From 59bad37c9ac5d43ec2ac12aa56a7319cfc9207b2 Mon Sep 17 00:00:00 2001 From: Gregesp <96314812+Gregesp@users.noreply.github.com> Date: Wed, 7 Feb 2024 15:15:37 +0100 Subject: [PATCH] Add example and clarification about encryption with data source (#6808) * Integrate SSL section to the different data source Split SSL section to the different data source * Add encryption section for the different datasource Add encryption section for the different datasource * Remove ampersand for all possible value Remove ampersand for all possible value for the encryption with MySQL data source * Fix bad syntax Fix bad syntax * Application of the recommendations as suggested by @cwarnermm and @coltoneshaw Application of the recommendations as suggested by @cwarnermm and @coltoneshaw --- .../database-configuration-settings.rst | 85 +++++++++++++++++-- 1 file changed, 76 insertions(+), 9 deletions(-) diff --git a/source/configure/database-configuration-settings.rst b/source/configure/database-configuration-settings.rst index cef7a36313f..2a48cb3c632 100644 --- a/source/configure/database-configuration-settings.rst +++ b/source/configure/database-configuration-settings.rst 
@@ -43,15 +43,45 @@ Data source | String input. | - Environment variable: ``MM_SQLSETTINGS_DATASOURCE`` | | | | +---------------------------------------------------------------+--------------------------------------------------------------------------+ -| To enable SSL: | -| | -| - Add ``&tls=true`` to your database connection string if your SQL driver supports it. | -| - Add ``&tls=skip-verify`` if you use self-signed certificates. | -+---------------------------------------------------------------+--------------------------------------------------------------------------+ | **PostgreSQL databases** | | | | When **Driver Name** is set to ``postgres``, use a connection string in the form of: | -| ``postgres://mmuser:password@localhost:5432/mattermost_test?sslmode=disable&connect_timeout=10.`` | +| ``postgres://mmuser:password@hostname_or_IP:5432/mattermost_test?sslmode=disable&connect_timeout=10`` | +| | +| **To use TLS with PostgreSQL databases**: | +| | +| The parameter to encrypt connection against a PostgreSQL server is ``sslmode``. The library used to interact with PostgreSQL server is | +| `pq `__. For the moment, it's not possible to use all the values that you could pass to a standard | +| PostgreSQL Client ``psql "sslmode=value"`` `See (SSL Mode Descriptions) `__. 
| +| | +| Your database administrator must configure the functionality according possible values describe below : | +| | +| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ | +| | Short description of the ``sslmode`` | Value | Example of a data source name | | +| | parameter | | | | +| +========================================+=================+===========================================================================+ | +| | Don't use TLS / SSL encryption against | ``disable`` | ``postgres://mmuser:password@hostname_or_IP:5432/mattermost_test | | +| | | | ?sslmode=disable&connect_timeout=10`` | | +| | PostgreSQL server. | | | | +| | | | | | +| | (Default value in file ``config.json``)| | | | +| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ | +| | The data is encrypted and the network | ``require`` | ``postgres://mmuser:password@hostname_or_IP:5432/mattermost_test | | +| | | | ?sslmode=require&connect_timeout=10`` | | +| | is trusted. | | | | +| | | | | | +| | (Default ``sslmode`` | | | | +| | if the value is omitted) | | | | +| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ | +| | The data is encrypted when connecting | ``verify-ca`` | ``postgres://mmuser:password@hostname_or_IP:5432/mattermost_test | | +| | | | ?sslmode=verify-ca&connect_timeout=10`` | | +| | to a trusted server. | | | | +| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ | +| | The data is encrypted when connecting | ``verify-full`` | ``postgres://mmuser:password@hostname_or_IP:5432/mattermost_test | | +| | | | ?sslmode=verify-full&connect_timeout=10`` | | +| | to the trusted server. 
| | | | +| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ | +| | +---------------------------------------------------------------+--------------------------------------------------------------------------+ | **MySQL databases** | | | @@ -63,7 +93,7 @@ Data source | | | "SqlSettings": { | | "DataSource": | -| "@/mattermost?charset=utf8mb4,utf8&collation=utf8mb4_general_ci", | +| "@tcp(hostname or IP:3306)/mattermost?charset=utf8mb4,utf8&collation=utf8mb4_general_ci", | | [...] | | } | | | 
@@ -72,12 +102,49 @@ Data source | .. code-block:: none | | | | "SqlSettings": { | -| "DataSource": "@/mattermost?charset=utf8mb4,utf8", | +| "DataSource": "@tcp(hostname or IP:3306)/mattermost?charset=utf8mb4,utf8", | | [...] | | } | | | | **Note**: If you’re using MySQL 8.0 or later, the default collation has changed to ``utf8mb4_0900_ai_ci``. See our `Database Software | | Requirements `__ documentation for details on MySQL 8.0 support. | +| | +| **To use TLS with MySQL databases**: | +| | +| The parameter to encrypt connection against a MySQL server is ``tls``. | +| The library used to interact with MySQL is `Go-MySQL-Driver `__. | +| For the moment, it's not possible to use all the values that you could pass to a standard MySQL Client ``mysql --ssl-mode=value``. | +| `See Connection-Encryption Option Summary `__ | +| for a version 8.0 | +| `See Connection-Encryption Option Summary `__ | +| or for a version 5.7. | +| | +| Your database administrator must configure the functionality according possible values describe below : | +| | +| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ | +| | Short description of the ``tls`` | Value | Example of a data source name | | +| | parameter | | | | +| +========================================+=================+===========================================================================+ | +| | Don't use TLS / SSL encryption against | ``false`` | ``"@tcp(hostname or IP:3306)/mattermost_test | | +| | | | ?charset=utf8mb4,utf8&writeTimeout=30s&tls=false"`` | | +| | MySQL server. | | | | +| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ | +| | Use TLS / SSL encryption against | ``true`` | ``"@tcp(hostname or IP:3306)/mattermost_test | | +| | | | ?charset=utf8mb4,utf8&writeTimeout=30s&tls=true"`` | | +| | MySQL server. 
| | | | +| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ | +| | Use TLS / SSL encryption with a self- | ``skip-verify`` | ``"@tcp(hostname or IP:3306)/mattermost_test | | +| | | | ?charset=utf8mb4,utf8&writeTimeout=30s&tls=skip-verify"`` | | +| | signed certificate against | | | | +| | MySQL server. | | | | +| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ | +| | Use TLS / SSL encryption if server | ``preferred`` | ``"@tcp(hostname or IP:3306)/mattermost_test | | +| | | | ?charset=utf8mb4,utf8&writeTimeout=30s&tls=preferred"`` | | +| | advertises a possible fallback | | | | +| | | | | | +| | unencrypted if it's not advertised. | | | | +| +----------------------------------------+-----------------+---------------------------------------------------------------------------+ | +| | +---------------------------------------------------------------+--------------------------------------------------------------------------+ .. config:setting:: database-maxidleconnections @@ -516,4 +583,4 @@ Replica monitor interval (seconds) | dynamically choose a replica if it's alive. | - Environment variable: ``MM_SQLSETTINGS_REPLICAMONITORINTERVALSECONDS`` | | | | | Numerical input. Default is 5 seconds. | | -+--------------------------------------------------------+---------------------------------------------------------------------------------+ \ No newline at end of file ++--------------------------------------------------------+---------------------------------------------------------------------------------+
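Review bot: in the ``sslmode`` table of the first hunk (``@@ -43,15 +43,45 @@``), the ``verify-ca`` and ``verify-full`` rows are described almost identically ("when connecting to a trusted server" vs "when connecting to the trusted server"), so a reader cannot tell what each mode actually checks, and the ``require`` row's "the network is trusted" never says that no certificate is verified in that mode. Suggested wording: ``require``: "Encrypts the connection but does not verify the server certificate; only appropriate when the network path to the database is trusted."; ``verify-ca``: "Encrypts the connection and checks that the server certificate is signed by a trusted CA."; ``verify-full``: "Encrypts the connection, checks the CA signature, and checks that the server hostname matches the certificate (recommended)." The same hunk lists ``disable`` as "Default value in file ``config.json``" and ``require`` as "Default ``sslmode`` if the value is omitted", which reads as a contradiction; spell out that the shipped ``config.json`` sets ``sslmode=disable`` explicitly and that the driver default applies only when the parameter is removed from the string. Finally, "configure the functionality according possible values describe below :" should read "configure the server for one of the values described below:".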
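Review bot: the placeholder inserted into the MySQL DSN in the ``@@ -63,7 +93,7 @@`` hunk, ``"@tcp(hostname or IP:3306)/mattermost?charset=utf8mb4,utf8&collation=utf8mb4_general_ci"``, contains spaces, so anyone copying it gets an address the driver cannot parse; the PostgreSQL examples in the same patch use the token ``hostname_or_IP``. Suggest using that token here and in every MySQL example of the later hunk. Both MySQL examples also start with ``@tcp(`` with nothing before the ``@``; consider ``mmuser:password@tcp(hostname_or_IP:3306)/...`` so the user and password position matches the PostgreSQL example, which does show ``mmuser:password@``.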
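Review bot: in the ``tls`` table of the ``@@ -72,12 +102,49 @@`` hunk, the ``true`` row says only "Use TLS / SSL encryption against MySQL server", which does not distinguish it from ``skip-verify``; the row should say that ``true`` also verifies the server certificate (the Go-MySQL-Driver documentation describes it as checking the certificate against the system CA pool), whereas ``skip-verify`` accepts any certificate, including a self-signed one, and therefore does not protect against a server impersonating the database, and ``preferred`` silently falls back to plaintext, so neither of those two guarantees an encrypted, authenticated connection. The ``preferred`` description ("Use TLS / SSL encryption if server advertises a possible fallback unencrypted if it's not advertised") is garbled; suggest "Use TLS if the server advertises it; otherwise fall back to an unencrypted connection." The version references ("for a version 8.0" / "or for a version 5.7") read awkwardly split across lines; suggest "(MySQL 8.0)" and "(MySQL 5.7)" directly after each link. "according possible values describe below :" needs the same fix as in the PostgreSQL section.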