1 00:00:00,090 --> 00:00:01,620 What is going on, guys?
2 00:00:01,650 --> 00:00:08,370 My name is Hussein, and in this video I want to spin up a Postgres instance and not only spin it
3 00:00:08,370 --> 00:00:18,330 up and not only connect to it, but I want to establish a secure communication between my client and
4 00:00:18,330 --> 00:00:24,600 my Postgres database by enabling TLS or SSL, the old name for it.
5 00:00:24,970 --> 00:00:26,370 How about we jump into it, guys?
6 00:00:27,060 --> 00:00:30,330 Because if you don't know what TLS is, check out this playlist,
7 00:00:30,330 --> 00:00:35,940 where I discussed all about this technology, transport layer security.
8 00:00:35,940 --> 00:00:37,830 I show the handshake, I show.
9 00:00:38,040 --> 00:00:42,650 Why do you want to encrypt the communication between client and server?
10 00:00:42,930 --> 00:00:47,130 We talk about HTTPS and all that stuff, but database is no different.
11 00:00:47,130 --> 00:00:54,810 For the longest time we have been connecting from a client to databases without encryption.
12 00:00:55,290 --> 00:01:07,500 And our excuse was that nobody is actually sniffing between my database and my client, which is usually
13 00:01:07,500 --> 00:01:08,400 the Web server.
14 00:01:08,580 --> 00:01:08,910 Right.
15 00:01:08,910 --> 00:01:14,940 Or a desktop application, because usually the client is very close to the database.
16 00:01:14,940 --> 00:01:16,110 And we talked about that.
17 00:01:16,110 --> 00:01:21,750 Why? Right, check out this video if you're interested: keep your servers close and your enemies closer,
18 00:01:22,200 --> 00:01:25,230 latency, round trips, all that stuff.
19 00:01:25,410 --> 00:01:30,690 We want to keep the database closest to the server or the client that makes the request.
20 00:01:31,230 --> 00:01:34,110 However, in a cloud architecture, this is no longer a choice.
21 00:01:34,320 --> 00:01:39,810 In a Kubernetes cluster, this is no longer a choice because these are kind of public, if you think
22 00:01:39,810 --> 00:01:43,620 about it, so we need to encrypt that stuff.
23 00:01:43,620 --> 00:01:45,030 So how about we do that?
24 00:01:45,030 --> 00:01:46,850 I'm going to... I have Docker installed.
25 00:01:46,860 --> 00:01:53,190 Guys, the only thing you have to do is just install it for Mac and then install it for Windows
26 00:01:53,190 --> 00:01:55,860 and once you have that, just do docker run
27 00:01:56,070 --> 00:01:57,240 hello-world.
28 00:01:57,450 --> 00:02:00,360 And if you get that, that means you're ready to rock and roll.
29 00:02:00,540 --> 00:02:05,250 So I'm going to go ahead and spin up a Postgres instance and it's very simple.
30 00:02:05,250 --> 00:02:08,340 You do docker run and --name.
31 00:02:08,350 --> 00:02:09,840 Let's give it a name called pg.
32 00:02:10,020 --> 00:02:14,730 And with -p I'm going to expose the default port 5432.
33 00:02:15,150 --> 00:02:17,820 And finally, did you give it a name?
34 00:02:17,820 --> 00:02:18,570 Yes, I gave it a name.
35 00:02:18,570 --> 00:02:24,480 And that's all, because this will pull the latest version of Postgres.
36 00:02:24,510 --> 00:02:24,930 Right.
37 00:02:24,930 --> 00:02:26,800 And I think it's well worth.
38 00:02:27,180 --> 00:02:27,810 And that's it.
39 00:02:28,350 --> 00:02:35,010 Now we have Postgres, the latest version, pretty cool-ish, but I need to consume Postgres and
40 00:02:35,010 --> 00:02:36,120 kind of connect to it.
41 00:02:36,120 --> 00:02:36,350 Right.
42 00:02:36,540 --> 00:02:42,840 So we need an admin, and there is a beautiful tool that is actually another
43 00:02:42,840 --> 00:02:44,280 container called pgAdmin.
44 00:02:44,280 --> 00:02:51,840 So we're going to spin up a pgAdmin instance right here and basically connect to our Postgres instance
45 00:02:51,840 --> 00:02:53,910 that we just exposed right there.
46 00:02:54,030 --> 00:03:02,850 So in order to run that pgAdmin, we're going to use the dpage Docker image, which
47 00:03:02,850 --> 00:03:03,440 is as follows.
48 00:03:03,450 --> 00:03:05,890 I'm going to do a docker run -e.
49 00:03:06,070 --> 00:03:11,040 We're going to give it an environment variable, PGADMIN_DEFAULT_EMAIL.
