feat: local CA and forced ssl verification

eyra · Dec 27, 2024 · 0c5878a · 0c5878a
1 parent 08eb78c
commit 0c5878a
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 0 deletions.
diff --git a/core/config/dev.exs b/core/config/dev.exs
@@ -18,11 +18,25 @@ config :bcrypt_elixir, :log_rounds, 1
 config :logger, level: :debug
 
 # Configure your database
+cacertfile = System.get_env("DB_CA_PATH")
+
+verify_mode =
+  case System.get_env("DB_TLS_VERIFY") do
+    "verify_peer" -> :verify_peer
+    "verify_none" -> :verify_none
+    _ -> :verify_peer
+  end
+
 config :core, Core.Repo,
   username: "postgres",
   password: "postgres",
   database: "next_dev",
   hostname: "db",
+  ssl: [
+    cacertfile: cacertfile,
+    verify: :verify_peer,
+    server_name_indication: to_charlist("db")
+  ],
   show_sensitive_data_on_connection_error: true,
   pool_size: 10
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,5 +1,9 @@
 services:
   app:
+    container_name: app
+    environment:
+      - DB_CA_PATH=/app/postgres_ssl/ca.crt
+      - DB_TLS_VERIFY=verify_peer
     build:
       dockerfile: Dockerfile
       context: .
@@ -11,6 +15,7 @@ services:
       - next
 
   db:
+    container_name: db
     image: postgres:12
     ports:
       - 5432:5432
@@ -19,6 +24,12 @@ services:
       POSTGRES_USER: postgres
       POSTGRES_PASSWORD: postgres
       POSTGRES_DB: next_dev
+    volumes:
+      - ./postgres_ssl:/var/lib/postgresql/ssl
+    command: >
+      postgres  -c ssl=on
+                -c ssl_cert_file=/var/lib/postgresql/ssl/server.crt
+                -c ssl_key_file=/var/lib/postgresql/ssl/server.key
     networks:
       - next
 

diff --git a/postgres_ssl/.gitignore b/postgres_ssl/.gitignore
@@ -0,0 +1,2 @@
+*.crt
+*.key
diff --git a/postgres_ssl/generate.sh b/postgres_ssl/generate.sh
@@ -0,0 +1,17 @@
+OUTPUT=${CERTS_OUTPUT_DIR:-.}
+mkdir -p $OUTPUT
+
+openssl req -x509 -new -nodes -days 3650 -keyout "$OUTPUT/ca.key" -out "$OUTPUT/ca.crt" -subj "/CN=example-ca"
+
+openssl req -new -nodes -newkey rsa:2048 -keyout "$OUTPUT/server.key" -out "$OUTPUT/server.csr" -subj "/CN=db"
+
+openssl x509 -req -in "$OUTPUT/server.csr" -CA "$OUTPUT/ca.crt" -CAkey "$OUTPUT/ca.key" -CAcreateserial -out "$OUTPUT/server.crt" -days 3650
+
+openssl req -new -key "$OUTPUT/server.key" -out "$OUTPUT/server.csr" -config san_config.cnf
+
+openssl x509 -req -in "$OUTPUT/server.csr" -CA "$OUTPUT/ca.crt" -CAkey "$OUTPUT/ca.key" -CAcreateserial -out "$OUTPUT/server.crt" -days 3650 -extfile san_config.cnf -extensions v3_req
+
+rm -f "$OUTPUT/server.csr"
+
+chmod 600 "$OUTPUT/ca.key" "$OUTPUT/server.key"
+chmod 644 "$OUTPUT/ca.crt" "$OUTPUT/server.crt"
diff --git a/postgres_ssl/san_config.cnf b/postgres_ssl/san_config.cnf
@@ -0,0 +1,22 @@
+[req]
+prompt = no
+default_bits = 2048
+default_md = sha256
+distinguished_name = dn
+req_extensions = req_ext
+
+[dn]
+CN = db
+
+[req_ext]
+subjectAltName = @alt_names
+
+[v3_req]
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+basicConstraints = CA:FALSE
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = db
+DNS.2 = localhost