After the recent release of TLS connectivity for MongoDB, we are happy to announce that TLS encryption is now generally available for all our database types. Let’s see how to take advantage of this security feature.
Since the beginning of Scalingo, we have been protecting your Scalingo databases from the evil Internet by hiding them inside our secure network. To access them, an SSL tunnel had to be set up with our command line client. From today, all Scalingo databases ship with TLS enabled by default. You can then choose to expose them on the Internet (only if you enable the “Force TLS” option).
Note that Redis does not yet support TLS communications. If you are a Redis user, unfortunately nothing changes for you today: you still have to access your database through the SSH tunnel.
What is TLS?
Transport Layer Security (TLS) is a cryptographic protocol that secures communications over networks. It is often still called Secure Sockets Layer (SSL), the name of its predecessor.
When secured by TLS, a communication between a client and a server can have one or more of these three properties:
- The communication is private (i.e. nobody can eavesdrop on the content of your communication).
- Your communication’s integrity is guaranteed (i.e. nobody can modify the content of your communication without you knowing it).
- The identities of both parties (client and server) can be authenticated.
TLS for all your databases
TLS activation is a feature that has been integrated into our Docker base images. It is available for all newly provisioned databases. For existing databases you will have to upgrade to a more recent image version (take a look at your database dashboard).
Because MongoDB, PostgreSQL and MySQL accept TLS and non-TLS connections on the same port, you can still access these databases with or without TLS. You can later choose to “force TLS” so that unencrypted connections no longer reach your database.
For InfluxDB and Elasticsearch, however, the situation is a bit different. They can serve HTTP or HTTPS, but not both on the same port. To get TLS connections you therefore have to explicitly enable the “force TLS” option in your database dashboard. From then on, unencrypted connections are no longer accepted.
For your application to communicate securely with your database, refer to your database driver documentation. If you want to connect to your database from your workstation using the CLI, here are some examples. Note that the --sslAllowInvalidCertificates, -unsafeSsl and --insecure flags skip verification of the server certificate: the traffic is encrypted, but the server’s identity is not checked. The “Using the CA certificate” section below shows how to verify it.
> psql "<connection string>?sslmode=require"
> mongo --ssl --sslAllowInvalidCertificates <connection string>
> mysql --ssl-mode=REQUIRED -u <username> -p<password> -h <hostname> -P <port> <DB name>
> influx -ssl -unsafeSsl -username <username> -password <password> -host <hostname> -port <port> -database <DB name>
# For Elasticsearch
> curl --insecure "https://<username>:<password>@<hostname>:<port>"
Using the CA certificate
Our database certificates are self-signed. If you want the certificate to be trusted, you need to obtain our Certification Authority certificate and specify it when connecting to your database.
The certificate of our certification authority is available on the image of your application at /usr/share/ca-certificates/Scalingo/scalingo-database.pem. You can also download it from the database dashboard.
After downloading it, you can pass its path to your database CLI. With PostgreSQL it would look like this (sslmode=verify-ca makes psql check the server certificate against the CA file given in sslrootcert):
psql "<connection string>?sslmode=verify-ca&sslrootcert=./ca.pem"
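The CLI examples above and the CA certificate step both come down to which options a connection string carries. As an added example that is not part of this post or of Scalingo’s tooling, the following Python script (standard library only) classifies a PostgreSQL or MongoDB connection string by the guarantee it actually requests, following the libpq and MongoDB URI option semantics: plaintext, encrypted but unverified, or verified against a CA. A deployment script can use it to reject configurations that would skip certificate verification. All hostnames and URLs in it are constructed placeholders.

```python
"""Classify database connection strings by the TLS guarantee they request.

Added example, not Scalingo's code. It applies the libpq (PostgreSQL) and
MongoDB URI option semantics to a connection string so that a deployment
script can refuse one that would send traffic in clear text or skip
verifying the server certificate. All URLs below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Three outcomes, from weakest to strongest.
PLAINTEXT = "plaintext"  # traffic may be sent unencrypted
ENCRYPTED = "encrypted"  # TLS, but the server certificate is not verified
VERIFIED = "verified"    # TLS and the certificate is checked against a CA

_RANK = {PLAINTEXT: 0, ENCRYPTED: 1, VERIFIED: 2}


def _query_params(url):
    """Return the URL's query parameters as {name: last value}."""
    query = urlsplit(url).query
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def classify_postgres(url):
    """libpq semantics. The default sslmode 'prefer' silently falls back to
    plaintext; 'require' encrypts without verification unless a root CA file
    is given (libpq then verifies as for 'verify-ca'); 'verify-ca' and
    'verify-full' always verify, using ~/.postgresql/root.crt when no
    sslrootcert is passed."""
    p = _query_params(url)
    mode = p.get("sslmode", "prefer")
    if mode in ("disable", "allow", "prefer"):
        return PLAINTEXT
    if mode == "require":
        return VERIFIED if p.get("sslrootcert") else ENCRYPTED
    if mode in ("verify-ca", "verify-full"):
        return VERIFIED
    raise ValueError("unknown sslmode: %r" % mode)


def classify_mongodb(url):
    """MongoDB URI semantics. 'tls=true' (or the older 'ssl=true', and the
    default for mongodb+srv) enables TLS, and the driver verifies the server
    certificate against tlsCAFile or the system store unless tlsInsecure or
    tlsAllowInvalidCertificates switches verification off."""
    p = {k.lower(): v.lower() for k, v in _query_params(url).items()}
    default = "true" if urlsplit(url).scheme.lower() == "mongodb+srv" else "false"
    if p.get("tls", p.get("ssl", default)) != "true":
        return PLAINTEXT
    insecure = (p.get("tlsinsecure") == "true"
                or p.get("tlsallowinvalidcertificates") == "true")
    return ENCRYPTED if insecure else VERIFIED


def classify(url):
    """Dispatch on the URL scheme."""
    scheme = urlsplit(url).scheme.lower()
    if scheme in ("postgres", "postgresql"):
        return classify_postgres(url)
    if scheme in ("mongodb", "mongodb+srv"):
        return classify_mongodb(url)
    raise ValueError("unsupported scheme: %r" % scheme)


def meets(url, minimum=VERIFIED):
    """True when the connection string guarantees at least `minimum`."""
    return _RANK[classify(url)] >= _RANK[minimum]


if __name__ == "__main__":
    # Constructed connection strings for illustration (hosts are placeholders).
    samples = [
        "postgres://user:secret@db.example.invalid:5432/app",
        "postgres://user:secret@db.example.invalid:5432/app?sslmode=require",
        "postgres://user:secret@db.example.invalid:5432/app?sslmode=verify-ca&sslrootcert=./ca.pem",
        "mongodb://user:secret@db.example.invalid:27017/app?tls=true&tlsAllowInvalidCertificates=true",
        "mongodb://user:secret@db.example.invalid:27017/app?tls=true&tlsCAFile=./ca.pem",
    ]
    for s in samples:
        print("%-10s %s" % (classify(s), s))
```

The distinction the script draws matters for the “Force TLS” option: forcing TLS on the server side stops plaintext connections, but only a client that passes the CA certificate (or keeps the driver’s default verification on) is protected against a man-in-the-middle presenting its own certificate. MySQL, InfluxDB and Elasticsearch are left out because their TLS options are driver flags rather than URL parameters.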
Databases available from anywhere
From the beginning of Scalingo’s history, we wanted to protect the communication between your computer and the database from prying eyes. By default, access to most databases is unencrypted and therefore insecure. Since we don’t want unencrypted network traffic to or from your databases, the DB tunnel provides an encrypted way to access them.
Now that TLS is turned on in all your databases, the traffic between your computer and your database in Scalingo’s facilities can flow safely without the tunnel.
You are now given the possibility to open your database so that it is publicly reachable from the world wide Internet. Just head to your database dashboard and click the toggle button to make it accessible from the Internet.