Kücük <cenk@plausible.io>
This commit is contained in:
ruslandoga 2024-08-30 17:11:36 +07:00 committed by GitHub
parent e9dd895d6c
commit 19ecd3d0ee
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 25 additions and 24 deletions

View File

@ -34,6 +34,7 @@ All notable changes to this project will be documented in this file.
- `bounce_rate` metric now returns 0 instead of null for event:page breakdown when page has never been entry page. - `bounce_rate` metric now returns 0 instead of null for event:page breakdown when page has never been entry page.
- Make `TOTP_VAULT_KEY` optional plausible/analytics#4317 - Make `TOTP_VAULT_KEY` optional plausible/analytics#4317
- Sources like 'google' and 'facebook' are now stored in capitalized forms ('Google', 'Facebook') plausible/analytics#4417 - Sources like 'google' and 'facebook' are now stored in capitalized forms ('Google', 'Facebook') plausible/analytics#4417
- `DATABASE_CACERTFILE` now forces TLS for PostgreSQL connections, so you don't need to add `?ssl=true` in `DATABASE_URL`
### Fixed ### Fixed

View File

@ -353,7 +353,7 @@ if db_socket_dir = get_var_from_path_or_env(config_dir, "DATABASE_SOCKET_DIR") d
""") """)
end end
db_cacertfile = get_var_from_path_or_env(config_dir, "DATABASE_CACERTFILE", CAStore.file_path()) db_cacertfile = get_var_from_path_or_env(config_dir, "DATABASE_CACERTFILE")
%URI{host: db_host} = db_uri = URI.parse(db_url) %URI{host: db_host} = db_uri = URI.parse(db_url)
db_socket_dir? = String.starts_with?(db_host, "%2F") or db_host == "" db_socket_dir? = String.starts_with?(db_host, "%2F") or db_host == ""
@ -382,14 +382,11 @@ if db_socket_dir? do
else else
config :plausible, Plausible.Repo, config :plausible, Plausible.Repo,
url: db_url, url: db_url,
socket_options: db_maybe_ipv6, socket_options: db_maybe_ipv6
ssl_opts: [
cacertfile: db_cacertfile, if db_cacertfile do
verify: :verify_peer, config :plausible, Plausible.Repo, ssl: [cacertfile: db_cacertfile]
customize_hostname_check: [ end
match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
]
]
end end
sentry_app_version = runtime_metadata[:version] || app_version sentry_app_version = runtime_metadata[:version] || app_version

View File

@ -359,14 +359,7 @@ defmodule Plausible.ConfigTest do
assert get_in(config, [:plausible, Plausible.Repo]) == [ assert get_in(config, [:plausible, Plausible.Repo]) == [
url: "postgres://postgres:postgres@plausible_db:5432/plausible_db", url: "postgres://postgres:postgres@plausible_db:5432/plausible_db",
socket_options: [], socket_options: []
ssl_opts: [
cacertfile: CAStore.file_path(),
verify: :verify_peer,
customize_hostname_check: [
match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
]
]
] ]
end end
@ -405,17 +398,27 @@ defmodule Plausible.ConfigTest do
config = runtime_config(env) config = runtime_config(env)
assert get_in(config, [:plausible, Plausible.Repo]) == [
url:
"postgresql://your_username:your_password@cluster-do-user-1234567-0.db.ondigitalocean.com:25060/defaultdb",
socket_options: []
]
end
test "DATABASE_CACERTFILE enables SSL" do
env = [
{"DATABASE_URL",
"postgresql://your_username:your_password@cluster-do-user-1234567-0.db.ondigitalocean.com:25060/defaultdb"},
{"DATABASE_CACERTFILE", "/path/to/cacert.pem"}
]
config = runtime_config(env)
assert get_in(config, [:plausible, Plausible.Repo]) == [ assert get_in(config, [:plausible, Plausible.Repo]) == [
url: url:
"postgresql://your_username:your_password@cluster-do-user-1234567-0.db.ondigitalocean.com:25060/defaultdb", "postgresql://your_username:your_password@cluster-do-user-1234567-0.db.ondigitalocean.com:25060/defaultdb",
socket_options: [], socket_options: [],
ssl_opts: [ ssl: [cacertfile: "/path/to/cacert.pem"]
cacertfile: CAStore.file_path(),
verify: :verify_peer,
customize_hostname_check: [
match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
]
]
] ]
end end
end end