50 00:03:11,040 --> 00:03:14,580 We've done this before, guys, and just give it... I'm going to give it
51 00:03:14,760 --> 00:03:16,920 hussein; it doesn't have to be an email if you think about it.
52 00:03:16,920 --> 00:03:17,210 Right.
53 00:03:17,610 --> 00:03:18,240 Just do that.
54 00:03:18,240 --> 00:03:22,890 -e PGADMIN_DEFAULT_PASSWORD; it has to have a password.
55 00:03:22,890 --> 00:03:23,180 Right.
56 00:03:23,370 --> 00:03:24,690 And then give it "password".
57 00:03:24,990 --> 00:03:26,010 Very secure.
58 00:03:26,580 --> 00:03:27,000 Right.
59 00:03:27,630 --> 00:03:32,500 And then expose it, -p 5555 on port 80.
60 00:03:32,520 --> 00:03:37,830 I could have exposed it to 80 but I like 5555 because I'm used to having pgAdmin
61 00:03:37,830 --> 00:03:46,260 run on 5555, and then finally the name pgadmin, and then finally the image dpage/pgadmin
62 00:03:46,260 --> 00:03:46,680 4.
63 00:03:46,710 --> 00:03:47,670 Thank you so much.
64 00:03:47,940 --> 00:03:50,040 David Page is a real name.
65 00:03:50,040 --> 00:03:53,310 Hopefully your first name is David Page, but also awesome.
66 00:03:53,600 --> 00:03:59,820 So go ahead and run that stuff, and it looks like it's already up.
67 00:04:00,150 --> 00:04:04,650 So now let's go to Chrome and connect to my pgAdmin, which then I'm going to use to connect to my
68 00:04:04,650 --> 00:04:06,000 Postgres and manage my database.
69 00:04:06,000 --> 00:04:06,690 How about we do that?
70 00:04:07,050 --> 00:04:10,470 So localhost:5555.
71 00:04:11,350 --> 00:04:12,010 And.
72 00:04:13,030 --> 00:04:19,690 Just like that, this is what we're going to get. What's the password? We put hussein, password, connect.
73 00:04:20,170 --> 00:04:22,470 Beautiful, very awesome.
74 00:04:23,080 --> 00:04:27,100 So we have pgAdmin now, so we need to connect to the database.
75 00:04:27,130 --> 00:04:34,240 Now, this is an unencrypted connection, so the default says, hey, I prefer SSL, but we know
76 00:04:34,240 --> 00:04:37,600 our database does not support SSL or secure socket layer.
77 00:04:37,600 --> 00:04:37,890 Right.
78 00:04:37,900 --> 00:04:40,650 So we're going to connect to it unencrypted by default.
79 00:04:40,660 --> 00:04:44,860 So we're going to call it unsecure pg.
80 00:04:45,340 --> 00:04:48,850 And the connection: what's the host, what's the hostname?
81 00:04:48,870 --> 00:04:49,240 husseinmac.
82 00:04:49,240 --> 00:04:50,110 What
83 00:04:50,110 --> 00:04:51,640 port? 5432.
84 00:04:51,640 --> 00:04:51,990 Right.
85 00:04:52,180 --> 00:04:53,860 What's the username?
86 00:04:53,860 --> 00:04:56,620 postgres, and the default is also called postgres.
87 00:04:56,800 --> 00:05:04,330 And just like that, we have connected to the database, and guys, now if I disconnected the server
88 00:05:04,600 --> 00:05:07,540 and I went to properties and I forced
89 00:05:08,680 --> 00:05:12,250 requiring SSL and I try to connect,
90 00:05:13,430 --> 00:05:19,100 you will notice that I'm going to get an error, says, hey, the server does not support SSL, but
91 00:05:19,100 --> 00:05:20,880 SSL was required in the connection.
92 00:05:20,960 --> 00:05:24,770 So how do I enable SSL on my server?
93 00:05:24,950 --> 00:05:25,910 How about we jump into it?
94 00:05:25,910 --> 00:05:34,370 Guys, let's go ahead and go back to my terminal, open a brand new tab, and we're going to bash into
95 00:05:34,370 --> 00:05:35,840 the pg container.
96 00:05:36,410 --> 00:05:36,760 Right.
97 00:05:36,770 --> 00:05:41,260 So docker exec -it, interactive terminal.
98 00:05:41,600 --> 00:05:43,190 I want to bash into the pg.
99 00:05:43,430 --> 00:05:45,840 That's what we called our Postgres container.
100 00:05:46,280 --> 00:05:53,870 I want to bash into it and I'm going to do apt-get update, apt-get install vim, because
101 00:05:53,870 --> 00:05:55,600 I'm going to edit some config here.
102 00:05:55,880 --> 00:05:59,920 So let's wait for this to install, to update all that stuff and install vim.
