[FEAT] Support TLS connection for MariaDB in Docker setup

[sylvainblanchouin]

Is this a new feature request?

• I have searched the existing issues

Wanted change

Description

I would like to request support for secure TLS connections between BookStack (Docker setup) and a MariaDB database.

Currently, it appears that configuring a TLS-secured connection to MariaDB is either not documented or not fully supported in the official Docker setup.

Use case

In production environments, enforcing encrypted connections to the database is often required for security and compliance reasons. Using plain connections (non-TLS) can be a blocker in such environments.

Expected behavior

It should be possible to configure BookStack (via environment variables or configuration files) to connect to MariaDB using TLS, including:

• Providing CA certificate
• Optional client certificate and key
• Enforcing SSL mode (e.g. REQUIRED, VERIFY_CA, VERIFY_IDENTITY)

Suggested implementation

• Support additional environment variables such as:

      DB_SSL_CA
      DB_SSL_CERT
      DB_SSL_KEY
      DB_SSL_MODE
  

• Ensure these parameters are passed to the underlying database connection (Laravel / PDO)

Environment

BookStack version: 26.03.3
Docker setup: official image
MariaDB version: 10.11.16

Reason for change

MariaDB supports TLS connections and this is commonly used in containerized and cloud environments. Adding this support would improve security posture for production deployments.

Proposed code change

No response

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[aptalca]

Our recommended setup has bookstack accessing mariadb over the docker network that only those two containers share. No ports are mapped for mariadb, no external access. I don't believe using ssl would add much benefit, if anything, it would add overhead.

[sylvainblanchouin]

Thanks for your feedback.

I understand the recommended setup with a dedicated internal Docker network, which makes sense for simple deployments.

However, in my infrastructure, I’m using a centralized MariaDB Galera cluster to host multiple application databases. This allows me to:

• centralize database management
• handle backups consistently
• ensure high availability across services

In this context, BookStack is not running with a local MariaDB container but connects to this external cluster. Since connections may traverse networks beyond a single Docker bridge, enforcing TLS is required for security and compliance reasons.

That’s why having native TLS support in the Docker setup (or at least documented configuration options) would be very helpful for deployments like mine.

Thanks again for considering this use case.