Enable SSL connection

9.1/Dockerfile

@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
 	&& localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8

9.1/docker-entrypoint.sh

@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
 			authMethod=trust
 		fi
 
-		{ echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+		hostMethod=host
+		if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+			if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+				cat >&2 <<-'EOWARN'
+					****************************************************
+					WARNING: Using an auto-generated certificate for SSL.
+					         Please consider using your own certificate
+					         in production environments.
+
+					         Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+					         and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+					         to mount your own certificate as a volume.
+					****************************************************
+				EOWARN
+				DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+				cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+				cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+			fi
+
+			cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+			cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+			chown postgres "$PGDATA/server.crt"
+			chown postgres "$PGDATA/server.key"
+			chmod og-rwx "$PGDATA/server.key"
+
+			sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+			hostMethod=hostssl
+		fi
+
+		{ echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
-		# internal start of server in order to allow set-up using psql-client		
+		# internal start of server in order to allow set-up using psql-client
 		# does not listen on external TCP/IP and waits until start finishes
 		gosu postgres pg_ctl -D "$PGDATA" \
 			-o "-c listen_addresses='localhost'" \

9.2/Dockerfile

@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
 	&& localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8

9.2/docker-entrypoint.sh

@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
 			authMethod=trust
 		fi
 
-		{ echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+		hostMethod=host
+		if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+			if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+				cat >&2 <<-'EOWARN'
+					****************************************************
+					WARNING: Using an auto-generated certificate for SSL.
+					         Please consider using your own certificate
+					         in production environments.
+
+					         Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+					         and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+					         to mount your own certificate as a volume.
+					****************************************************
+				EOWARN
+				DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+				cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+				cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+			fi
+
+			cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+			cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+			chown postgres "$PGDATA/server.crt"
+			chown postgres "$PGDATA/server.key"
+			chmod og-rwx "$PGDATA/server.key"
+
+			sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+			hostMethod=hostssl
+		fi
+
+		{ echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
-		# internal start of server in order to allow set-up using psql-client		
+		# internal start of server in order to allow set-up using psql-client
 		# does not listen on external TCP/IP and waits until start finishes
 		gosu postgres pg_ctl -D "$PGDATA" \
 			-o "-c listen_addresses='localhost'" \

9.3/Dockerfile

@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
 	&& localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8

9.3/docker-entrypoint.sh

@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
 			authMethod=trust
 		fi
 
-		{ echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+		hostMethod=host
+		if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+			if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+				cat >&2 <<-'EOWARN'
+					****************************************************
+					WARNING: Using an auto-generated certificate for SSL.
+					         Please consider using your own certificate
+					         in production environments.
+
+					         Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+					         and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+					         to mount your own certificate as a volume.
+					****************************************************
+				EOWARN
+				DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+				cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+				cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+			fi
+
+			cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+			cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+			chown postgres "$PGDATA/server.crt"
+			chown postgres "$PGDATA/server.key"
+			chmod og-rwx "$PGDATA/server.key"
+
+			sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+			hostMethod=hostssl
+		fi
+
+		{ echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
-		# internal start of server in order to allow set-up using psql-client		
+		# internal start of server in order to allow set-up using psql-client
 		# does not listen on external TCP/IP and waits until start finishes
 		gosu postgres pg_ctl -D "$PGDATA" \
 			-o "-c listen_addresses='localhost'" \

9.4/Dockerfile

@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
 	&& localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8

9.4/docker-entrypoint.sh

@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
 			authMethod=trust
 		fi
 
