docs/docs.logflare.com/docs/self-hosting/index.md
41 additions & 0 deletions
@@ -31,6 +31,7 @@ All browser authentication will be disabled when in single-tenant mode.
31
31
|`PHX_HTTP_IP`| String, defaults to `nil`| Allows configuration of the HTTP server IP to bind to. Specifying an IPv6 like `::` will enable IPv6. |
32
32
|`PHX_HTTP_PORT`| Integer, defaults to `4000`| Allows configuration of the HTTP server port. |
33
33
|`DB_SCHEMA`| String, defaults to `nil`| Allows configuration of the database schema to scope Logflare operations. |
34
+
|`DB_SSL`| Boolean, defaults to `false`| Enables SSL/TLS connection to the internal Logflare database. Requires certificate files when enabled. See [Database SSL Configuration](#database-ssl-configuration). |
34
35
|`LOGFLARE_LOG_LEVEL`| String, defaults to `info`. <br/>Options: `error`,`warning`, `info`| Allows runtime configuration of log level. |
35
36
|`LOGFLARE_NODE_HOST`| string, defaults to `127.0.0.1`| Sets node host on startup, which affects the node name `logflare@<host>`|
36
37
|`LOGFLARE_METADATA_CLUSTER`| string, defaults to `nil`| Sets global logging/tracing metadata for the cluster name and affects the release node name (e.g., `logflare-production@<host>`). Useful for filtering logs by cluster name and distinguishing nodes in multi-cluster setups. See the [metadata](#Metadata) section. |
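Review bot: The new `DB_SSL` row (new line 34) says "Requires certificate files when enabled" without saying which files or where they are read from, so the table alone does not tell an operator what has to be in place before setting it. Suggest wording the cell as "Requires three certificate files in the working directory when enabled", keeping the link to the section. Since the default is `false`, it is also worth stating in the cell that the connection to the internal database is unencrypted unless this is set.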
@@ -117,6 +118,32 @@ Without these two additional permissions, the managed service accounts feature w
117
118
|`POSTGRES_BACKEND_URL`| string, required | PostgreSQL connection string, for connecting to the database. User must have sufficient permssions to manage the schema. |
118
119
|`POSTGRES_BACKEND_SCHEMA`| string, optional, defaults to `public`| Specifies the database schema to scope all operations. |
119
120
121
+
## Database SSL Configuration
122
+
123
+
Logflare supports secure SSL/TLS connections to its internal database (not the PostgreSQL backend). This is configured using the `DB_SSL` environment variable and certificate files.
124
+
125
+
### Requirements
126
+
127
+
To enable SSL for the internal Logflare database:
128
+
129
+
1. Set `DB_SSL=true` environment variable
130
+
2. Provide three certificate files in the working directory on server startup:
131
+
-`db-server-ca.pem` - Server CA certificate
132
+
-`db-client-cert.pem` - Client certificate
133
+
-`db-client-key.pem` - Client private key
134
+
135
+
All three files must be present for SSL to be enabled.
-**Wildcard support**: Enabled via `public_key.pkix_verify_hostname_match_fun(:https)`
144
+
145
+
The configuration follows the [Erlang Security Working Group recommendations](https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/ssl).
146
+
120
147
## Database Encryption
121
148
122
149
Certain database columns that store sensitive data are encrypted with the `LOGFLARE_DB_ENCRYPTION_KEY` key.
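Review bot: "All three files must be present for SSL to be enabled" (new line 135) does not say what happens when `DB_SSL=true` is set and one of the files is missing: a startup failure, or a fall back to an unencrypted connection. State the behaviour explicitly, because an operator needs to know whether a misplaced file can leave the connection in plaintext. "In the working directory on server startup" (new line 130) is also hard to act on in a container deployment; give the concrete path the release reads from. For `db-client-key.pem`, a sentence on keeping the private key readable only by the Logflare process would fit this section.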
@@ -206,6 +233,7 @@ services:
206
233
- DB_PORT=5432
207
234
- DB_PASSWORD=postgres
208
235
- DB_USERNAME=postgres
236
+
- DB_SSL=true # Optional: enable SSL for internal database
209
237
- LOGFLARE_SINGLE_TENANT=true
210
238
- LOGFLARE_API_KEY=my-cool-api-key
211
239
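Review bot: `- DB_SSL=true` (new line 236) is active in the example while its comment calls it optional, and the Requirements section says three certificate files must be provided for SSL to be enabled. Someone who copies this compose file without supplying the certificates does not meet that requirement. Suggest shipping the line commented out, or changing the comment to say it must be set together with the certificate mounts.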
@@ -226,6 +254,19 @@ services:
226
254
source: ${PWD}/gcloud.json
227
255
target: /opt/app/rel/logflare/bin/gcloud.json
228
256
read_only: true
257
+
# Optional: SSL certificate files for internal database
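Review bot: The comment at new line 257 labels the certificate files "Optional" without saying they are required once `DB_SSL=true`, which this same example sets in its environment block. Suggest wording such as "Required when DB_SSL=true" and listing the three file names from the Requirements section. The mounts under this comment should carry `read_only: true` as the `gcloud.json` entry above does, in particular for `db-client-key.pem`.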