From 3ce10dc45b042554b204ba73ebb976ece0d3aad4 Mon Sep 17 00:00:00 2001
From: Mark Henderson
Date: Fri, 27 Feb 2026 13:01:57 -0800
Subject: [PATCH] =?UTF-8?q?fix:=20remove=20SSL=20for=20internal=20Docker?= =?UTF-8?q?=20DB=20connections=20=E2=80=94=20fixes=20500=20on=20projects?= =?UTF-8?q?=20API?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Made-with: Cursor
---
 lib/db-postgres.ts | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/lib/db-postgres.ts b/lib/db-postgres.ts
index efed172..40795ac 100644
--- a/lib/db-postgres.ts
+++ b/lib/db-postgres.ts
@@ -10,13 +10,28 @@ const DATABASE_URL = process.env.DATABASE_URL ||
 let pool: Pool | null = null;
+// Internal Docker network connections (Coolify) don't use SSL.
+// Only enable SSL for external/RDS/cloud DB connections.
+function getSslConfig() {
+ const url = DATABASE_URL;
+ if (!url) return undefined;
+ // Internal Docker hostnames never use SSL
+ if (url.includes('localhost') || url.includes('127.0.0.1') ||
+ /postgresql:\/\/[^@]+@[a-z0-9_-]+:\d+\//.test(url)) {
+ return undefined;
+ }
+ // External cloud DBs (RDS, AlloyDB, etc.) need SSL
+ if (process.env.DB_SSL === 'true') {
+ return { rejectUnauthorized: false };
+ }
+ return undefined;
+}
+
 export function getPool() {
 if (!pool) {
 pool = new Pool({
 connectionString: DATABASE_URL,
- ssl: process.env.NODE_ENV === 'production' ? {
- rejectUnauthorized: false,
- } : undefined,
+ ssl: getSslConfig(),
 max: 20,
 idleTimeoutMillis: 30000,
 connectionTimeoutMillis: 2000,
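Review bot: In `getSslConfig` the internal-host test runs against the whole connection string, so `url.includes('localhost')` also matches a password, a database name or a host such as `localhost.example.com`, and because it runs before the `DB_SSL` check it silently turns TLS off even when `DB_SSL=true`. Compare the parsed host instead, e.g. `const host = new URL(url).hostname;` followed by `if (host === 'localhost' || host === '127.0.0.1' || !host.includes('.')) return undefined;`. When TLS is enabled the function still returns `{ rejectUnauthorized: false }`, which encrypts the session but does not authenticate the server, so an interposed host on the path to an external DB goes undetected; `return { rejectUnauthorized: true };` with the provider's CA bundle supplied through the `ca` option would close that gap. The default also moves from TLS in production to plaintext unless `DB_SSL` is set, so a startup log line stating whether TLS is on would keep existing external-DB deployments from downgrading unnoticed. The `getPool` body continues past the end of the hunk.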