-		{ echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+		hostMethod=host
+		if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+			if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+				cat >&2 <<-'EOWARN'
+					****************************************************
+					WARNING: Using an auto-generated certificate for SSL.
+					         Please consider using your own certificate
+					         in production environments.
+
+					         Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+					         and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+					         to mount your own certificate as a volume.
+					****************************************************
+				EOWARN
+				DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+				cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+				cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+			fi
+
+			cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+			cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+			chown postgres "$PGDATA/server.crt"
+			chown postgres "$PGDATA/server.key"
+			chmod og-rwx "$PGDATA/server.key"
+
+			sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+			hostMethod=hostssl
+		fi
+
+		{ echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
-		# internal start of server in order to allow set-up using psql-client		
+		# internal start of server in order to allow set-up using psql-client
 		# does not listen on external TCP/IP and waits until start finishes
 		gosu postgres pg_ctl -D "$PGDATA" \
 			-o "-c listen_addresses='localhost'" \

9.5/Dockerfile

@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
 	&& localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8

9.5/docker-entrypoint.sh

@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
 			authMethod=trust
 		fi
 
-		{ echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+		hostMethod=host
+		if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+			if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+				cat >&2 <<-'EOWARN'
+					****************************************************
+					WARNING: Using an auto-generated certificate for SSL.
+					         Please consider using your own certificate
+					         in production environments.
+
+					         Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+					         and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+					         to mount your own certificate as a volume.
+					****************************************************
+				EOWARN
+				DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+				cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+				cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+			fi
+
+			cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+			cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+			chown postgres "$PGDATA/server.crt"
+			chown postgres "$PGDATA/server.key"
+			chmod og-rwx "$PGDATA/server.key"
+
+			sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+			hostMethod=hostssl
+		fi
+
+		{ echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
-		# internal start of server in order to allow set-up using psql-client		
+		# internal start of server in order to allow set-up using psql-client
 		# does not listen on external TCP/IP and waits until start finishes
 		gosu postgres pg_ctl -D "$PGDATA" \
 			-o "-c listen_addresses='localhost'" \

9.6/Dockerfile

@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
 	&& localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8

9.6/docker-entrypoint.sh

@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
 			authMethod=trust
 		fi
 
-		{ echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+		hostMethod=host
+		if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+			if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+				cat >&2 <<-'EOWARN'
+					****************************************************
+					WARNING: Using an auto-generated certificate for SSL.
+					         Please consider using your own certificate
+					         in production environments.
+
+					         Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+					         and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+					         to mount your own certificate as a volume.
+					****************************************************
+				EOWARN
+				DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+				cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+				cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+			fi
+
+			cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+			cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+			chown postgres "$PGDATA/server.crt"
+			chown postgres "$PGDATA/server.key"
+			chmod og-rwx "$PGDATA/server.key"
+
+			sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+			hostMethod=hostssl
+		fi
+
+		{ echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
-		# internal start of server in order to allow set-up using psql-client		
+		# internal start of server in order to allow set-up using psql-client
 		# does not listen on external TCP/IP and waits until start finishes
 		gosu postgres pg_ctl -D "$PGDATA" \
 			-o "-c listen_addresses='localhost'" \

Dockerfile.template

@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
 	&& localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8

docker-entrypoint.sh

@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
 			authMethod=trust
 		fi
 
-		{ echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+		hostMethod=host
+		if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+			if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+				cat >&2 <<-'EOWARN'
+					****************************************************
+					WARNING: Using an auto-generated certificate for SSL.
+					         Please consider using your own certificate
+					         in production environments.
+
+					         Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+					         and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+					         to mount your own certificate as a volume.
+					****************************************************
+				EOWARN
+				DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+				cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+				cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+			fi
+
+			cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+			cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+			chown postgres "$PGDATA/server.crt"
+			chown postgres "$PGDATA/server.key"
+			chmod og-rwx "$PGDATA/server.key"
+
+			sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+			hostMethod=hostssl
+		fi
+
+		{ echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
-		# internal start of server in order to allow set-up using psql-client		
+		# internal start of server in order to allow set-up using psql-client
 		# does not listen on external TCP/IP and waits until start finishes
 		gosu postgres pg_ctl -D "$PGDATA" \
 			-o "-c listen_addresses='localhost'" \