pg gem sslmode=verify-full, where to place certificates?

Submitted by a 夏天 on 2019-12-23 02:20:49

Question


Is there a way for the pg-gem to use sslmode = verify-full for its postgres connection? Would that be as simple as just passing that string in? I have a Rails app that I want to do full ca protected ssl connections on to an external db and I don't really know how to set up the ca part of that. Using require on sslmode defaults it to use ssl traffic but I don't know where (or under what user, etc.) I should be placing my certificates to do verification. Should I just place them under ~/.postgresql/ like in the normal psql client workflow for verified ssl certs with the names root.crt and postgresql.cert and postgresql.key?

I'm using Postgres 9.1 if that helps at all.

EDIT FOR THOSE WHO COME LATER:

The following database.yml file seems to work as a test on my dev machine. I'll be writing a blog post on this issue for sure since it was such a PITA to figure out what was going wrong.

# config/database.yml (development stanza); the adapter line is needed for Rails to pick the pg gem
development:
  adapter: postgresql
  host: 127.0.0.1
  # client certificate and key used to authenticate this app to the server
  sslcert: <%= Rails.root.join('config', 'client.crt') %>
  sslkey: <%= Rails.root.join('config', 'client.key') %>
  # CA certificate that the server's certificate is verified against
  sslrootcert: <%= Rails.root.join('config', 'root.crt') %>
  # verify-full checks the server cert chain AND that its hostname matches `host`
  sslmode: verify-full
  database: pg-test_development
  username: postgres
  password:

Answer 1:


The Pg gem uses libpq internally, the same client library as the PostgreSQL tools like psql.

By default libpq looks in ~/.postgresql/ for the CA certificate.

From the manual:

To allow server certificate verification, the certificate(s) of one or more trusted CAs must be placed in the file ~/.postgresql/root.crt in the user's home directory. (On Microsoft Windows the file is named %APPDATA%\postgresql\root.crt.)

... and ...

The location of the root certificate file and the CRL can be changed by setting the connection parameters sslrootcert and sslcrl [...]

AFAIK Rails passes anything you put in your database.yml to the Pg gem, which passes it to libpq as a connection parameter. So you should be able to add key/value entries to your database.yml stanzas like:

sslmode: verify-full
# and if you don't want to use ~/.postgresql/root.crt for the cert location, set:
sslrootcert: /path/to/my/app/root/cert.crt

IMO the requirement to pass a single root cert to libpq is a design flaw. It should load a trusted certificate database. Similar issues exist for use of SSL client certificates, where you can't supply a keystore and cert store, you must pass specific files for a given host. It sounds like that's probably OK for you since you know the upstream certificate signing authority.
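As an added example (not part of the question or answer above, and not the pg gem's own code), a Ruby script using only the standard-library openssl that checks the three files such a database.yml stanza (sslrootcert, sslcert, sslkey) hands to libpq before Rails ever connects: key file permissions, that the client cert belongs to the key, that root.crt is actually a CA, and validity windows. The make_cert/write_fixtures helpers only generate a constructed throwaway CA and client certificate for the demonstration.

```ruby
require 'openssl'
require 'tmpdir'

# Check the three files a verify-full stanza (sslrootcert/sslcert/sslkey) points
# libpq at, before Rails opens a connection. Returns a list of problems found.
def check_ssl_files(sslrootcert:, sslcert:, sslkey:)
  problems = []
  root = OpenSSL::X509::Certificate.new(File.read(sslrootcert))
  cert = OpenSSL::X509::Certificate.new(File.read(sslcert))
  key  = OpenSSL::PKey.read(File.read(sslkey))
  # libpq refuses a private key that group or world can read: it must be chmod 0600
  mode = File.stat(sslkey).mode & 0o077
  problems << "#{sslkey}: group/world bits set, libpq requires 0600" unless mode.zero?
  # the client certificate has to belong to the client key or the handshake fails
  problems << "#{sslcert}: does not match #{sslkey}" unless cert.check_private_key(key)
  # root.crt is what verify-full validates the server certificate against, so it must be a CA
  bc = root.extensions.find { |e| e.oid == 'basicConstraints' }
  problems << "#{sslrootcert}: not a CA certificate" unless bc && bc.value.include?('CA:TRUE')
  now = Time.now
  [[sslrootcert, root], [sslcert, cert]].each do |path, c|
    problems << "#{path}: outside validity window" unless c.not_before <= now && now <= c.not_after
  end
  problems
end

# Constructed fixtures (not real credentials): a throwaway CA and a client cert it signs.
def make_cert(subject, key, ca:, issuer: nil, issuer_key: nil)
  c = OpenSSL::X509::Certificate.new
  c.version, c.serial = 2, rand(1..2**30)
  c.subject = OpenSSL::X509::Name.parse(subject)
  c.issuer = issuer ? issuer.subject : c.subject
  c.public_key, c.not_before, c.not_after = key.public_key, Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || c, c)
  c.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  c.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

def write_fixtures(dir, key_mode: 0o600)
  ca_key, cl_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=example-ca', ca_key, ca: true)
  cl = make_cert('/CN=postgres', cl_key, ca: false, issuer: ca, issuer_key: ca_key)
  paths = { sslrootcert: "#{dir}/root.crt", sslcert: "#{dir}/client.crt", sslkey: "#{dir}/client.key" }
  File.write(paths[:sslrootcert], ca.to_pem)
  File.write(paths[:sslcert], cl.to_pem)
  File.write(paths[:sslkey], cl_key.to_pem)
  File.chmod(key_mode, paths[:sslkey])
  paths
end
```

Point check_ssl_files at the real paths from your stanza (with the Rails.root.join calls resolved) to get the same complaints libpq would otherwise only surface as a failed connection.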



Source: https://stackoverflow.com/questions/31355047/pg-gem-sslmode-verify-full-where-to-place-certificates
