Skip to main content
DCDeploy provides a TCP Proxy feature to expose databases and custom TCP-based services securely.
When SSL is enabled, all traffic between your client and the service is encrypted, ensuring data confidentiality and integrity.

​
Overview

  • Secure database connections using SSL/TLS.
  • Works with Postgres, MySQL, MongoDB, Redis, and other TCP-based services.
  • Certificates are automatically issued and managed by DCDeploy.
  • Supports both public TCP URLs and private network connections.

​
Use Cases

  • Connect to databases from external clients securely.
  • Enforce SSL-only connections for compliance and security.
  • Protect sensitive workloads (e.g., financial, healthcare, production apps).

​
Enabling SSL for TCP Proxy

When exposing a database/service over TCP, enable SSL in your service configuration.
  • exposeTCP: true → Enables public TCP proxy.
  • ssl: true → Enforces SSL for connections.

​
Connecting to Databases with SSL

Postgres Example 
psql "host=my-db.DCDeploy.cloud port=5432 dbname=mydb user=myuser password=mypass sslmode=require"
MySQL Example 
mysql --host=my-db.DCDeploy.cloud --port=3306 --user=myuser --password --ssl-mode=REQUIRED
MongoDB Example 
mongo "mongodb://myuser:mypass@my-db.DCDeploy.cloud:27017/mydb?ssl=true"

​
Using SSL Certificates

Some clients require explicit SSL certificates for validation. DCDeploy provides:
  • CA Certificate – to verify server identity.
  • Client Certificate & Key – for mutual TLS (optional).
Download from the DCDeploy dashboard → Database → SSL Certificates. Example: 
psql "host=my-db.DCDeploy.cloud port=5432 dbname=mydb user=myuser password=mypass sslmode=verify-full sslrootcert=ca.pem"
Example: Node.js (Postgres with SSL) 
import { Client } from 'pg';
import fs from 'fs';

const client = new Client({
  host: 'my-db.DCDeploy.cloud',
  port: 5432,
  database: 'mydb',
  user: 'myuser',
  password: 'mypass',
  ssl: {
    rejectUnauthorized: true,
    ca: fs.readFileSync('./ca.pem').toString(),
  },
});

await client.connect();

​
Troubleshooting

  • SSL connection error
    • Ensure sslmode=require or equivalent flag is set.
    • Check if the CA certificate is loaded correctly.
  • Timeouts
    • Verify the service is exposed with exposeTCP: true.
    • Check firewall or VPN restrictions.
  • Self-signed certificate errors
    • Use sslmode=verify-full with the provided CA cert.

​
Best Practices

  • Always enable SSL for external TCP connections.
  • Use private networking if clients are inside the same DCDeploy environment.
  • Rotate client certificates periodically.
  • Enforce mutual TLS for sensitive workloads.