You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hyperdrive provides additional ways to secure connectivity to your database. Hyperdrive supports:
13
-
14
-
1.**Server certificates** for TLS (SSL) modes such as `verify-ca` and `verify-full` for increased security. When configured, Hyperdrive will verify that the certificates have been signed by the expected certificate authority (CA) to avoid man-in-the-middle attacks.
15
-
2.**Client certificates** for Hyperdrive to authenticate itself to your database with credentials beyond beyond username/password. To properly use client certificates, your database must be configured to verify the client certificates provided by a client, such as Hyperdrive, to allow access to the database.
16
-
17
-
Hyperdrive can be configured to use only server certificates, only client certificates, or both depending on your security requirements and database configurations.
12
+
Hyperdrive provides additional ways to secure connectivity to your database. Hyperdrive supports
13
+
verification of server certificates for TLS (SSL) encryption for increased security. Hyperdrive also supports
14
+
using client certificates to authenticate itself to your database for stricter authentication beyond username/password.
18
15
19
16
:::note
20
17
21
-
Support for server certificates and client certificates is not available for MySQL (beta). Support for server certificates and client certificates is only available for local development using `npx wrangler dev --remote` which runs your Workers and Hyperdrive in Cloudflare's network with local debugging.
18
+
Support for server certificates and client certificates is not available for MySQL (beta).
-`require` (default): TLS is required for encrypted connectivity and server certificates are validated (based on WebPKI).
30
27
-`verify-ca`: Hyperdrive will verify that the database server is trustworthy by verifying that the certificates of the server have been signed by the expected root certificate authority or intermediate certificate authority.
31
-
-`verify-full`: Identical to `verify-ca`, but Hyperdrive also requires the database hostname to match a Subject Alternative Name (SAN) present on the certificate.
28
+
-`verify-full`: Identical to `verify-ca`, but Hyperdrive also requires the database hostname must match a Subject Alternative Name (SAN) present on the certificate.
32
29
33
-
By default, all Hyperdrive configurations are encrypted with SSL/TLS (`require`). This requires your database to be configured to accept encrypted connections (with SSL/TLS).
30
+
By default, all Hyperdrive configurations are encrypted with SSL/TLS (`require`). This requires
31
+
that your database is configured to accept encrypted connections (with SSL/TLS).
34
32
35
-
You can configure Hyperdrive to use `verify-ca` and `verify-full` for a more stringent security configuration, which provide additional verification checks of the server's certificates. This helps guard against man-in-the-middle attacks.
33
+
You can configure Hyperdrive to use
34
+
`verify-ca` and `verify-full` for a more stringent security configuration, which
35
+
provide additional verification checks of the server's certificates. This
36
+
helps guard against man-in-the-middle attacks.
36
37
37
-
To configure Hyperdrive to verify the certificates of the server, you must provide Hyperdrive with the certificate of the root certificate authority (CA) or an intermediate certificate which has been used to sign the certificate of your database.
38
+
To configure Hyperdrive to verify the certificates of the server, you must provide Hyperdrive with the certificate of the root certificate authority (CA) or an intermediate certificate which
39
+
has been used to sign the certificate of your database.
38
40
39
41
### Step 1: Upload your the root certificate authority (CA) certificate
40
42
41
43
Using Wrangler, you can upload your root certificate authority (CA) certificate:
Success! Uploaded CA Certificate <CUSTOM_NAME_FOR_CA_CERT>
51
-
ID: <YOUR_ID_FOR_THE_CA_CERTIFICATE>
51
+
Success! Uploaded CA Certificate \<CUSTOM_NAME_FOR_CA_CERT\>
52
+
ID: \<YOUR_ID_FOR_THE_CA_CERTIFICATE\>
52
53
...
53
54
```
54
55
55
-
:::note
56
-
57
-
You must use the CA certificate bundle that is for your specific region. You can not use a CA certificate bundle that contains more than one CA certificate, such as a global bundle of CA certificates containing each region's certificate.
