Postgres Replication
Sandfly supports the replication of results data to an external PostgreSQL database for independent long-term storage and analysis.
INFO: Upgrade Feature - Postgres Replication
The ability to configure and use Postgres Replication requires an upgraded plan. Please see https://www.sandflysecurity.com/get-sandfly/ for details.
This server configuration tab contains the following settings that can be edited:
- Postgres Replication Enabled - Set it to true to enable access to the Postgres Replication settings.
- Host - The network host name or the IP address of the external PostgreSQL server.
- Database - The external PostgreSQL database name for the replication data.
- Username - The external PostgreSQL database username to connect as.
- Extra Options (optional) - A space-separated, key=value set (e.g. "optionA=valueA optionB=valueB") of special connection options for the external Postgres connection. If PostgreSQL is on a non-default port, use "port=<PORT_NUMBER>"
- Password (optional) - The external PostgreSQL password associated with the specified username.
Configuring Client Certificates
The Postgres client library supports the use of client certificates, however, there are additional steps to perform in order to make the certificates available.
When configuring Postgres replication in the Sandfly UI, there is a field called "Extra Options". Sandfly appends the extra options to the Postgres connection string that we build and most Postgres connection string parameters are supported. To support a client certificate add the following space-delimited options in the extra options field:
sslmode='verify-full' sslcert='/pqcerts/client.crt' sslkey='/pqcerts/client.key' sslrootcert='/pqcerts/root_ca.pem'
Those certificate files will be loaded when Sandfly tries to connect and used for the mutual TLS authentication.
The only complication is that those files do not exist inside the Sandfly server container. One way to make it work would be to create the pqcerts directory somewhere on the Sandfly server, then modify the start_server.sh script to add a volume mount to the docker run command, e.g. -v /path/to/pqcerts:/pqcerts
, so those files will be available to the Sandfly server container at the /pqcerts path.
Updated 4 months ago