Merge pull request #444 from gunanr/postgres-ssl-verify-toggle

POSTGRES_SSL_ENABLED and POSTGRES_SSL_REJECT_UNAUTHORIZED environment variable support
2026-01-18 16:27:20 +01:00 · 2025-09-24 18:38:10 +02:00
parent e940ffec97 5b293d55bf
commit e978a2d3ac
5 changed files with 21 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -30,6 +30,8 @@
 | POSTGRES_PASSWORD `REQUIRED`        | `null`   | `postgres`                      | Password that will be used in postgres database                                                                                          |
 | POSTGRES_IP `REQUIRED`              | `null`   | `jellystat-db` or `192.168.0.5` | Hostname/IP of postgres instance                                                                                                         |
 | POSTGRES_PORT `REQUIRED`            | `null`   | `5432`                          | Port Postgres is running on                                                                                                              |
+| POSTGRES_SSL_ENABLED                | `null`   | `true`                          | Enable SSL connections to Postgres
+| POSTGRES_SSL_REJECT_UNAUTHORIZED    | `null`   | `false`                         | Verify Postgres SSL certificates when POSTGRES_SSL_ENABLED=true
 | JS_LISTEN_IP                        | `0.0.0.0`| `0.0.0.0` or `::`               | Enable listening on specific IP or `::` for IPv6 |
 | JWT_SECRET `REQUIRED`               | `null`   | `my-secret-jwt-key`             | JWT Key to be used to encrypt JWT tokens for authentication                                                                              |
 | TZ `REQUIRED`                       | `null`   | `Etc/UTC`                       | Server timezone (Can be found at https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List)                                      |
--- a/backend/create_database.js
+++ b/backend/create_database.js
@@ -5,12 +5,16 @@ const _POSTGRES_PASSWORD = process.env.POSTGRES_PASSWORD;
 const _POSTGRES_IP = process.env.POSTGRES_IP;
 const _POSTGRES_PORT = process.env.POSTGRES_PORT;
 const _POSTGRES_DATABASE = process.env.POSTGRES_DB || 'jfstat';
+const _POSTGRES_SSL_REJECT_UNAUTHORIZED = process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true";

 const client = new Client({
  host: _POSTGRES_IP,
  user: _POSTGRES_USER,
  password: _POSTGRES_PASSWORD,
  port: _POSTGRES_PORT,
+  ...(process.env.POSTGRES_SSL_ENABLED === "true"
+    ? { ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } }
+    : {})
 });

 const createDatabase = async () => {
--- a/backend/db.js
+++ b/backend/db.js
@@ -7,6 +7,7 @@ const _POSTGRES_PASSWORD = process.env.POSTGRES_PASSWORD;
 const _POSTGRES_IP = process.env.POSTGRES_IP;
 const _POSTGRES_PORT = process.env.POSTGRES_PORT;
 const _POSTGRES_DATABASE = process.env.POSTGRES_DB || "jfstat";
+const _POSTGRES_SSL_REJECT_UNAUTHORIZED = process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true";

 if ([_POSTGRES_USER, _POSTGRES_PASSWORD, _POSTGRES_IP, _POSTGRES_PORT].includes(undefined)) {
  console.log("Error: Postgres details not defined");
@@ -22,6 +23,9 @@ const pool = new Pool({
  max: 20, // Maximum number of connections in the pool
  idleTimeoutMillis: 30000, // Close idle clients after 30 seconds
  connectionTimeoutMillis: 2000, // Return an error after 2 seconds if connection could not be established
+  ...(process.env.POSTGRES_SSL_ENABLED === "true"
+    ? { ssl: { rejectUnauthorized: _POSTGRES_SSL_REJECT_UNAUTHORIZED } }
+    : {})
 });

 pool.on("error", (err, client) => {
--- a/backend/migrations.js
+++ b/backend/migrations.js
@@ -12,6 +12,9 @@ module.exports = {
        port:process.env.POSTGRES_PORT,
        database: process.env.POSTGRES_DB || 'jfstat',
        createDatabase: true,
+        ...(process.env.POSTGRES_SSL_ENABLED === "true"
+          ? { ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" } }
+          : {})
      },
      migrations: {
        directory: __dirname + '/migrations',
@@ -39,6 +42,9 @@ module.exports = {
        port:process.env.POSTGRES_PORT,
        database: process.env.POSTGRES_DB || 'jfstat',
        createDatabase: true,
+        ...(process.env.POSTGRES_SSL_ENABLED === "true"
+          ? { ssl: { rejectUnauthorized: process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true" } }
+          : {})
      },
      migrations: {
        directory: __dirname + '/migrations',
--- a/backend/routes/backup.js
+++ b/backend/routes/backup.js
@@ -23,6 +23,8 @@ const postgresPassword = process.env.POSTGRES_PASSWORD;
 const postgresIp = process.env.POSTGRES_IP;
 const postgresPort = process.env.POSTGRES_PORT;
 const postgresDatabase = process.env.POSTGRES_DB || "jfstat";
+const postgresSslRejectUnauthorized = process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === undefined ? true : process.env.POSTGRES_SSL_REJECT_UNAUTHORIZED === "true";
+
 const backupfolder = "backup-data";

 // Restore function
@@ -52,6 +54,9 @@ async function restore(file, refLog) {
    host: postgresIp,
    port: postgresPort,
    database: postgresDatabase,
+    ...(process.env.POSTGRES_SSL_ENABLED === "true"
+      ? { ssl: { rejectUnauthorized: postgresSslRejectUnauthorized } }
+      : {}),
  });

  const backupPath = file;