SSL and SSH tunnel
ide99 supports all standard Postgres SSL modes plus connecting through an SSH tunnel — for cases when the database isn't reachable directly from outside.
SSL Mode
The parameter controls how the client negotiates encryption with the server. Same sslmode as in libpq.
| Mode |
Encryption |
Cert verification |
When to use |
disable |
no |
no |
Local only, when Postgres explicitly runs without TLS |
allow |
if server requires |
no |
Legacy configs, not recommended |
prefer |
if possible |
no |
Default. Fine for most managed databases |
require |
yes |
no |
Guarantees encryption, but doesn't verify who you connect to |
verify-ca |
yes |
CA only |
MITM protection when you have a corporate CA |
verify-full |
yes |
CA + hostname |
Strictest — recommended for prod |
Most managed Postgres (Supabase, Neon, AWS RDS, Yandex) require at least require. For critical prod databases use verify-full and put the CA file into the system keychain.
CA certificate
When verify-ca or verify-full is selected, ide99 uses your OS's CA store. If your server uses a private CA (e.g., Yandex Cloud publishes its own root.crt), download and install it:
macOS
sudo security add-trusted-cert -d -r trustRoot \
-k /Library/Keychains/System.keychain ~/Downloads/root.crt
Linux (Ubuntu/Debian)
sudo cp ~/Downloads/root.crt /usr/local/share/ca-certificates/yandex-root.crt
sudo update-ca-certificates
Windows
Double-click the .crt → Install Certificate → Local Machine → Trusted Root Certification Authorities.
After installing the CA, verify-full will start working.
SSH tunnel
If Postgres isn't reachable directly from your machine (closed VPC, corporate bastion), use an SSH tunnel: connect to the bastion via SSH and reach the database through it.
In v1.0, ide99 doesn't ship a built-in SSH client. Use the system ssh -L:
ssh -L 5433:db-internal.example.com:5432 user@bastion.example.com
This forwards local port 5433 through the bastion to the internal host db-internal.example.com:5432. Keep the tunnel open (don't close the terminal).
In ide99 you set the connection to:
- Host:
localhost
- Port:
5433 (the local side of the colon)
- Other fields — for the target database
Persistent use is more convenient via ~/.ssh/config:
Host db-tunnel
HostName bastion.example.com
User user
LocalForward 5433 db-internal.example.com:5432
ServerAliveInterval 60
Then ssh db-tunnel opens the tunnel and you can hang it on autostart.
A built-in SSH tunnel is planned for one of the next releases — that'll remove the need to keep a terminal open.
SCRAM-SHA-256, MD5
ide99 negotiates the auth method automatically with the server. Anything Postgres 12+ supports is supported: trust, password, md5, scram-sha-256. No client-side configuration needed.
Certificate-based auth (mTLS)
If your server requires a client cert (common in enterprise setups): there's no UI yet for client cert/key in the connection form, expected in a future release. Until then, set PGCLIENTCERT, PGCLIENTKEY env vars before launching ide99 — the Postgres driver will pick them up.
Next