Adding TLS encryption to your Postgres database in Dokploy ensures secure connections for both production and development. Here’s how I managed it using volumes in Dokploy:
1. Generate a Certificate Authority (CA)
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -subj "/CN=MyLocalCA"
2. Generate a Server Certificate Signed by Your CA
Create a config file server-cert.conf with your hostnames/IPs:
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
CN = st-api.yourdomain.net
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = st-api.yourdomain.net
DNS.2 = st.yourdomain.net
DNS.3 = localhost
IP.1 = 127.0.0.1
IP.2 = 192.168.100.123
Then run:
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -config server-cert.conf
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server-cert.conf -extensions req_ext
3. Prepare the Docker Volume
Start a temporary container to access the Dokploy volume:
docker run --rm -it -v pg-ssl-certs:/data busybox sh
In another terminal, copy your certs into the running container:
docker cp server.crt <container_id>:/data/server.crt
docker cp server.key <container_id>:/data/server.key
Inside the busybox shell, set permissions:
chmod 600 /data/server.key
4. Mount the Volume in Dokploy
In Dokploy, mount the pg-ssl-certs volume to /etc/postgres/ssl in your Postgres app.
5. Set the Postgres Command in Dokploy
In the “Command” field:
docker-entrypoint.sh postgres -c ssl=on -c ssl_cert_file=/etc/postgres/ssl/server.crt -c ssl_key_file=/etc/postgres/ssl/server.key
6. Redeploy Postgres
Redeploy your Postgres app in Dokploy.
7. Test SSL
Connect with psql:
psql "host=YOUR_DB_HOST user=YOURUSER dbname=YOURDB sslmode=require"
In psql:
SHOW ssl;
You now have a secure, TLS-enabled Postgres instance running in Dokploy.
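A pre-deployment check for the files produced in steps 1 to 3, as an added example that is not part of the original post: it confirms that server.crt chains to rootCA.crt, that server.key belongs to it, that the name clients connect to is in the SAN list, and that the key has no group or other access. The function names check_pg_cert and make_sample are hypothetical, and the sample CA and certificate are constructed in a temporary directory.

```shell
# check_pg_cert CA_CRT SERVER_CRT SERVER_KEY NAME
# Hypothetical helper (not part of Dokploy or Postgres). Returns 0 only if all checks pass.
check_pg_cert() {
    ca=$1; crt=$2; key=$3; name=$4
    # 1. server.crt must chain to the CA that clients will trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: certificate does not verify against the CA"; return 1; }
    # 2. server.key must be the private key for server.crt (compare public keys).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read the private key"; return 1; }
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: key does not match the certificate"; return 1; }
    # 3. The name clients connect to must be listed in subjectAltName.
    case $name in
        *[!0-9.]*) opt=-checkhost ;;  # anything but digits and dots: DNS name
        *)         opt=-checkip ;;    # IPv4 literal
    esac
    openssl x509 -in "$crt" -noout "$opt" "$name" | grep -q "does match" ||
        { echo "FAIL: $name is not covered by the certificate"; return 1; }
    # 4. The state step 3's chmod 600 establishes: no group/other access to the key.
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL: key is group/world accessible"; return 1; }
    echo "OK: $name"
}

# Constructed sample: throwaway CA and server cert in directory $1, built with
# the post's commands and a trimmed copy of its server-cert.conf.
make_sample() {
    ( cd "$1" &&
      printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
          'req_extensions = req_ext' '[dn]' 'CN = st-api.yourdomain.net' \
          '[req_ext]' 'subjectAltName = @alt_names' '[alt_names]' \
          'DNS.1 = st-api.yourdomain.net' 'IP.1 = 127.0.0.1' > server-cert.conf &&
      openssl genrsa -out rootCA.key 2048 &&
      openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 \
          -out rootCA.crt -subj "/CN=MyLocalCA" &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -key server.key -out server.csr -config server-cert.conf &&
      openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
          -out server.crt -days 365 -sha256 -extfile server-cert.conf -extensions req_ext &&
      chmod 600 server.key
    ) >/dev/null 2>&1
}

# Stand-alone run: build the constructed sample, check it, clean up.
tmp=$(mktemp -d) && make_sample "$tmp" &&
    check_pg_cert "$tmp/rootCA.crt" "$tmp/server.crt" "$tmp/server.key" st-api.yourdomain.net
rm -rf "$tmp"
```

Run it with the name clients will put in host=. The SAN check matters once clients connect with sslmode=verify-full sslrootcert=rootCA.crt, which authenticates the server, whereas sslmode=require only encrypts the connection.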