Configure TLS connectivity in Azure Database for PostgreSQL - Single Server

Azure Database for PostgreSQL prefers connecting your client applications to the PostgreSQL service using Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL). Enforcing TLS connections between your database server and your client applications helps protect against "man-in-the-middle" attacks by encrypting the data stream between the server and your application.

By default, the PostgreSQL database service is configured to require TLS connections. You can choose to disable the TLS requirement if your client application does not support TLS connectivity.

Enforcing TLS connections

For all Azure Database for PostgreSQL servers provisioned through the Azure portal and CLI, enforcement of TLS connections is enabled by default.

Likewise, the connection strings pre-defined in the "Connection Strings" settings under your server in the Azure portal include the parameters required for common languages to connect to your database server using TLS. The TLS parameter varies by connector, for example "ssl=true", "sslmode=require" or "sslmode=required", among other variations.

Configure enforcement of TLS

You can optionally disable enforcing TLS connectivity. Azure recommends always enabling the Enforce SSL connection setting for enhanced security.

Using the Azure portal

Visit your Azure Database for PostgreSQL server and click Connection security. Use the toggle button to enable or disable the Enforce SSL connection setting. Then, click Save.

Connection security - Disable Enforce TLS/SSL

You can confirm the setting by viewing the Overview page and checking the SSL enforce status indicator.

Using Azure CLI

You can enable or disable the ssl-enforcement parameter using the Enabled or Disabled values respectively in Azure CLI.

az postgres server update --resource-group myresourcegroup --name mydemoserver --ssl-enforcement Enabled

Ensure your application or framework supports TLS connections

Some application frameworks that use PostgreSQL for their database services do not enable TLS by default during installation. If your PostgreSQL server enforces TLS connections but the application is not configured for TLS, the application may fail to connect to your database server. Consult your application's documentation to learn how to enable TLS connections.

Applications that require certificate verification for TLS connectivity

In some cases, applications require a local certificate file generated from a trusted Certificate Authority (CA) certificate file (.cer) to connect securely. See the following steps to obtain the .cer file, decode the certificate and bind it to your application.

Download the certificate file from the Certificate Authority (CA)

The certificate needed to communicate over SSL with your Azure Database for PostgreSQL server is located here (the DigiCertGlobalRootCA.crt file used in the command below). Download the certificate file locally.

Install a cert decoder on your machine

You can use OpenSSL to decode the certificate file needed for your application to connect securely to your database server. To learn how to install OpenSSL, see the OpenSSL installation instructions.

Decode your certificate file

The downloaded root CA file is in DER-encoded binary format. Use OpenSSL to decode the certificate file into PEM form. To do so, run this OpenSSL command:

openssl x509 -inform DER -in DigiCertGlobalRootCA.crt -text -out root.crt

Connect using psql

The following example shows how to connect to your PostgreSQL server using the psql command-line utility. Use the sslmode=verify-full connection string setting to enforce TLS/SSL certificate verification; it checks both the certificate chain and that the certificate matches the host name you connect to. Pass the local certificate file path to the sslrootcert parameter.

The following command is an example of the psql connection string:

psql "sslmode=verify-full sslrootcert=root.crt host=mydemoserver.postgres.database.chinacloudapi.cn dbname=postgres user=myusern@mydemoserver"

Tip

Confirm that the value passed to sslrootcert matches the file path of the certificate you saved.
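The difference between "sslmode=require" in the portal connection strings and "sslmode=verify-full" in the psql command above is whether the server certificate is actually verified. The following added example (not part of the original page) parses libpq connection strings in both keyword=value and URI form and reports the effective sslmode and whether it resists a man-in-the-middle; the sample strings are constructed from the host and user names on this page.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# What each libpq sslmode value guarantees, following the libpq documentation.
# Only verify-full checks both the CA chain and the server host name.
SSLMODE_PROTECTION = {
    "disable": "no TLS",
    "allow": "TLS only if the server demands it; certificate not verified",
    "prefer": "TLS if offered, else plaintext; certificate not verified",
    "require": "TLS enforced, but server certificate NOT verified",
    "verify-ca": "TLS, CA chain verified, host name NOT checked",
    "verify-full": "TLS, CA chain and host name verified",
}

def parse_conninfo(conninfo: str) -> dict:
    """Parse a libpq keyword=value string or postgres(ql):// URI into a dict."""
    if conninfo.startswith(("postgres://", "postgresql://")):
        u = urlsplit(conninfo)
        params = dict(parse_qsl(u.query))
        if u.hostname:
            params["host"] = u.hostname
        if u.username:
            params["user"] = unquote(u.username)  # '@' in Azure user names is %40
        return params
    # keyword=value pairs; values may be single-quoted (quotes are stripped)
    pairs = re.findall(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)", conninfo)
    return {k: v.strip("'") for k, v in pairs}

def audit_sslmode(conninfo: str) -> tuple:
    """Return (effective_sslmode, mitm_resistant, explanation)."""
    p = parse_conninfo(conninfo)
    mode = p.get("sslmode", "prefer")  # libpq default when sslmode is absent
    # libpq documents that 'require' plus a root CA file behaves like verify-ca.
    # Only an explicit sslrootcert is considered here; the default
    # ~/.postgresql/root.crt location is not checked.
    if mode == "require" and p.get("sslrootcert"):
        mode = "verify-ca"
    if mode not in SSLMODE_PROTECTION:
        return (mode, False, "unrecognised sslmode value")
    return (mode, mode == "verify-full", SSLMODE_PROTECTION[mode])

if __name__ == "__main__":
    # Constructed sample strings, including the psql string from this page.
    samples = [
        "sslmode=verify-full sslrootcert=root.crt host=mydemoserver.postgres.database.chinacloudapi.cn dbname=postgres user=myusern@mydemoserver",
        "host=mydemoserver.postgres.database.chinacloudapi.cn dbname=postgres user=myusern@mydemoserver sslmode=require",
        "postgresql://myusern%40mydemoserver@mydemoserver.postgres.database.chinacloudapi.cn/postgres?sslmode=require",
    ]
    for s in samples:
        mode, ok, why = audit_sslmode(s)
        print(f"{'OK  ' if ok else 'WEAK'} sslmode={mode}: {why}")
```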

Next steps

Review the various application connectivity options in Connection libraries for Azure Database for PostgreSQL.