Add SSL Support for MariaDB (#3444)

* Add ssl options for mariadb * Add ssl mode for mariadb Add ssl mode as documented in https://mysqlclient.readthedocs.io/user_guide.html#functions-and-attributes * run linting over settings.py * Add docs for SSL mode with MariaDB --------- Co-authored-by: shamoon <4887959+shamoon@users.noreply.github.com>
2025-10-30 03:56:23 -05:00 · 2023-05-22 20:46:29 +02:00
parent 07e07fc7e8
commit 30f73f39a0
2 changed files with 32 additions and 7 deletions
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -83,21 +83,29 @@ changed here.

 `PAPERLESS_DBSSLMODE=<mode>`

-: SSL mode to use when connecting to PostgreSQL.
+: SSL mode to use when connecting to PostgreSQL or MariaDB.

    See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).

-    Default is `prefer`.
+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-mode).
+
+    *Note*: SSL mode values differ between PostgreSQL and MariaDB.
+
+    Default is `prefer` for PostgreSQL and `PREFERRED` for MariaDB.

 `PAPERLESS_DBSSLROOTCERT=<ca-path>`

 : SSL root certificate path

    See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
    Changes path of `root.crt`.

+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-ca).
+
    Defaults to unset, using the documented path in the home directory.

 `PAPERLESS_DBSSLCERT=<client-cert-path>`
@@ -105,7 +113,11 @@ changed here.
 : SSL client certificate path

    See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
+
+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-cert).
+
    Changes path of `postgresql.crt`.

    Defaults to unset, using the documented path in the home directory.
@@ -115,7 +127,11 @@ changed here.
 : SSL client key path

    See [the official documentation about
-    sslmode](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
+
+    See [the official documentation about
+    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-key).
+
    Changes path of `postgresql.key`.

    Defaults to unset, using the documented path in the home directory.
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -506,7 +506,16 @@ if os.getenv("PAPERLESS_DBHOST"):
    # Leave room for future extensibility
    if os.getenv("PAPERLESS_DBENGINE") == "mariadb":
        engine = "django.db.backends.mysql"
-        options = {"read_default_file": "/etc/mysql/my.cnf", "charset": "utf8mb4"}
+        options = {
+            "read_default_file": "/etc/mysql/my.cnf",
+            "charset": "utf8mb4",
+            "ssl": {
+                "ssl_mode": os.getenv("PAPERLESS_DBSSLMODE", "PREFERRED"),
+                "ca": os.getenv("PAPERLESS_DBSSLROOTCERT", None),
+                "cert": os.getenv("PAPERLESS_DBSSLCERT", None),
+                "key": os.getenv("PAPERLESS_DBSSLKEY", None),
+            },
+        }

        # Silence Django error on old MariaDB versions.
        # VARCHAR can support > 255 in modern versions