diff --git a/lib/db-postgres.ts b/lib/db-postgres.ts
index efed172..40795ac 100644
--- a/lib/db-postgres.ts
+++ b/lib/db-postgres.ts
@@ -10,13 +10,28 @@ const DATABASE_URL = process.env.DATABASE_URL ||

 let pool: Pool | null = null;

+// Internal Docker network connections (Coolify) don't use SSL.
+// Only enable SSL for external/RDS/cloud DB connections.
+function getSslConfig() {
+ const url = DATABASE_URL;
+ if (!url) return undefined;
+ // Internal Docker hostnames never use SSL
+ if (url.includes('localhost') || url.includes('127.0.0.1') ||
+ /postgresql:\/\/[^@]+@[a-z0-9_-]+:\d+\//.test(url)) {
+ return undefined;
+ }
+ // External cloud DBs (RDS, AlloyDB, etc.) need SSL
+ if (process.env.DB_SSL === 'true') {
+ return { rejectUnauthorized: false };
+ }
+ return undefined;
+}
+
 export function getPool() {
 if (!pool) {
 pool = new Pool({
 connectionString: DATABASE_URL,
- ssl: process.env.NODE_ENV === 'production' ? {
- rejectUnauthorized: false,
- } : undefined,
+ ssl: getSslConfig(),
 max: 20,
 idleTimeoutMillis: 30000,
 connectionTimeoutMillis: 2000,
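Review bot: The `DB_SSL === 'true'` branch of `getSslConfig()` returns `{ rejectUnauthorized: false }`, so the external connections this function is meant to protect are encrypted but the server certificate is never verified, and any host on the path can present its own certificate; prefer `return { rejectUnauthorized: true };`, supplying the provider's CA bundle through the `ca` option if it is not in the system trust store. The internal-host test runs before the `DB_SSL` check and applies `url.includes('localhost')` to the whole connection string, so a password, database name or a host such as `localhost.example.com` silently turns TLS off even when the operator set `DB_SSL=true`; compare the parsed host instead, e.g. `const host = new URL(url).hostname;`. Deployments that previously got TLS from `NODE_ENV === 'production'` now fall back to plaintext unless `DB_SSL` is set, which deserves a startup log line or a note in the deploy docs. The body of `getPool()` continues past the end of the hunk.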