Postgres TLS-Only on Anubiz Offshore VPS
A self-hosted Postgres on an Anubiz VPS that accepts plaintext connections is a footgun even on a private subnet: anything else that can reach that network sees credentials and query traffic in the clear. Going TLS-only takes a handful of config lines and costs negligible CPU on modern hardware. This guide configures Postgres 16 on Ubuntu 24.04 to refuse non-TLS TCP connections, generates a self-signed CA, optionally enforces client certificates for replication peers, and uses scram-sha-256 for password authentication.
Step 1: Generate Cert
Either a certificate from a public CA such as Let's Encrypt, or your own self-signed CA. Let's Encrypt only works if the database host has a public DNS name you can prove control of, and its 90-day certificates need a renewal hook that reloads Postgres; for a database that only talks on a private subnet, a private CA is usually simpler. For self-signed: generate a CA key with openssl genpkey, self-sign the CA certificate, then issue a server certificate signed by that CA. The server certificate's subjectAltName must contain the hostname (or IP) clients will put in their connection string, or sslmode=verify-full will reject it. Place the files in /etc/postgresql/16/main/ssl/, owned by postgres with the key at mode 600. Postgres refuses to load a private key that is group- or world-readable; the only alternative layout it accepts is a root-owned key at mode 640 with group postgres.
Step 2: postgresql.conf
Add to postgresql.conf (or, on Debian/Ubuntu, drop a file into /etc/postgresql/16/main/conf.d/, which the packaged config includes): ssl = on, ssl_cert_file = '/etc/postgresql/16/main/ssl/server.crt', ssl_key_file = '/etc/postgresql/16/main/ssl/server.key', ssl_min_protocol_version = 'TLSv1.2'. TLSv1.2 has been the default minimum since Postgres 12, so that setting mostly documents intent. Set password_encryption = scram-sha-256 here as well (the default since Postgres 14, but make it explicit), and if you will use client certificates in Step 5, ssl_ca_file = '/etc/postgresql/16/main/ssl/ca.crt'. Remember that listen_addresses defaults to localhost; add the private interface, and note that this one parameter needs a restart rather than a reload.
Step 3: pg_hba.conf
Change every host entry to hostssl. local entries stay as they are: the Unix socket is not TCP and is protected by filesystem permissions. Use scram-sha-256 as the method on the hostssl lines (password_encryption itself is a postgresql.conf setting, not a pg_hba.conf one). Any role whose stored password is still an md5 hash must have its password set again so a SCRAM hash is stored; rolpassword in pg_authid starts with md5 for such roles and with SCRAM-SHA-256 once fixed. pg_hba.conf is first-match: with no host lines left, a plaintext TCP connection matches nothing and is rejected. A leading hostnossl all all 0.0.0.0/0 reject line makes that refusal explicit in the client's error message.
Step 4: Reload
systemctl reload postgresql picks up the ssl* settings, password_encryption and pg_hba.conf; only a changed listen_addresses needs systemctl restart postgresql. Test both directions: psql with sslmode=verify-full and sslrootcert pointing at your CA certificate must connect, and the same connection with sslmode=disable must be refused with a "no pg_hba.conf entry" error. Once connected, pg_stat_ssl shows the negotiated protocol version and cipher for your backend.
Step 5: Client Cert (optional)
For a replication peer add hostssl replication replicator 10.0.0.0/24 cert clientcert=verify-full. The cert method requires a client certificate that chains to ssl_ca_file and checks that its CN equals the role name (replicator here) unless you map it through pg_ident.conf; clientcert=verify-full is already implied by cert, so the option is accepted but redundant. Issue one client certificate per peer from your CA, keep its key at mode 600 on the standby, and point the standby's primary_conninfo at it with sslmode=verify-full, sslcert, sslkey and sslrootcert. Note that the database keyword all does not match replication connections, so this replication line is needed even when a broader hostssl line covers the same subnet.
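The five steps above collected into one script. This is an added example, not the guide's own code. It assumes the Debian/Ubuntu Postgres 16 layout (/etc/postgresql/16/main with conf.d included), a server hostname of db1.internal.example, a private interface at 10.0.0.10, replication peers in 10.0.0.0/24 connecting as role replicator, and a role with a SCRAM password whose credentials are in PGUSER/PGPASSWORD for the final check; every one of those names and addresses is a placeholder to replace. Run as root with `bash pg_tls_only.sh run`; sourcing the file without `run` only defines the functions.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Assumed values (change them):
# Debian/Ubuntu Postgres 16 layout, hostname db1.internal.example, private
# interface 10.0.0.10, replication peers in 10.0.0.0/24 using role "replicator".
set -eu

PGCONF_DIR=${PGCONF_DIR:-/etc/postgresql/16/main}
SSL_DIR=${SSL_DIR:-$PGCONF_DIR/ssl}
DB_HOST=${DB_HOST:-db1.internal.example}   # must match the name clients verify against
LISTEN_IP=${LISTEN_IP:-10.0.0.10}
PEER_NET=${PEER_NET:-10.0.0.0/24}
CA_DAYS=3650
CERT_DAYS=825

# Step 1: private CA (P-256) and certificates signed by it.
make_ca() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$SSL_DIR/ca.key"
  # Ubuntu's default openssl.cnf marks "req -x509" output as CA:TRUE via its v3_ca section.
  openssl req -x509 -new -key "$SSL_DIR/ca.key" -days "$CA_DAYS" \
    -subj "/CN=postgres-internal-ca" -out "$SSL_DIR/ca.crt"
}

# issue_cert NAME CN [DNS-SAN]: with a SAN it is a server cert, without one a client cert.
issue_cert() {
  name=$1 cn=$2 san=${3:-}
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$SSL_DIR/$name.key"
  openssl req -new -key "$SSL_DIR/$name.key" -subj "/CN=$cn" -out "$SSL_DIR/$name.csr"
  if [ -n "$san" ]; then
    # verify-full matches the host= parameter against the SAN, not the CN
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$san" > "$SSL_DIR/$name.ext"
  else
    printf 'extendedKeyUsage=clientAuth\n' > "$SSL_DIR/$name.ext"
  fi
  openssl x509 -req -in "$SSL_DIR/$name.csr" -CA "$SSL_DIR/ca.crt" -CAkey "$SSL_DIR/ca.key" \
    -CAcreateserial -days "$CERT_DAYS" -extfile "$SSL_DIR/$name.ext" -out "$SSL_DIR/$name.crt"
  rm -f "$SSL_DIR/$name.csr" "$SSL_DIR/$name.ext"
}

# Step 2: postgresql.conf fragment for conf.d (Debian's packaged config includes it).
render_pgconf() {
  cat <<EOF
ssl = on
ssl_cert_file = '$SSL_DIR/server.crt'
ssl_key_file = '$SSL_DIR/server.key'
ssl_ca_file = '$SSL_DIR/ca.crt'
ssl_min_protocol_version = 'TLSv1.2'
password_encryption = scram-sha-256
listen_addresses = 'localhost,$LISTEN_IP'
EOF
}

# Step 3: pg_hba.conf with no plaintext TCP entries. A non-TLS connection would match
# no line and be rejected anyway; the leading hostnossl rows make the error explicit.
# "cert" already implies clientcert=verify-full, so the option is omitted here.
render_hba() {
  cat <<EOF
# TYPE      DATABASE     USER         ADDRESS         METHOD
hostnossl   all          all          0.0.0.0/0       reject
hostnossl   all          all          ::/0            reject
local       all          postgres                     peer
local       all          all                          peer
hostssl     all          all          127.0.0.1/32    scram-sha-256
hostssl     all          all          $PEER_NET       scram-sha-256
hostssl     replication  replicator   $PEER_NET       cert
EOF
}

# Lint: print any pg_hba line that would still admit a plaintext TCP connection.
hba_plaintext_lines() {
  grep -En '^[[:space:]]*host[[:space:]]|^[[:space:]]*hostnossl[[:space:]]' "$1" \
    | grep -Ev '[[:space:]]reject([[:space:]]|$)' || true
}

# Steps 4-5: prove both directions. Needs PGUSER/PGPASSWORD for a role with a SCRAM password.
verify_tls_only() {
  if psql "host=$DB_HOST sslmode=disable dbname=postgres" -c 'select 1' >/dev/null 2>&1; then
    echo "FAIL: plaintext connection accepted" >&2; return 1
  fi
  psql "host=$DB_HOST sslmode=verify-full sslrootcert=$SSL_DIR/ca.crt dbname=postgres" \
    -c 'select ssl, version, cipher from pg_stat_ssl where pid = pg_backend_pid()'
}

main() {
  install -d -o postgres -g postgres -m 700 "$SSL_DIR"
  make_ca
  issue_cert server "$DB_HOST" "$DB_HOST"
  issue_cert replicator replicator        # CN must equal the role name for the cert method
  chown postgres:postgres "$SSL_DIR"/*
  chmod 600 "$SSL_DIR"/*.key; chmod 644 "$SSL_DIR"/*.crt
  render_pgconf > "$PGCONF_DIR/conf.d/10-tls.conf"
  render_hba > "$PGCONF_DIR/pg_hba.conf"
  [ -z "$(hba_plaintext_lines "$PGCONF_DIR/pg_hba.conf")" ] || { echo "plaintext rule present" >&2; exit 1; }
  systemctl restart postgresql            # listen_addresses needs a restart; the rest would reload
  verify_tls_only
  echo "Copy replicator.crt, replicator.key (mode 600) and ca.crt to the standby, then delete $SSL_DIR/replicator.key here."
}

case "${1:-}" in run) main ;; esac
```

The standby then sets primary_conninfo to something like host=db1.internal.example user=replicator sslmode=verify-full sslcert=/path/replicator.crt sslkey=/path/replicator.key sslrootcert=/path/ca.crt; no password is involved because the cert method authenticates the peer. The hba_plaintext_lines lint is worth keeping in whatever config management you use, since a later hand edit that adds a host line silently reopens plaintext.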
Ready to get started?
Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.