How to securely host a pg DB for better auth
I have a server I want to host Postgres on for Better Auth.
The internet keeps telling me "Don't expose your DB to the internet", but my website is on Vercel; which is on the internet.
I could expose my Postgres LXC container to the internet, but that seems like bad practice.
I could proxy the requests with something like Nginx, but I fail to see how that would improve security; the requests are just proxied.
Something like PostgREST seems to securely expose the DB to the internet, but it doesn't seem like Better Auth would work with PostgREST.
I just need a way to connect the DB on my own server to Vercel for auth, but for some reason this seems very complicated. Or I'm just not getting something 😅
6 Replies
At the end of the day, all databases are exposed to the internet.
The difference is the rate-limiting, security systems, and other things in place to make sure a request to modify/update the DB is valid and fine.
Regarding using pg for Better-auth, it should be relatively simple, just follow our docs:
https://www.better-auth.com/docs/adapters/postgresql
Then you should find a way to host your postgres DB, you can watch youtube videos or something to figure that out.
This pg DB should come with your postgres connection string, which (as per our docs) you would put in your auth config for the `new Pool`.
This connection string would be on the server side of your Vercel app, and not exposed on the internet.
Could you just allow all AWS IPs, as Vercel is most likely using AWS?
https://ip-ranges.amazonaws.com/ip-ranges.json
Doesn't seem like that would be very secure; a lot of attacks come from AWS infra.
The AWS IPs, I assume, are at least partly dynamic (changing), which would require me to regularly update my IP list manually.
Well, you could set up a cron job to update the IP list every x hours, but yes
Pretty stupid that Vercel only allows static IPs for business users
Have a look @ https://vercel.com/docs/secure-compute. If you are not an enterprise customer they say this: "For Pro customers, a range cannot be defined and you must allow all internet traffic. If you wish to restrict access, we recommend using complex passwords and/or a custom header on your outbound requests that can be verified by your backend and set to reject traffic that doesn't contain this header." (source: https://vercel.com/guides/how-to-allowlist-deployment-ip-address)
My two cents: create a dev DB user for running migrations etc. and only allow it from your personal IP. Create a prod user that has access to only what it needs, down to the columns if you want. The password should be complex and long; allow all IPs, as that's a Vercel requirement.
Also keep logs, LOTS of logs; that way you can identify if anything is misconfigured and being exploited.
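The split between a migration role pinned to one IP and a least-privilege application role that may connect from anywhere, plus the logging the reply asks for, as an added example that is not from the thread or from Better Auth's docs. Database name, role names, the migrator's IP and the column list on `"user"` are assumptions; the table names follow Better Auth's core schema and the column list is a placeholder to tune to what your app actually updates.

```sql
-- Run as the postgres superuser on the server hosting the DB (constructed example).
-- Store SCRAM hashes, never md5, for every role created from here on.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
ALTER SYSTEM SET ssl = on;                 -- requires server.crt/server.key in the data dir
-- "LOTS of logs": every connection attempt, disconnect and slow statement.
ALTER SYSTEM SET log_connections = on;
ALTER SYSTEM SET log_disconnections = on;
ALTER SYSTEM SET log_min_duration_statement = 1000;   -- milliseconds
SELECT pg_reload_conf();

CREATE DATABASE betterauth;
\connect betterauth

-- Nobody gets objects in public by default; the roles below are granted explicitly.
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Dev/migration role: owns the schema, only ever used from your own machine.
CREATE ROLE betterauth_migrator LOGIN PASSWORD '<long-random-placeholder>'
  NOSUPERUSER NOCREATEDB NOCREATEROLE CONNECTION LIMIT 2;
GRANT ALL ON SCHEMA public TO betterauth_migrator;

-- Prod role used by the Vercel app: DML only, never DDL, capped connections.
CREATE ROLE betterauth_app LOGIN PASSWORD '<different-long-random-placeholder>'
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT CONNECTION LIMIT 20;
GRANT USAGE ON SCHEMA public TO betterauth_app;

-- Tables the migrator creates later are automatically usable by the app role.
ALTER DEFAULT PRIVILEGES FOR ROLE betterauth_migrator IN SCHEMA public
  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO betterauth_app;

-- After the migration has run, tighten one table down to the column level:
-- the app may update only the user fields it manages (assumed column list).
REVOKE UPDATE ON "user" FROM betterauth_app;
GRANT UPDATE ("name", "image", "emailVerified", "updatedAt") ON "user" TO betterauth_app;

-- pg_hba.conf (edit on the server, then SELECT pg_reload_conf()):
--   TYPE     DATABASE    USER                 ADDRESS           METHOD
--   hostssl  betterauth  betterauth_migrator  203.0.113.10/32   scram-sha-256
--   hostssl  betterauth  betterauth_app       0.0.0.0/0         scram-sha-256
--   hostssl  betterauth  betterauth_app       ::/0              scram-sha-256
--   host     all         all                  0.0.0.0/0         reject
-- Only TLS + SCRAM reaches either role; the migrator is pinned to one address,
-- the app role is world-reachable (Vercel Pro has no fixed egress) but can only
-- touch the tables and columns granted above.
```

Feed `betterauth_app`'s connection string (with `sslmode=require`) into the `new Pool` in your Better Auth config and keep the migrator's string off Vercel entirely.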