With questions like this, it looks like the only way to prevent man-in-the-middle attacks is to use sslmode=verify-full. This is also explained in the Postgresql docs.
When I use the DATABASE_URL provided by Heroku in my app, is there a guarantee that there won't be a MITM attack? (Or asked another way, does Heroku do something behind the scenes to guarantee that Heroku <-> Heroku-Postgres is secure?)
No, Heroku Postgres is not secure against a MitM. The highest risk is running pg:psql from the command line, since it's fairly easy to get between your laptop and Heroku by using a WiFi Pineapple or similar tools. Getting between your Dynos and the database is much harder. This is possible since Heroku hasn't created a CA to sign their database certificates, thus there's no trust root to use when you're connecting.
I did a writeup of actually performing such a MitM against Heroku Postgres here, please file a support ticket with Heroku saying you'd like to see them create a CA and issue a trusted root we can use to authenticate connections if you care about this.
Related
anyone facing something similar? sadly I'm on a free plan so I can't open a ticket... does anyone know of a way to restart the service/machine of the DB? maybe that would just solve it...
ok so the issue in my case is that indeed heroku performed some sort of maintenance on the DB, and apparently it's connection params (host/url/user/password) had changed... and since it was embedded throughout all my interfaces (the app, my db tools, admin app I also have) - none were able to connect (they'd timeout).
while trying to figure out, I used the wonderful CLI tools of heroku pg:info and heroku pg:diagnose and even heroku pg:psql and tested to see that my data is still there... eventually I went to the online admin and that's where I saw the connections params had changed. BTW - I have this project for 2 years and this is the first time this had happened...
I was in the same situation. Heroku will email you that your database is scheduled for maintenance. After it's complete, connecting to the database fails because of this error:
error: no pg_hba.conf entry for host "IP_ADDRESS", user "DB_USER", database "DB_NAME", no encryption
This is telling us that incorrect credentials were given, meaning the database connection string has changed. I first checked the credentials on the website for the Heroku Postgres Add-on (data.heroku.com), but the connection string was still the same as before; it has not updated or changed at all, therefore this was misleading. Instead, the updated connection string is found inside of the DATABASE_URL config variable, located in the Settings tab of your app on the Heroku dashboard (dashboard.heroku.com), under Config Vars. To avoid manually correcting this problem again, get the connection string from the DATABASE_URL config variable directly, as opposed to hard coding it in your app.
Yes, Im in the same situation. Heroku are a bunch of amateurs. They did some maintenance on the DB, and after it was done, credentials don't work, even those listed in admin/dashboard section of web. Bunch of loosers... #heroku
I've decided to save time on the ops side of things and move to Heroku. I'm planning to have a production dyno on Heroku with a postgres database AND another dyno that reads from the same database.
However when I opened the settings of postgres, it said:
Database Credentials
Get credentials for manual connections to this database.
Please note that these credentials are not permanent.
Heroku rotates credentials periodically and updates applications where this database is attached.
What's a good way to go about this?
From Heroku Documentation,
Credentials
Do not copy and paste database credentials to a separate environment or into your application’s code. The database URL is managed by Heroku and will change under some circumstances such as:
User initiated database credential rotations using heroku pg:credentials:rotate.
Catastrophic hardware failure leading to Heroku Postgres staff recovering your database on new hardware.
Automated failover events on HA enabled plans.
It is best practice to always fetch the database URL config var from the corresponding Heroku app when your application starts. For example, you may follow 12Factor application configuration principles by using the Heroku CLI and invoke your process like so:
DATABASE_URL=$(heroku config:get DATABASE_URL -a your-app-name) your_process
This way, you ensure your process or application always has correct database credentials.
May be attaching the same database to two heroku-apps will better suit you. In this way, pg creds will be auto-managed by heroku.
I am also using this technique. I have one client-facing app and another operation-app sharing the same database instance.
You can either do this using UI or via CLI
see Share database between 2 apps in Heroku
I'm having troubles to connect an existing heroku database to Google Datastudio. I'm trying to add the connection and I get the following:
Access denied, please check your username and password.
Now, I'm 100% sure that I'm correct on those credentials and the problem comes from somewhere else.
I've tried with different setup, either a free or a paid PSQL instance, nothing works.
I've also setup a dummy account on elephantsql and the connection worked the first time without any issue.
Do you have any idea of the cause of that problem?
Edit:
Just found https://www.en.advertisercommunity.com/t5/Data-Studio/Heroku-Postgres-lt-gt-Google-Data-Studio/m-p/1031729 which is not helpful at the time of writing this post.
Since the February 6, 2018 update, Google DataStudio allows SSL connections with PostgreSQL, which is necessary to connect to a database created via Heroku.
To enable SSL you need to provide client key+cert and server cert, which can be accomplished by taking the following steps:
Generate a self-signed cert + key with openssl for client key + certificate:
openssl req \
-newkey rsa:2048 -nodes -keyout client.key \
-x509 -days 365 -out client.crt
Use the postgres_get_server_cert.py script to get the self-signed server cert from heroku psql:
https://raw.githubusercontent.com/thusoy/postgres-mitm/master/postgres_get_server_cert.py
The problem is that Heroku Postgres requires an SSL connection which doesn't seem possible with Data Studio at the moment. Hopefully Google will add that option soon.
Make sure to run the openssl command on one line to generate the client.key and client.crt in one command. It took me a couple of tries of downloading the certificates (unable to reach host error), but this finally got me connected to Heroku Postgres with GDS.
I thought I would mention that I have used this for quite awhile, but every time my database undergoes maintenance it breaks and I have to manually reconnect the certificates. I developed a better approach - connect the data to Google BigQuery and do your blends there, and then use the BigQuery Community Connector. The charts are more performant this way AND you can now use query parameters on blended data.
Of course, DataStudio won't connect directly to Heroku Postgres for the same reason, so I use a service called Fivetran to grab the raw data and send it to Google BigQuery. There is a cost to this, of course, but for some projects it may be worth it. At some point I will move my database off of Heroku to either AWS or Google itself to allow a direct connection, but that is a larger project.
I have a heroku app running with the postgres addon. I was wondering if it's possible to whitelist the allowed hosts. Normally this is done by editing the pg_hba.conf file, but that's not possible on heroku.
It's not possible - Heroku don't provide access to that. They use highly complex and randomly generated username/passwords as you can see in your heroku config output but permit access from any host.
Please, any help will be appreciated, i have an OpenERP installed with all its components (Postgres, Web server, Server) in a VPS..
And I would like to use this PostgreSQL from my local machine trough pgAdmin3. I am still not able to do so.
I read some answers about this issue, by modifing Configuration Files in Postgresql and some others telling me to use SSH Tunilling trough Putty, but when i go to connect trough PGADMIN3 i can't have a successfuull connection
So , Please if any one could Give me in details What i have to do, to make this happen successfully,
First you need to ask yourself a bunch of questions. The answer to this isn't really that simple which is why it hasn't been answered. These involve risk management questions that happen when you set up your db for access across the internet. You really want to start by reading the administration and authentication sections of the PostgreSQL docs. You may want to do an SSH tunnel or just require SSL.
Personally I would configure PostgreSQL to require SSL if you are going to do that. Set up an entry of type hostssl in the pg_hba.conf for the host that will be connecting to it. Set up firewall rules to allow connections from that host. Ideally set up a client cert but not quite sure how to make OpenERP use that.
Then configure OpenERP. I don't know which version you are running but these docs may get you started.