There’s a new handler available for exposing your PostgreSQL instance over the proxy in a secure manner:
How to use?
First, get your current config if you don’t already have it:

    fly config save -a <your-pg-fly-app-name>

Then, modify your fly.toml, adding this service:

    [[services]]
      internal_port = 5432
      protocol = "tcp"

      [[services.ports]]
        handlers = ["pg_tls"]
        port = 5432

Figure out which image and tag (postgres version) you’re on:

    $ fly image show -a <your-pg-fly-app-name>
    Image Details
      Registry   = registry-1.docker.io
      Repository = flyio/postgres
      Tag        = 13.6
      Version    = v0.0.32

Finally, deploy your cluster (using --image with the image:tag found in the previous step):

    fly deploy --image flyio/postgres:13.6

You should then be able to access your PG cluster via:

    $ psql "sslmode=require host=<your-pg-fly-app-name>.fly.dev dbname=<db name> user=<username>"
    Password for user <username>:
    psql (14.5 (Homebrew), server 13.6 (Debian 13.6-1.pgdg110+1))
    SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
    Type "help" for help.

    <db name>=#

Note: this only works for sslmode=prefer; any other options will close the connection.
sslmode=disable is now supported. A setting could be provided to only allow SSL, I imagine. If anybody has that need, let us know.
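
What the sslmode choice looks like on the wire, as an added example (not from the original post, and not Fly's implementation of pg_tls): a PostgreSQL client that wants TLS opens with an 8-byte SSLRequest, while sslmode=disable opens with a plaintext StartupMessage. The function names and sample packets below are constructed for illustration.

```python
import struct

# Request codes defined by the PostgreSQL frontend/backend protocol.
SSL_REQUEST = 80877103     # (1234 << 16) | 5679
CANCEL_REQUEST = 80877102  # (1234 << 16) | 5678
PROTOCOL_3_0 = 196608      # (3 << 16) | 0, carried by a normal StartupMessage


def build_startup(params):
    """Build a protocol 3.0 StartupMessage (helper for constructed sample input)."""
    body = b"".join(k.encode() + b"\0" + v.encode() + b"\0" for k, v in params.items())
    body += b"\0"  # terminator after the last key/value pair
    return struct.pack("!II", len(body) + 8, PROTOCOL_3_0) + body


def classify_first_packet(data):
    """Classify the first bytes a PostgreSQL client sends on a new connection."""
    result = {"kind": "unknown", "tls_requested": False, "params": {}}
    if len(data) < 8:
        result["kind"] = "incomplete"
        return result
    length, code = struct.unpack("!II", data[:8])
    if code == SSL_REQUEST and length == 8:
        # Sent first by sslmode=prefer, require, verify-ca and verify-full.
        result.update(kind="SSLRequest", tls_requested=True)
    elif code == CANCEL_REQUEST and length == 16:
        result["kind"] = "CancelRequest"
    elif code == PROTOCOL_3_0 and 9 <= length <= len(data):
        # Sent first by sslmode=disable (and allow): user and database names
        # are readable on the path, and everything after it is unencrypted.
        fields = data[8:length].split(b"\0")
        result["kind"] = "StartupMessage"
        result["params"] = {
            k.decode(errors="replace"): v.decode(errors="replace")
            for k, v in zip(fields[0::2], fields[1::2]) if k
        }
    return result


if __name__ == "__main__":
    # Constructed packets, not captured traffic.
    samples = {
        "sslmode=require": struct.pack("!II", 8, SSL_REQUEST),
        "sslmode=disable": build_startup({"user": "alice", "database": "app"}),
    }
    for label, packet in samples.items():
        print(label, "->", classify_first_packet(packet))
```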