
and possibly yes again, if you take additional precautions.

Why Not

As far as authenticity and confidentiality are concerned, a TLS connection is perfectly adequate. But that's not the only reason people put services like Postgres behind a VPN.

The VPN authentication serves as a second barrier to attackers in addition to your database's built-in auth. If postgres is compromised or flawed in some way, you're still reasonably safe if your VPN holds. But if you expose your database to the Internet through a standard TLS connection, then anyone can attack it directly, exploiting any potential flaws in the native protocol or authentication, or consuming resources in a denial-of-service attack.

The other problem is that you may not want to expose your database to the public.

How to Make it Safe Again

But exposing services directly through TLS is actually done in high-security environments with one additional caveat: you have to authenticate the user BEFORE exposing them to the backend server. The simplest way to do this is with client certificates. You're already setting up your own CA to sign your server certificate.
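The client-certificate setup described in the answer, as an added example that is not part of the original post: a private CA issues the Postgres server certificate and a client certificate whose CN is the database role, and the server is configured so that a certificate chaining to that CA is required before any authentication or SQL is reachable. The output directory, the host name db.example.internal and the role app_user are assumptions; the postgresql.conf and pg_hba.conf settings are PostgreSQL's own.

```shell
# Added example (not from the original answer). Assumptions: output dir ./pki,
# server host name db.example.internal, database role app_user.
set -eu
WORK=${WORK:-./pki}   # assumed output directory for keys and certificates

issue() {  # issue <name> <subject>: new key + CSR, signed by our own CA
  openssl req -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
  chmod 600 "$WORK/$1.key"
}

make_pki() {
  mkdir -p "$WORK"
  # Self-signed root: only ca.crt is deployed to server and clients; ca.key stays offline.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  chmod 600 "$WORK/ca.key"
  # Server CN must equal the host name clients connect to with sslmode=verify-full.
  issue server "/CN=db.example.internal"
  # With auth method "cert", Postgres takes the role name from the client cert CN.
  issue client "/CN=app_user"
}

# postgresql.conf: TLS on, server identity, and the CA that client certs must chain to.
postgresql_conf_ssl() {
  cat <<'EOF'
ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'ca.crt'
EOF
}

# pg_hba.conf: TLS only, no password; "cert" rejects any client whose certificate
# does not chain to ssl_ca_file or whose CN differs from the requested role.
pg_hba_rule() {
  printf 'hostssl all all 0.0.0.0/0 cert\n'
}

# The check the server performs before the backend is exposed: chain to our CA.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Role the server would derive from a client certificate (its CN).
client_cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=[ ]*//; s/^CN=//'
}
```

A client then connects with libpq parameters such as `psql "host=db.example.internal user=app_user sslmode=verify-full sslrootcert=pki/ca.crt sslcert=pki/client.crt sslkey=pki/client.key"`, which verifies the server against the same CA.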