58
-
59
-
:::
60
-
61
56
### Step 2: Create your Hyperdrive configuration using the CA certificate and the SSL mode
62
57
63
-
Once your CA certificate has been created, you can create a Hyperdrive configuration with the newly created certificates using either the dashboard or Wrangler. You must also specify the SSL mode of `verify-ca` or `verify-full` to use.
64
-
65
-
<Tabs>
58
+
Once your CA certificate has been created, you can create a Hyperdrive configuration with the newly created
59
+
certificates using either the dashboard or Wrangler. You must also specify the SSL mode of `verify-ca` or `verify-full` to use.
66
60
67
-
<TabItemlabel="Wrangler">
61
+
Using Wrangler, enter the following command in your terminal:
68
62
69
-
Using Wrangler, enter the following command in your terminal to create a Hyperdrive configuration with the CA certificate and a `verify-full` SSL mode:
From the dashboard, follow these steps to create a Hyperdrive configuration with server certificates:
79
-
80
-
1. In the [Cloudflare dashboard](https://dash.cloudflare.com/?to=/:account/workers/hyperdrive), navigate to **Storage & Databases > Hyperdrive** and click **Create configuration**.
81
-
2. Select **Server certificates**.
82
-
3. Specify a SSL mode of **Verify CA** or **Verify full**
83
-
4. Select the SSL certificate of the certificate authority (CA) of your database that you have previously uploaded with Wrangler.
84
-
85
-
</TabItem>
86
-
87
-
</Tabs>
88
-
89
-
90
-
91
-
When creating the Hyperdrive configuration, Hyperdrive will attempt to connect to the database with the provided credentials. If the command provides successful results, you have properly configured your Hyperdrive configuration to verify the certificates provided by your database server.
69
+
When creating the Hyperdrive configuration, Hyperdrive will attempt to connect to the database with the
70
+
provided credentials. If the command provides successful results, you have properly configured your Hyperdrive
71
+
configuration to verify the certificates provided by your database server.
92
72
93
73
:::note
94
74
@@ -98,16 +78,17 @@ Hyperdrive will attempt to connect to your database with the provided credential
98
78
99
79
## Client certificates
100
80
101
-
Your database can be configured to [verify a certificate provided by the client](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT), in this case, Hyperdrive. This serves as an additional factor to authenticate clients (in addition to the username and password).
81
+
Your database can be configured to [verify a certificate provided by the client](https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-CLIENTCERT), in this case, Hyperdrive. This serves
82
+
as an additional factor to authenticate clients (in addition to the username and password).
102
83
103
-
For the database server to be able to verify the client certificates, Hyperdrive must be configured to provide a certificate file (`client-cert.pem`) and a private key with which the certificate was generated (`private-key.pem`).
84
+
For the database server to be able to verify the client certificates, Hyperdrive must be configured to provide a certificate
85
+
file (`client-cert.pem`) and a private key with which the certificate was generated (`private-key.pem`).
104
86
105
87
### Step 1: Upload your client certificates (mTLS certificates)
106
88
107
89
Upload your client certificates to be used by Hyperdrive using Wrangler:
From the dashboard, follow these steps to create a Hyperdrive configuration with server certificates:
140
-
141
-
1. In the [Cloudflare dashboard](https://dash.cloudflare.com/?to=/:account/workers/hyperdrive), navigate to **Storage & Databases > Hyperdrive** and click **Create configuration**.
142
-
2. Select **Client certificates**.
143
-
3. Select the SSL client certificate and private key pair for Hyperdrive to use during the connection setup with your database server.
144
-
145
-
</TabItem>
146
-
147
-
</Tabs>
148
-
149
-
150
-
When Hyperdrive connects to your database, it will provide a client certificate signed with the private key to the database server. This allows the database server to confirm that the client, in this case Hyperdrive, has both the private key and the client certificate. By using client certificates, you can add an additional authentication layer for your database to ensures that only Hyperdrive can connect to it.
151
-
152
-
:::note
153
-
154
-
Hyperdrive will attempt to connect to your database with the provided credentials to verify they are correct before creating a configuration. If you encounter an error when attempting to connect, refer to Hyperdrive's [troubleshooting documentation](/hyperdrive/observability/troubleshooting/) to debug possible causes.
0 commit comments