Learning as I go here, and grateful for any advice and clarification:
I have a Fly app running a newsletter service, connected to a Fly postgres app. I’d like to secure traffic to and from postgres.
Fly app to/from postgres app:
The newsletter service (listmonk) includes an SSL mode for securing traffic between the app and the postgres database. Enabling this requires setting up an nginx reverse proxy.
However, Fly’s private networking should eliminate the need for setting up SSL for app-to-database traffic, correct?
External traffic to/from postgres app:
The only external interaction with the postgres database is when I’m managing it in a terminal (psql, pg_dump, etc.), and I’m doing that only through fly proxy and fly postgres connect.
Are the postgres data and postgres password sent and received securely when running psql commands through fly proxy? Or would it be ideal to set up an nginx reverse proxy to handle SSL for these intermittent interactions?
Since SSL is not supported with Fly Postgres, it would be helpful to have ?sslmode=disable appended to the DATABASE_URL. This would resolve default connection failures that make the service feel broken.
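An added example, written for this thread and not code from the posters, listmonk or Fly: the POSIX shell functions below encode the rule the posts converge on, that `sslmode=disable` is acceptable only when the connection never leaves Fly's WireGuard-encrypted private network, and generalise it a little (an existing `sslmode=` value is replaced rather than duplicated, and a host that is neither private nor local gets `sslmode=require`). The `.internal` and `.flycast` suffixes are Fly's private-network hostnames; treating `localhost` as a `fly proxy` tunnel is an assumption, as are the function names and the constructed credentials and hostnames.

```shell
# Choose the libpq sslmode for a DATABASE_URL based on where the host lives.
# *.internal / *.flycast  -> Fly private network, already encrypted: sslmode=disable
# localhost / 127.0.0.1   -> assumed to be a local `fly proxy` listener: sslmode=disable
# anything else           -> treated as public: sslmode=require (never plaintext)
# All hostnames and credentials in this file are constructed examples.

# Host portion of a postgres:// URL. Assumes the password contains no '@'
# and the host is not a bracketed IPv6 literal.
db_url_host() {
  rest=${1#*://}         # drop "postgres://" or "postgresql://"
  rest=${rest#*@}        # drop "user:password@" when present
  rest=${rest%%/*}       # drop "/dbname?..." when a path is present
  rest=${rest%%\?*}      # drop "?query" when the URL has no path
  printf '%s\n' "${rest%%:*}"   # drop ":port"
}

# Classify a host as private (Fly 6PN), tunnel (local fly proxy port), or public.
db_host_class() {
  case $1 in
    *.internal|*.flycast)      echo private ;;
    localhost|127.0.0.1|::1)   echo tunnel ;;   # assumption: a fly proxy listener
    *)                         echo public ;;
  esac
}

# Return the URL with exactly one sslmode parameter matching the host class.
with_sslmode() {
  url=$1
  case $(db_host_class "$(db_url_host "$url")") in
    private|tunnel) mode=disable ;;   # link is already encrypted by WireGuard
    *)              mode=require ;;   # public endpoint: TLS or nothing
  esac
  case $url in
    *\?sslmode=*|*\&sslmode=*)   # replace an existing sslmode=... value
      printf '%s\n' "$url" | sed "s/\([?&]\)sslmode=[^&]*/\1sslmode=$mode/" ;;
    *\?*)                        # already has a query string: append with &
      printf '%s&sslmode=%s\n' "$url" "$mode" ;;
    *)                           # no query string yet: start one
      printf '%s?sslmode=%s\n' "$url" "$mode" ;;
  esac
}

# Example run with a constructed private-network URL.
with_sslmode 'postgres://postgres:secret@listmonk-db.internal:5432/listmonk'
```

Run it as `DATABASE_URL=$(with_sslmode "$DATABASE_URL")` before starting the service; the point of the `public` branch is that a mistyped or relocated host never silently falls back to an unencrypted session, which is the failure mode the private-network argument above depends on never happening.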
Hey @paulrudy! Thank you for the steps. I don’t see anything in the docs for the fly postgres create command that would force the encryption on. Without it, I assume it’ll default to unencrypted still? Are you able to share how you did it?
The command is actually the other way around: fly postgres create and fly volumes create default to creating encrypted volumes unless the --no-encryption flag is used. In the docs:
Volumes are, by default, created with encryption-at-rest enabled for additional protection of the data on the volume. Use --no-encryption to instead create an unencrypted volume for improved performance at deployment and runtime.
But as @shugel said, it looks like the fly launch creates encrypted Postgres volumes by default now, so the steps I outlined are only needed if you started with an unencrypted Postgres volume.