103 00:06:00,350 --> 00:06:01,470 Yes, please.
104 00:06:01,700 --> 00:06:02,300 All right.
105 00:06:02,300 --> 00:06:03,350 We have installed it.
106 00:06:03,560 --> 00:06:09,820 So we go to /var/lib/postgresql/data.
107 00:06:10,910 --> 00:06:14,150 There is a config called postgresql.conf.
108 00:06:14,870 --> 00:06:22,010 We will go to that, vim the configuration file here, and I'm going to search for the SSL option here and
109 00:06:22,040 --> 00:06:24,080 I am going to turn this on.
110 00:06:24,230 --> 00:06:28,010 But in order to turn it on, we need at minimum, we need two things.
111 00:06:28,250 --> 00:06:30,500 We need the certificate first, which we talked about.
112 00:06:30,500 --> 00:06:36,800 The certificate file here; check out the certificate video here.
113 00:06:37,460 --> 00:06:45,170 And I'm going to call this cert.pem, and the key file here, which is the private key, which
114 00:06:45,170 --> 00:06:50,720 is the private key that will unlock the certificate.
115 00:06:50,720 --> 00:06:51,060 Right.
116 00:06:51,080 --> 00:06:53,090 So I'm going to call it private.pem.
117 00:06:53,090 --> 00:06:53,340 Right.
118 00:06:53,570 --> 00:06:55,310 And here are some examples.
119 00:06:55,310 --> 00:06:57,570 For example, what ciphers do you want to support?
120 00:06:57,590 --> 00:06:57,770 Right.
121 00:06:57,920 --> 00:06:59,450 How secure are your ciphers?
122 00:06:59,450 --> 00:07:02,030 You can do all of this stuff.
123 00:07:02,030 --> 00:07:02,370 Right.
124 00:07:02,800 --> 00:07:04,100 Prefer ciphers.
125 00:07:04,100 --> 00:07:10,250 And you want to support, like, the TLS version, what TLS version you want supported, is it version 1,
126 00:07:10,250 --> 00:07:11,000 2 or 3.
127 00:07:11,000 --> 00:07:13,100 Obviously 1.3 is the best.
128 00:07:13,490 --> 00:07:13,870 Right.
129 00:07:14,240 --> 00:07:16,520 But we don't really care about this stuff now.
130 00:07:17,060 --> 00:07:20,110 We can if we want to enable all that stuff.
131 00:07:20,120 --> 00:07:22,370 So let's go ahead and save.
132 00:07:22,370 --> 00:07:26,450 So we call this cert.pem, the certificate, and the private key's private.pem.
133 00:07:26,450 --> 00:07:28,640 So we're going to write this file now.
134 00:07:28,970 --> 00:07:33,340 But how, where should I get these two files from?
135 00:07:33,350 --> 00:07:37,150 Well, this is where openssl will come in handy, right.
136 00:07:37,250 --> 00:07:44,360 So I'm going to generate the certificate as a self-signed certificate just for testing.
137 00:07:44,360 --> 00:07:44,740 Right.
138 00:07:44,780 --> 00:07:50,990 And we have generated a certificate before from Let's Encrypt and that has like a proper certificate
139 00:07:50,990 --> 00:07:52,270 authority and all that jazz.
140 00:07:52,550 --> 00:07:55,720 Check out these videos, guys, if you are interested to learn more about that stuff.
141 00:07:55,940 --> 00:08:04,430 So I'm going to do openssl req and I need -x509 certificate, not 605, 509.
142 00:08:05,540 --> 00:08:13,310 I want to do a -newkey that is of type rsa:4096 keys.
143 00:08:13,520 --> 00:08:17,240 You need this or above to have a decent security.
144 00:08:17,450 --> 00:08:20,450 2048 is good, but it's not good enough anymore.
145 00:08:20,450 --> 00:08:25,130 These days it can be broken very easily. -N-O-D
146 00:08:25,490 --> 00:08:25,900 E
147 00:08:25,900 --> 00:08:26,900 S. This
148 00:08:26,930 --> 00:08:28,520 I used to read this as "nodes".
149 00:08:28,520 --> 00:08:35,660 No, it's actually "no DES", which is the digital encryption standard which nobody uses anymore.
150 00:08:35,660 --> 00:08:35,960 Right.
151 00:08:35,960 --> 00:08:42,530 So it means essentially don't encrypt the file, because we will let Postgres read it.
152 00:08:42,530 --> 00:08:47,840 And if we can't, we cannot let Postgres read that file if it's password protected.
153 00:08:47,840 --> 00:08:48,140 Right.
154 00:08:48,560 --> 00:08:54,940 I mean, nginx now supports reading a password-protected file, but Postgres, I believe, doesn't.
155 00:08:54,950 --> 00:08:55,820 So we have to do that.
