Docs around SSL support for RDS #635
Deploying localstack-docs with

| Latest commit: | 9c948db |
|---|---|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://1b18e045.localstack-docs.pages.dev |
| Branch Preview URL: | https://doc-206-doc-rds-add-ssl-supp.localstack-docs.pages.dev |
cloutierMat left a comment:
Thanks for adding this to the documentation. I think we should probably be more forward about what we do not support, since this seems to indicate we have mostly full parity with AWS, but only `sslmode=require` is supported and we do not enforce SSL as is suggested by `force_ssl`.
> ### Force SSL connections
>
> To require every client to connect over SSL, set the `rds.force_ssl` parameter on a DB parameter group and associate it with your instance:
>
> ```bash
> awslocal rds create-db-parameter-group \
>   --db-parameter-group-name force-ssl \
>   --db-parameter-group-family postgres17 \
>   --description "Force SSL connections"
>
> awslocal rds modify-db-parameter-group \
>   --db-parameter-group-name force-ssl \
>   --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot"
> ```
>
> Pass `--db-parameter-group-name force-ssl` when creating the DB instance, or attach the parameter group to an existing instance and reboot it.
> Setting `rds.force_ssl=0` disables the SSL requirement, allowing clients to connect with `sslmode=disable`.
We do not support this. Currently SSL is always enabled (like in AWS), but never enforced (`force_ssl=1` is ignored).
> :::note
> The `pg_stat_ssl` view always reports `ssl = false`, even when the client connection is encrypted.
> :::
Maybe we could enhance this note with the technical reason why it won't?
Suggested change (original):

> :::note
> The `pg_stat_ssl` view always reports `ssl = false`, even when the client connection is encrypted.
> :::

Suggested change (replacement):

> :::note
> As we are terminating the SSL connection at the proxy, the PostgreSQL `pg_stat_ssl` view always reports `ssl = false`, even when the client connection is encrypted.
> :::
> ## SSL/TLS Support
>
> LocalStack's RDS PostgreSQL emulation supports SSL/TLS-encrypted client connections, so you can test applications that require `sslmode=require` (or stricter modes) the same way they would connect to AWS RDS.
We do not currently support stricter modes.
> ```bash
> PGPASSWORD=$MASTER_PW psql "host=$HOST port=$PORT dbname=$DB_NAME user=$MASTER_USER sslmode=require"
> ```
>
> The DB instance uses a self-signed certificate, so clients that pin certificate authorities (`sslmode=verify-ca` or `sslmode=verify-full`) will need to disable certificate verification or supply their own trust anchors.

Review bot: the `psql` line uses `sslmode=require`, which encrypts the session but performs no check of the server certificate at all, so the closing paragraph's advice that `verify-ca`/`verify-full` users "disable certificate verification" amounts to falling back to `require`; the section should say plainly that against LocalStack the client gets encryption without server authentication, and that an application's production connection string should not be downgraded to `sslmode=require` just to make the local test pass.
`sslmode=verify-ca` or `sslmode=verify-full` are currently not supported.
Fixes DOC-206