To configure TLS for an external PostgreSQL, you have the following configuration options:
- PostgreSQL TLS mode: the PostgreSQL server supports the following TLS modes:
  - Allow: first try an SSL connection; if that fails, try a non-SSL connection.
  - Require: only try an SSL connection. If a root Certificate Authority file is present, verify the certificate in the same way as if Verify Certificate Authority was specified.
  - Verify Certificate Authority: only try an SSL connection, and verify that the server certificate is issued by a trusted certificate authority (CA).
  - Verify Certificate Authority and Hostname: only try an SSL connection, and verify that the server certificate is issued by a trusted CA and that the requested server hostname matches that in the certificate.
- Custom certificate authority: custom certificate authority to use to authenticate the PostgreSQL server identity.
- Client authentication required: the PostgreSQL server is configured to authenticate a client. In that case, provide:
  - PostgreSQL client TLS key.
  - PostgreSQL client TLS certificate.
To disable TLS configuration, you should first set "Postgres TLS mode" to Allow in the Admin Console and deploy the configuration. Then you can disable TLS on the PostgreSQL server. Finally, disable the TLS configuration within the Admin Console.
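
The following added example (not code from the product) expresses the four TLS modes as Python `ssl.SSLContext` settings, to show what each mode actually verifies and why Allow is the only mode that still connects once TLS is switched off on the server. Assumptions: the function name `tls_policy`, the mode names (borrowed from libpq's `sslmode` values `allow`, `require`, `verify-ca`, `verify-full`), and falling back to the system trust store when no custom CA is supplied.

```python
import ssl

# Assumed names: libpq's sslmode values, in the same order as the modes listed above.
MODES = ("allow", "require", "verify-ca", "verify-full")


def tls_policy(mode, ca_file=None, client_cert=None, client_key=None):
    """Return (SSLContext, plaintext_fallback_allowed) for one TLS mode."""
    if mode not in MODES:
        raise ValueError(f"unknown TLS mode: {mode!r}")
    if bool(client_cert) != bool(client_key):
        raise ValueError("client certificate and key must be supplied together")

    # PROTOCOL_TLS_CLIENT starts strict: CERT_REQUIRED plus hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    # Only verify-full binds the certificate to the hostname being dialled.
    # check_hostname must be relaxed before verify_mode can drop to CERT_NONE.
    ctx.check_hostname = mode == "verify-full"

    # Allow never verifies; Require verifies only when a CA file was supplied.
    verify = mode in ("verify-ca", "verify-full") or (
        mode == "require" and bool(ca_file)
    )
    ctx.verify_mode = ssl.CERT_REQUIRED if verify else ssl.CERT_NONE

    if verify:
        if ca_file:
            # Custom certificate authority: trust only this CA bundle.
            ctx.load_verify_locations(cafile=ca_file)
        else:
            # Assumption: no custom CA means the system trust store is used.
            ctx.load_default_certs()

    if client_cert:
        # Client authentication required: present the client key pair.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)

    # Only Allow may retry without TLS, so it gives no protection against an
    # on-path downgrade and should be used only as a transition step.
    return ctx, mode == "allow"
```

The returned context can be handed to a database driver that accepts an `ssl.SSLContext`; the boolean tells the caller whether a failed TLS attempt may be retried in plaintext.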
To configure TLS for Redis, you have the following configuration options:
- Require Redis server authentication: force the application to require the Redis server to authenticate with a valid certificate. By checking this setting, you can provide a custom certificate authority to validate the Redis server certificate.
- Client authentication required: if the Redis server is configured to require client authentication, you need to check this box and provide:
  - a TLS key,
  - a TLS certificate.
For scaling recommendations, refer to the hardware requirements documentation.