156 00:08:56,540 --> 00:08:56,840 Yeah.
157 00:08:56,840 --> 00:08:58,460 And then we do the -keyout.
158 00:08:58,460 --> 00:09:03,950 I want the key to be here, private.pem. That's the key, the private key.
159 00:09:03,950 --> 00:09:06,130 And we talked about private versus public.
160 00:09:06,140 --> 00:09:09,410 You guys check out the encryption videos to learn more about this stuff.
161 00:09:09,740 --> 00:09:15,140 And then finally -out, which is the cert, cert.pem.
162 00:09:15,950 --> 00:09:21,710 And then just like that, if you hit enter, it starts generating the 4096.
163 00:09:21,710 --> 00:09:23,720 It's going to ask some questions.
164 00:09:23,870 --> 00:09:24,730 What's your country name?
165 00:09:24,740 --> 00:09:25,910 This is for the certificate.
166 00:09:26,600 --> 00:09:26,930 Right.
167 00:09:27,410 --> 00:09:31,310 Country is the U.S. and state is California.
168 00:09:31,460 --> 00:09:32,930 City is the McCulloh.
169 00:09:32,930 --> 00:09:36,800 That's where I live. Organization name.
170 00:09:36,830 --> 00:09:37,600 I don't know.
171 00:09:37,610 --> 00:09:41,690 Hussein Nasser, Hussein, sir.
172 00:09:42,500 --> 00:09:43,290 The server name.
173 00:09:43,310 --> 00:09:46,310 That's the most important thing and I don't really care.
174 00:09:46,310 --> 00:09:47,630 So I'm going to go ahead, localhost.
175 00:09:47,780 --> 00:09:48,170 Right.
176 00:09:49,130 --> 00:09:50,390 And finally, the email
177 00:09:53,210 --> 00:09:53,780 and that's it.
178 00:09:53,900 --> 00:09:56,480 Now we have the certificate and the private keys.
179 00:09:56,480 --> 00:09:57,410 If I do ls,
180 00:09:57,410 --> 00:10:00,950 we have the cert.pem and the private.pem.
181 00:10:00,950 --> 00:10:08,810 However, guys, the private.pem is secure by default and nobody can actually execute commands against
182 00:10:08,810 --> 00:10:08,990 it.
183 00:10:09,140 --> 00:10:12,960 So we need to do a chmod and change
184 00:10:13,040 --> 00:10:20,870 the mode on this to be 600, so that we allow execution on this file, and just for the sake of it, we
185 00:10:20,870 --> 00:10:26,300 also are going to change the owner to postgres, which is the user running this thing.
186 00:10:26,300 --> 00:10:30,970 So private.pem. And just like that, you need to execute these two commands.
187 00:10:30,980 --> 00:10:35,420 Obviously, guys, all the commands of this thing are available in the description below.
188 00:10:35,720 --> 00:10:44,060 And finally, we're going to exit, or we have to do docker stop pg, docker start pg, and let's
189 00:10:44,060 --> 00:10:46,990 go to my connection again.
190 00:10:47,000 --> 00:10:56,810 So now that we have actually enabled SSL, let's go through my connection and make this actually required.
191 00:10:56,840 --> 00:11:01,130 Remember, we used to get an error, but now I actually can connect.
192 00:11:02,150 --> 00:11:09,740 And that's how basically you enable SSL, right, and now that doesn't mean that you cannot connect
193 00:11:09,740 --> 00:11:12,730 through unsecure connections, right.
194 00:11:12,740 --> 00:11:16,210 So you can still go here and disable the connection here.
195 00:11:16,820 --> 00:11:17,240 Right.
196 00:11:17,250 --> 00:11:23,200 And the client says, hey, I don't want to actually connect with the server,
197 00:11:23,570 --> 00:11:25,670 so I don't want to communicate in encryption.
198 00:11:25,670 --> 00:11:29,560 So you can still communicate unencrypted to the server.
199 00:11:29,570 --> 00:11:37,100 But to do that, you can either force client server, client-side certificate to avoid that,
200 00:11:37,730 --> 00:11:43,190 or just use the pg_hba to enable certain clients to connect to that.
201 00:11:43,520 --> 00:11:50,650 That doesn't really matter, to be honest, because you're going to use anyway the pg_hba option; it should
202 00:11:50,690 --> 00:11:54,630 be used to only enable certain clients to connect to your Postgres database.
203 00:11:54,650 --> 00:11:55,040 All right.
204 00:11:55,250 --> 00:11:57,140 Quick video to show you this concept.
205 00:11:57,350 --> 00:11:59,830 Let me know what you think. I'm going to see you in the next one.
206 00:11:59,840 --> 00:12:00,590 You guys stay awesome.
207 00:12:00,680 --> 00:12:01,040 Goodbye.