2019-04-04 10:22:09 +02:00
## Server configuration
2019-04-02 17:54:24 +02:00
2019-04-04 10:22:09 +02:00
### Securing PostgreSQL connections
2019-04-02 17:54:24 +02:00
By default, Mainflux will connect to Postgres using insecure transport.
If a secured connection is required, you can select the SSL mode and set paths to any extra certificates and keys needed.
`MF_USERS_DB_SSL_MODE` the SSL connection mode for Users.
`MF_USERS_DB_SSL_CERT` the path to the certificate file for Users.
`MF_USERS_DB_SSL_KEY` the path to the key file for Users.
`MF_USERS_DB_SSL_ROOT_CERT` the path to the root certificate file for Users.
`MF_THINGS_DB_SSL_MODE` the SSL connection mode for Things.
`MF_THINGS_DB_SSL_CERT` the path to the certificate file for Things.
`MF_THINGS_DB_SSL_KEY` the path to the key file for Things.
`MF_THINGS_DB_SSL_ROOT_CERT` the path to the root certificate file for Things.
Supported database connection modes are: `disabled` (default), `required` , `verify-ca` and `verify-full` .
## Securing gRPC
2019-04-04 10:22:09 +02:00
By default gRPC communication is not secure as Mainflux system is most often run in a private network behind the reverse proxy.
However, TLS can be activated and configured.
### Server configuration
2019-04-02 17:54:24 +02:00
2019-04-04 10:22:09 +02:00
#### Users
2019-04-02 17:54:24 +02:00
If either the cert or key is not set, the server will use insecure transport.
`MF_USERS_SERVER_CERT` the path to server certificate in pem format.
`MF_USERS_SERVER_KEY` the path to the server key in pem format.
2019-04-04 10:22:09 +02:00
#### Things
2019-04-02 17:54:24 +02:00
If either the cert or key is not set, the server will use insecure transport.
`MF_THINGS_SERVER_CERT` the path to server certificate in pem format.
`MF_THINGS_SERVER_KEY` the path to the server key in pem format.
2019-04-04 10:22:09 +02:00
### Client configuration
2019-04-02 17:54:24 +02:00
If you wish to secure the gRPC connection to `things` and `users` services you must define the CAs that you trust. This does not support mutual certificate authentication.
2019-04-04 10:22:09 +02:00
#### Adapter configuration
2019-04-02 17:54:24 +02:00
2019-04-04 10:22:09 +02:00
`MF_HTTP_ADAPTER_CA_CERTS` , `MF_MQTT_ADAPTER_CA_CERTS` , `MF_WS_ADAPTER_CA_CERTS` , `MF_COAP_ADAPTER_CA_CERTS` - the path to a file that contains the CAs in PEM format. If not set, the default connection will be insecure. If it fails to read the file, the adapter will fail to start up.
2019-04-02 17:54:24 +02:00
2019-04-04 10:22:09 +02:00
#### Things
2019-04-02 17:54:24 +02:00
`MF_THINGS_CA_CERTS` - the path to a file that contains the CAs in PEM format. If not set, the default connection will be insecure. If it fails to read the file, the service will fail to start up.
