[Feature]: TLS encrypted database connections #394

Closed
opened 2026-02-04 20:15:14 +03:00 by OVERLORD · 6 comments

Originally created by @jcollie on GitHub (Oct 31, 2022).

Feature detail

The current server code does not allow encrypted database connections to be configured. Managed PostgreSQL databases like Digital Ocean's require TLS encryption to connect.

```
Oct 30 15:46:19 cloud01 immich-server[56575]: [Nest] 2  - 10/30/2022, 8:46:19 PM   ERROR [TypeOrmModule] Unable to connect to the database. Retrying (3)...
Oct 30 15:46:19 cloud01 immich-server[56575]: error: no pg_hba.conf entry for host "X.X.X.X", user "immich", database "immich", no encryption
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Parser.parseErrorMessage (/usr/src/app/node_modules/pg-protocol/dist/parser.js:287:98)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Parser.handlePacket (/usr/src/app/node_modules/pg-protocol/dist/parser.js:126:29)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Parser.parse (/usr/src/app/node_modules/pg-protocol/dist/parser.js:39:38)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Socket.<anonymous> (/usr/src/app/node_modules/pg-protocol/dist/index.js:11:42)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Socket.emit (node:events:527:28)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at addChunk (node:internal/streams/readable:315:12)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at readableAddChunk (node:internal/streams/readable:289:9)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at Socket.Readable.push (node:internal/streams/readable:228:10)
Oct 30 15:46:19 cloud01 immich-server[56575]:     at TCP.onStreamRead (node:internal/stream_base_commons:190:23)
```

Platform

Server

OVERLORD added the good first issue label 2026-02-04 20:15:14 +03:00

@bo0tzz commented on GitHub (Oct 31, 2022):

Creating an environment variable to set the postgres URL parameter should allow setting this (and more) without specific support on our part. The details of the connection URL format can be seen [here](https://github.com/brianc/node-postgres/tree/master/packages/pg-connection-string#connection-strings). In TypeORM, the options we're currently using (`host`, `username`, etc) will override what is set in the URL. We need to test whether leaving those options blank is sufficient.


@jrasm91 commented on GitHub (Nov 1, 2022):

Although, we might also need a way to provide the CA certificate ([see here](https://stackoverflow.com/a/56677139/2833217)).


@bo0tzz commented on GitHub (Nov 2, 2022):

Based on the link I included above, I believe the URL parser should take paths for the TLS parameters and read those to the appropriate values for us.


@jrasm91 commented on GitHub (Nov 2, 2022):

> Based on the link I included above, I believe the URL parser should take paths for the TLS parameters and read those to the appropriate values for us.

Oh, you're right. I didn't see/know the path was being included in the url, but that would definitely work.


@bt90 commented on GitHub (Dec 30, 2022):

It should be enough to pass `sslmode=prefer` in the connection URL.


@bt90 commented on GitHub (Dec 30, 2022):

https://github.com/brianc/node-postgres/issues/2009

This should be enough to allow SSL connections without requiring a CA certificate:

```
ssl: {
  require: true,
  rejectUnauthorized: false
}
```
Reference: immich-app/immich#394