Enable HTTPS access for RDS Supabase

This topic describes how to configure an SSL certificate for your RDS Supabase instance to enable HTTPS access.

Background

By default, RDS Supabase provides an HTTP endpoint (port 80) for basic application development and debugging. However, in a production environment or in any scenario that requires strong protection for data in transit, using the encrypted HTTPS protocol (port 443) is essential to protect data and prevent man-in-the-middle attacks.

RDS Supabase supports uploading a custom SSL certificate to enable HTTPS access. Once configured, the instance supports both HTTP and HTTPS, allowing you to choose the appropriate protocol and enhance your service's security.

Prerequisites

Before you begin, ensure that the following requirements are met:

  • An RDS Supabase instance has been successfully created and its status is Running. If you need to create an instance, see Create an RDS Supabase Project.

  • You have an SSL certificate file and a private key file that match the public endpoint of the instance.

    • Production environment (recommended): Purchase or request an SSL certificate from a trusted Certificate Authority (CA). For best compatibility, choose the RSA encryption algorithm (for example, RSA 2048-bit) when you request the certificate. The certificate set typically includes a certificate file with a .pem or .crt extension and a private key file with a .key extension.

    • Test environment: For testing, you can generate a self-signed certificate. This topic uses the mkcert tool as an example. Note that a self-signed certificate is not trusted by browsers or clients and should be used only for development and testing. Do not use a self-signed certificate in a production environment.

Procedure

Step 1: Get the public IP address

  1. Log on to the RDS console. In the left-side navigation pane, click AI App Development Supabase.

  2. In the top navigation bar, select a region. Then, click the ID of the target instance to open the Basic Information page.

  3. In the Network Information section, find and record the Outside the network connection address. You will use the IP address portion of this endpoint to generate the certificate.

Step 2: Prepare an SSL certificate

Important

The self-signed certificate described in this section is for demonstration purposes only. In a production environment, you must use a valid certificate obtained from a trusted CA.

This example uses the mkcert tool to generate a self-signed certificate for the instance's public IP address on your local machine.

  1. Install mkcert on your local development machine. The following example uses macOS and Homebrew:

    brew install mkcert

  2. Install a local CA and generate a root certificate. This command adds the root certificate to your system's trust store, making certificates from this CA trusted on your local machine.

    mkcert -install

  3. Generate a certificate for the instance's public IP address. Replace <public IP address from Step 1> in the command with the actual public IP address of your instance. Do not include the port number.

    mkcert 127.0.0.1 <public IP address from Step 1> ::1 localhost my-dev.local

    Example:

    mkcert 127.0.0.1 47.98.xx.xx ::1 localhost my-dev.local

    After the command succeeds, the certificate and private key files are saved as ./127.0.0.1+4.pem and ./127.0.0.1+4-key.pem, respectively.

Step 3: Configure the SSL certificate

  1. Return to the Basic Information page of your RDS Supabase instance.

  2. In the Network Information section, find the SSL Encryption setting and click the switch to enable it.

  3. In the SSL Settings dialog box, configure the following fields:

    • Server Certificate: Open the certificate file (for example, 127.0.0.1+4.pem), and copy and paste its full content into this text box.

    • Server Private Key: Open the private key file (for example, 127.0.0.1+4-key.pem), and copy and paste its full content into this text box.

  4. Verify that the information is correct and click OK.

    Note

    After you submit the configuration, the instance automatically restarts to apply the SSL settings. The restart causes a brief service interruption.

Step 4: Configure the IP whitelist

To allow clients to connect to the instance, you must add their public IP addresses to the instance's IP whitelist.

  1. On the instance's Basic Information page, navigate to the White list information section.

  2. In the White list information section, select the target whitelist group and click Modify, or click Create Whitelist.

  3. In the White list IP address: text box, enter the IP addresses or CIDR blocks that are allowed to access the instance. For example, 0.0.0.0/0 allows access from all IP addresses. This configuration poses a security risk and is recommended only for a test environment.

  4. Click OK to add the new IP addresses.

Step 5: Verify HTTPS access

  1. Wait until the instance status returns to Running.

  2. Go back to the Basic Information page of the instance. In the Network Information section, a new link that starts with https and uses port 443 is added under Outside the network connection address. The address that ends in :443 is the HTTPS link, and the address that ends in :80 is the HTTP link.

  3. Click the HTTPS link.

    • If you are using a valid certificate issued by a CA, your browser opens the Supabase welcome page directly.

    • If you are using a self-signed certificate, your browser displays a security warning, such as "Your connection is not private". This is expected behavior. You can bypass this warning to access the page (the specific wording for this action varies by browser).

  4. You can also click the original HTTP link to verify that access on port 80 is still available. Because HTTP access remains enabled, make sure that production clients use the HTTPS address.

You have now successfully enabled HTTPS access for your RDS Supabase instance.

Costs and risks

  • Costs

    • RDS Supabase instance fees: Charges are based on the selected instance type and subscription duration.

    • SSL certificate fees: Enabling the SSL feature is free. However, you must pay for commercial SSL certificates. Self-signed and free certificates have no cost.

  • Risks

    • Service interruption: After you configure or update an SSL certificate, the instance automatically restarts. This causes a brief service interruption that typically lasts for several minutes. Perform this operation during off-peak hours or a scheduled maintenance window.

    • Certificate configuration errors: If the uploaded certificate does not match the private key, or if their content or format is incorrect, the HTTPS service may fail to start. Always double-check the certificate and key before applying the configuration.

    • Certificate expiration: All SSL certificates have an expiration date. You must monitor the expiration date and renew the certificate in advance. An expired certificate will interrupt HTTPS access.

    • Security risks of self-signed certificates: Using a self-signed certificate in a production environment poses a significant security risk. It does not provide valid identity verification and may train users to ignore browser security warnings. Never use a self-signed certificate in a production environment. It is intended for internal development and testing only.
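
The certificate configuration and expiration risks above can be checked locally before you paste anything into the SSL Settings dialog box. The following script is an added example, not part of the original procedure or of any RDS tooling; it assumes OpenSSL 1.1.1 or later, and the function names, the sample address 203.0.113.10 and the 30-day default threshold are illustrative.

```shell
#!/bin/sh
# Added example: pre-upload checks for the Server Certificate / Server Private Key pair.
# Assumes OpenSSL 1.1.1 or later; all function names are illustrative.

# 0 if the certificate and the private key contain the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate's subjectAltName lists the given IPv4 address.
cert_covers_ip() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fqx "IP Address:$2"
}

# 0 if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed pair for trying the checks offline.
make_sample_pair() {   # usage: make_sample_pair DIR IP DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=constructed-sample" -addext "subjectAltName=IP:$2" \
        -keyout "$1/sample-key.pem" -out "$1/sample.pem" >/dev/null 2>&1
}

# Run all checks and report; returns non-zero if any check fails.
preflight() {          # usage: preflight CERT KEY PUBLIC_IP [MIN_DAYS]
    rc=0
    cert_matches_key "$1" "$2"          || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_covers_ip "$1" "$3"            || { echo "FAIL: $3 not in subjectAltName"; rc=1; }
    cert_valid_for_days "$1" "${4:-30}" || { echo "FAIL: expires within ${4:-30} days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: certificate, key and address are consistent"
    return "$rc"
}

# Check real files only when they are passed on the command line.
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

For the mkcert output from Step 2, run it as `sh preflight.sh 127.0.0.1+4.pem 127.0.0.1+4-key.pem <public IP address from Step 1>`.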