Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.nearbase.dev/llms.txt

Use this file to discover all available pages before exploring further.

IP Allowlist

Every Nearbase instance has an IP allowlist that controls which IP addresses are permitted to connect. By default, all IPs are allowed (0.0.0.0/0). For production databases, restrict this to only the IPs your application servers use.

Viewing and Editing the Allowlist

  1. Open the instance in the console.
  2. Go to the Security tab.
  3. You’ll see the current list of allowed IP addresses and CIDR ranges.
  4. Add or remove entries as needed, then save.

Allowlist Format

Entries can be individual IPs or CIDR ranges:
EntryDescription
203.0.113.42Allow a single IP address
203.0.113.0/24Allow an entire subnet
0.0.0.0/0Allow all IPs (default — not recommended for production)
Leaving 0.0.0.0/0 in the allowlist means your database port is reachable from any IP on the internet. It is still protected by password authentication and SSL, but removing broad allowlist entries adds an extra layer of defense.
For most deployments, allowlist only your application servers’ outbound IPs:
  • Single server: add its static IP.
  • Cloud provider (e.g., AWS, GCP): add your NAT gateway or egress IP range.
  • Local development: add your workstation’s IP temporarily. Remove it when done.
If your application runs on a service that does not have a static IP, consider routing database traffic through a NAT gateway or VPN with a fixed egress IP.

SSL / TLS

All Nearbase databases enforce TLS encryption in transit. Connections without SSL are rejected at the server level — there is no way to disable this.

Encryption at Rest

Data stored on disk is encrypted at rest using AES-256 encryption managed by the underlying cloud infrastructure.

Certificate Verification

When connecting with sslmode=require, the driver encrypts the connection but does not verify the server certificate. For stricter verification use sslmode=verify-full with a trusted CA bundle, or rely on sslmode=require which is sufficient for most applications. 
# Require SSL (recommended default)
psql "host={instance-id}.pg.nearbase.app port=5432 dbname=postgres user=admin password={password} sslmode=require"

Password Management

Your instance’s admin password is set during provisioning and displayed once in the console. Store it securely in your application’s secret management system (e.g., environment variables, a secrets manager like AWS Secrets Manager or HashiCorp Vault). If you need to reset your password, contact team@nearbase.dev.