Configure TLS connectivity in Azure Database for PostgreSQL - Single Server

Azure Database for PostgreSQL prefers that client applications connect to the PostgreSQL service over Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL). Enforcing TLS between your database server and your client applications encrypts the data stream between them, which protects the traffic from eavesdropping. Note that encryption alone does not defeat a "man-in-the-middle" attacker: the client must also verify the server's certificate (see the sslmode=verify-full example later on this page); otherwise an attacker who intercepts the connection can present their own certificate and terminate the TLS session themselves.

By default, the PostgreSQL database service is configured to require TLS connections. You can choose to disable the TLS requirement if your client application does not support TLS connectivity, at the cost of allowing credentials and query data to cross the network in plaintext.

Enforcing TLS connections

For all Azure Database for PostgreSQL servers provisioned through the Azure portal or the Azure CLI, enforcement of TLS connections is enabled by default.

Likewise, the connection strings pre-defined under the "Connection strings" setting of your server in the Azure portal include the parameter each common language needs to connect to your database server over TLS. The parameter name and value vary by connector, for example "ssl=true", "sslmode=require" or "sslmode=required", among other variations. Check your driver's documentation for the exact spelling it accepts; an unrecognized parameter is silently ignored by some drivers, which would leave the connection without TLS.

Configure enforcement of TLS

You can optionally disable enforcement of TLS connectivity. Azure recommends that you always keep the "Enforce SSL connection" setting enabled for enhanced security.

Using the Azure portal

Open your Azure Database for PostgreSQL server and click "Connection security". Use the toggle button to enable or disable the "Enforce SSL connection" setting. Then click "Save".

[Screenshot: Connection security pane, "Enforce SSL connection" toggle]

You can confirm the setting by viewing the "SSL enforce status" indicator on the server's Overview page.

Using the Azure CLI

You can enable or disable SSL enforcement with the ssl-enforcement parameter of az postgres server update, passing the value Enabled or Disabled respectively:

az postgres server update --resource-group myresourcegroup --name mydemoserver --ssl-enforcement Enabled
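The command above changes one server. In practice you want to know which servers in a subscription still accept plaintext or old-protocol connections. The following script is an added example, not code from the Azure documentation: it feeds the JSON from `az postgres server list -o json` through a small compliance check and prints the remediation command from this page for each offender. The field names `sslEnforcement` and `minimalTlsVersion` are assumed from the Azure CLI output for single servers (verify them against `az postgres server show` on your CLI version), and the embedded server list is constructed so the check runs offline.

```python
"""Audit SSL enforcement and minimum TLS version on Azure Database for PostgreSQL single servers.

Added example, not part of the Azure docs. Run with --live to query the real
subscription through the Azure CLI (requires `az login`); without it the
constructed sample below is audited instead.
"""
from __future__ import annotations

import json
import shlex
import subprocess
import sys

# Constructed sample in the shape of `az postgres server list -o json`, trimmed
# to the fields the audit needs. Server and resource-group names are placeholders.
SAMPLE_SERVERS_JSON = """
[
  {"name": "mydemoserver",  "resourceGroup": "myresourcegroup",
   "sslEnforcement": "Enabled",  "minimalTlsVersion": "TLS1_2"},
  {"name": "legacy-app-db", "resourceGroup": "myresourcegroup",
   "sslEnforcement": "Disabled", "minimalTlsVersion": "TLSEnforcementDisabled"},
  {"name": "reporting-db",  "resourceGroup": "analytics-rg",
   "sslEnforcement": "Enabled",  "minimalTlsVersion": "TLSEnforcementDisabled"}
]
"""
SAMPLE_SERVERS: list[dict] = json.loads(SAMPLE_SERVERS_JSON)

# Policy: only a floor of TLS 1.2 is acceptable. TLS1_0, TLS1_1 and
# TLSEnforcementDisabled all let TLS 1.0/1.1 clients connect.
ACCEPTABLE_MIN_TLS = {"TLS1_2"}


def classify(server: dict) -> list[str]:
    """Return the findings for one server record; an empty list means compliant."""
    findings: list[str] = []
    if server.get("sslEnforcement") != "Enabled":
        findings.append("sslEnforcement is not Enabled: plaintext connections are accepted")
    min_tls = server.get("minimalTlsVersion", "TLSEnforcementDisabled")
    if min_tls not in ACCEPTABLE_MIN_TLS:
        findings.append(f"minimalTlsVersion is {min_tls}: TLS 1.0/1.1 clients are accepted")
    return findings


def audit(servers: list[dict]) -> dict[str, list[str]]:
    """Map 'resourceGroup/name' to its findings for every non-compliant server."""
    report: dict[str, list[str]] = {}
    for server in servers:
        findings = classify(server)
        if findings:
            report[f"{server['resourceGroup']}/{server['name']}"] = findings
    return report


def remediation_command(resource_group: str, name: str) -> str:
    """The az command shown on this page that turns SSL enforcement back on."""
    return (f"az postgres server update --resource-group {resource_group} "
            f"--name {name} --ssl-enforcement Enabled")


def list_servers_from_az() -> list[dict]:
    """Live query through the Azure CLI; not used by the offline run."""
    proc = subprocess.run(shlex.split("az postgres server list -o json"),
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    servers = list_servers_from_az() if "--live" in sys.argv else SAMPLE_SERVERS
    for key, findings in audit(servers).items():
        rg, name = key.split("/", 1)
        print(key)
        for finding in findings:
            print(f"  - {finding}")
        print(f"  fix: {remediation_command(rg, name)}")
```

Raising the minimum TLS version is a separate setting (covered in the "TLS settings" section of this page); the audit reports it but the remediation line only re-enables SSL enforcement, because that is the one command this page documents.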

Ensure your application or framework supports TLS connections

Some application frameworks that use PostgreSQL as their database service do not enable TLS by default during installation. If your PostgreSQL server enforces TLS connections but the application is not configured for TLS, the application will fail to connect to the database server (libpq-based clients report an error such as "SSL connection is required"). Consult your application's documentation to learn how to enable TLS connections.

Applications that require certificate verification for TLS connectivity

In some cases, an application needs a local copy of the trusted Certificate Authority (CA) certificate in order to verify the server's certificate and connect securely. The CA certificate for connecting to an Azure Database for PostgreSQL server is available at https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem. Download the certificate file and save it to your preferred location; the examples below assume it keeps its original file name.

Connect using psql

The following example shows how to connect to your PostgreSQL server with the psql command-line utility. Use the sslmode=verify-full connection-string setting to enforce TLS/SSL certificate verification, and pass the path of the local CA certificate file in the sslrootcert parameter. Note the difference between the libpq modes: sslmode=require only encrypts the connection and accepts any server certificate, so it does not protect against an attacker who intercepts the connection; sslmode=verify-ca checks that the certificate chains to the CA in sslrootcert; sslmode=verify-full additionally checks that the certificate's name matches the host you connected to.

The following command is an example psql connection string:

psql "sslmode=verify-full sslrootcert=DigiCertGlobalRootCA.crt.pem host=mydemoserver.postgres.database.chinacloudapi.cn dbname=postgres user=myusern@mydemoserver"

Tip

Confirm that the value passed to sslrootcert matches the file path of the certificate you saved. If the file cannot be read, psql fails with an error such as "root certificate file ... does not exist" rather than silently falling back to an unverified connection.

TLS enforcement in Azure Database for PostgreSQL Single Server

Azure Database for PostgreSQL - Single Server supports encryption for clients that connect to your database server using Transport Layer Security (TLS). TLS is an industry-standard protocol that secures the network connection between your database server and client applications, allowing you to meet compliance requirements.

TLS settings

Azure Database for PostgreSQL Single Server lets you enforce a minimum TLS protocol version for client connections. To enforce it, use the "Minimum TLS version" option setting. The following values are allowed:

Minimum TLS setting                 Client TLS versions accepted
TLSEnforcementDisabled (default)    No minimum version enforced
TLS1_0                              TLS 1.0, TLS 1.1, TLS 1.2 and higher
TLS1_1                              TLS 1.1, TLS 1.2 and higher
TLS1_2                              TLS 1.2 and higher

For example, setting the minimum TLS version to TLS1_0 means your server allows connections from clients using TLS 1.0, 1.1 and 1.2+. Setting it to TLS1_2 instead means that only clients using TLS 1.2+ may connect, and all connections using TLS 1.0 or TLS 1.1 are rejected at the handshake.
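Two things on this page are worth checking from the client side rather than trusting the portal: that the server certificate really chains to the DigiCert root you downloaded (the sslmode=verify-full behaviour from the psql section above) and which minimum TLS version the server actually enforces. The script below is an added example, not code from the Azure documentation or from psql. PostgreSQL does not use TLS-on-connect: the client first sends an 8-byte SSLRequest packet over plain TCP, the server answers with a single byte ('S' to proceed with TLS, 'N' to refuse), and only then does the TLS handshake begin. The script reproduces that exchange with Python's standard ssl module, once with a verify-full style context and then once per protocol version to map what the server accepts. The host name and CA file path are placeholders; only the offline functions (message encoding, reply parsing, context construction) run without a network.

```python
"""Probe a PostgreSQL server's TLS behaviour the way libpq's sslmode=verify-full does.

Added example, not part of the Azure docs. Usage:
    python probe_pg_tls.py <host> <path-to-DigiCertGlobalRootCA.crt.pem>
"""
from __future__ import annotations

import socket
import ssl
import struct
import sys

# SSLRequest message: int32 length (8) followed by the protocol's magic code,
# which is the "version" 1234.5679 encoded as (major << 16) | minor.
SSL_REQUEST_CODE = (1234 << 16) | 5679  # 80877103

# Names used by the "Minimum TLS version" setting mapped to the ssl module's versions.
VERSIONS = {
    "TLS1_0": ssl.TLSVersion.TLSv1,
    "TLS1_1": ssl.TLSVersion.TLSv1_1,
    "TLS1_2": ssl.TLSVersion.TLSv1_2,
    "TLS1_3": ssl.TLSVersion.TLSv1_3,
}


def build_ssl_request() -> bytes:
    """Wire encoding of SSLRequest, big-endian as the PostgreSQL protocol requires."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def server_agreed_to_tls(reply: bytes) -> bool:
    """'S' means the server will start TLS; 'N' means it will not (sslmode=require fails here)."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def verify_full_context(cafile: str) -> ssl.SSLContext:
    """Equivalent of sslmode=verify-full: trust only `cafile` and require a matching host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe_context(version_name: str) -> ssl.SSLContext:
    """Context pinned to exactly one protocol version, used only to test acceptance."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # certificate trust is checked separately above
    ctx.minimum_version = VERSIONS[version_name]
    ctx.maximum_version = VERSIONS[version_name]
    return ctx


def connect_with_tls(host: str, ctx: ssl.SSLContext, port: int = 5432,
                     timeout: float = 10.0) -> ssl.SSLSocket:
    """Open TCP, perform the SSLRequest exchange, then hand the socket to TLS."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(build_ssl_request())
    if not server_agreed_to_tls(sock.recv(1)):
        sock.close()
        raise ConnectionError(f"{host} refused TLS; SSL enforcement may be disabled")
    return ctx.wrap_socket(sock, server_hostname=host)  # handshake happens here


def probe_versions(host: str) -> dict[str, bool]:
    """Try each protocol version on its own; True means the handshake completed."""
    results: dict[str, bool] = {}
    for name in VERSIONS:
        try:
            connect_with_tls(host, probe_context(name)).close()
            results[name] = True
        except (ssl.SSLError, ValueError, OSError):
            # Rejected by the server's minimum version, or not offered by local OpenSSL
            results[name] = False
    return results


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mydemoserver.postgres.database.chinacloudapi.cn"
    cafile = sys.argv[2] if len(sys.argv) > 2 else "DigiCertGlobalRootCA.crt.pem"
    with connect_with_tls(host, verify_full_context(cafile)) as tls:
        print("verify-full OK:", tls.version(), tls.getpeercert()["subject"])
    print("versions accepted:", probe_versions(host))
```

If the server's "Minimum TLS version" is TLS1_2, the probe reports TLS1_0 and TLS1_1 as False; if it is TLSEnforcementDisabled, older versions may show True, limited by what your local OpenSSL build is still willing to negotiate. A failure in the verify-full step with a valid CA file usually means the CA file is wrong for this endpoint or the host name in the connection does not match the certificate, which is exactly the condition sslmode=require would have let through.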

Note

By default, Azure Database for PostgreSQL does not enforce a minimum TLS version (the setting is TLSEnforcementDisabled).

Once you enforce a minimum TLS version, you cannot later disable minimum-version enforcement; you can only keep or raise the floor.

To learn how to set the TLS setting for your Azure Database for PostgreSQL Single Server, refer to How to configure TLS setting.

Next steps

Review the various application connectivity options in Connection libraries for Azure Database for PostgreSQL.