There’s a new handler available for exposing your PostgreSQL instance over the proxy in a secure manner: pg_tls.
How to use?
First, get your current config if you don’t already have it:
fly config save -a <your-pg-fly-app-name>
Then, modify your fly.toml, adding this service:
[[services]]
internal_port = 5432
protocol = "tcp"
[[services.ports]]
handlers = ["pg_tls"]
port = 5432
Figure out which image and tag (postgres version) you’re on:
$ fly image show -a <your-pg-fly-app-name>
Image Details
Registry = registry-1.docker.io
Repository = flyio/postgres
Tag = 13.6
Version = v0.0.32
Finally, deploy your cluster (using --image with the image:tag found in the previous step):
fly deploy --image flyio/postgres:13.6
You should then be able to access your PG cluster via psql like:
$ psql "sslmode=require host=<your-pg-fly-app-name>.fly.dev dbname=<db name> user=<username>"
Password for user <username>:
psql (14.5 (Homebrew), server 13.6 (Debian 13.6-1.pgdg110+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
<db name>=#
Note: this only works for sslmode=require or sslmode=prefer; any other option will close the connection.
Edit: sslmode=disable is now supported. A setting could be provided to only allow SSL, I imagine. If anybody has that need, let us know.
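To check what the exposed port offers, here is an added example (not part of the original post and not Fly.io's code): a Python probe that sends the PostgreSQL SSLRequest message a client sends before TLS when sslmode is require or prefer, then completes a certificate-verifying handshake and reports the negotiated protocol and cipher. The function names are hypothetical; pass the hostname of your own app.

```python
import socket
import ssl
import struct
import sys

SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679 in the PostgreSQL wire protocol


def build_ssl_request() -> bytes:
    """SSLRequest: int32 length (8) followed by the int32 request code."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def classify_ssl_reply(reply: bytes) -> str:
    """Interpret the single byte sent back in answer to SSLRequest."""
    return {b"S": "tls-offered", b"N": "tls-refused", b"": "closed"}.get(reply, "unexpected")


def negotiate(sock: socket.socket) -> str:
    """Send SSLRequest on a connected socket and classify the one-byte answer."""
    sock.sendall(build_ssl_request())
    return classify_ssl_reply(sock.recv(1))


def probe(host: str, port: int = 5432, timeout: float = 5.0) -> dict:
    """Negotiate, then complete a certificate-verifying TLS handshake if offered."""
    result = {"verdict": None, "protocol": None, "cipher": None, "cert_verified": False}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        result["verdict"] = negotiate(sock)
        if result["verdict"] != "tls-offered":
            return result
        # The default context checks the certificate chain and hostname,
        # which sslmode=require on its own does not.
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result.update(protocol=tls.version(), cipher=tls.cipher()[0],
                              cert_verified=True)
        except ssl.SSLCertVerificationError as exc:
            result["verdict"] = f"tls-offered, certificate rejected: {exc.verify_message}"
    return result


if __name__ == "__main__":
    # Usage: python pg_tls_probe.py <your-pg-fly-app-name>.fly.dev
    print(probe(sys.argv[1]))
```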