Connecting Next.js with server actions to database with Internal Connection URL #507

Open
milanpanin opened this issue Sep 30, 2024 · 13 comments
@milanpanin

To Reproduce

After I created the Next application, deployed it to Dokploy and connected it to the Dokploy database (PostgreSQL), communication works if I connect via an external connection string, but when I change that connection string to internal in the environment, the build of the Next application crashes.

Current vs. Expected behavior

I expect to have a connection to the database through internal communication on the server and not through the Internet. I see an internet connection to the database as a huge security flaw.

Provide environment information

Ubuntu, Hetzner cax11 4gb.

Error in dokploy after I made change in ENV from external to internal connection string...

Initializing deployment
Build heroku_buildpacks: ✅
Source Type: github: ✅
24: Pulling from heroku/builder
Digest: sha256:11c05fd10f421614227b72ad21c5e0d44ca3ca1a3e1f6592da92f039e09d33f9
Status: Image is up to date for heroku/builder:24
24: Pulling from heroku/heroku
Digest: sha256:b2e3a768f6a89d3c47def9bda468b15eb9ba66ca4973e05546417b99bdefe94a
Status: Image is up to date for heroku/heroku:24
===> ANALYZING
Restoring data for SBOM from previous image
===> DETECTING
2 of 5 buildpacks participating
heroku/nodejs-engine      3.2.14
heroku/nodejs-npm-install 3.2.14
===> RESTORING
Restoring metadata for "heroku/nodejs-engine:web_env" from app image
Restoring metadata for "heroku/nodejs-engine:dist" from app image
Restoring metadata for "heroku/nodejs-engine:node_runtime_metrics" from app image
Restoring metadata for "heroku/nodejs-npm-install:npm_runtime_config" from app image
Restoring metadata for "heroku/nodejs-npm-install:npm_cache" from cache
Restoring data for "heroku/nodejs-engine:dist" from cache
Restoring data for "heroku/nodejs-npm-install:npm_cache" from cache
===> BUILDING

[Heroku Node.js Engine Buildpack]

[Checking Node.js version]
Node.js version not specified, using 20.x
Resolved Node.js version: 20.17.0

[Installing Node.js distribution]
Reusing Node.js 20.17.0 (linux-arm64)
Installing application metrics scripts

# Heroku Node.js npm Install Buildpack

- Installing node modules
  - Using npm version `10.8.2`
  - Restoring npm cache
  - Configuring npm cache directory
  - Running `npm ci "--production=false"`

      npm warn config production Use `--omit=dev` instead.
      
      added 52 packages, and audited 53 packages in 6s
      
      3 packages are looking for funding
        run `npm fund` for details
      
      found 0 vulnerabilities
            
  - Done (6.321s)
- Running scripts
  - Running `npm run build`

      
      > [email protected] build
      > next build
      
      Attention: Next.js now collects completely anonymous telemetry regarding usage.
      This information is used to shape Next.js' roadmap and prioritize features.
      You can learn more, including how to opt-out if you'd not like to participate in this anonymous program, by visiting the following URL:
      https://nextjs.org/telemetry
      
        ▲ Next.js 14.2.13
      
         Creating an optimized production build ...
       ✓ Compiled successfully
         Linting and checking validity of types ...
         Collecting page data ...
         Generating static pages (0/4) ...
         Generating static pages (1/4) 

         Generating static pages (2/4) 

         Generating static pages (3/4) 

      Error: getaddrinfo EAI_AGAIN testing-test-2b746e
          at /workspace/node_modules/pg-pool/index.js:45:11
          at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
          at async e (/workspace/.next/server/app/page.js:1:2507)
          at async a (/workspace/.next/server/app/page.js:1:2581) {
        errno: -3001,
        code: 'EAI_AGAIN',
        syscall: 'getaddrinfo',
        hostname: 'testing-test-2b746e',
        digest: '2404072697'
      }
      Error: getaddrinfo EAI_AGAIN testing-test-2b746e
          at /workspace/node_modules/pg-pool/index.js:45:11
          at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
          at async e (/workspace/.next/server/app/page.js:1:2507)
          at async a (/workspace/.next/server/app/page.js:1:2581) {
        errno: -3001,
        code: 'EAI_AGAIN',
        syscall: 'getaddrinfo',
        hostname: 'testing-test-2b746e',
        digest: '2404072697'
      }
      Error: getaddrinfo EAI_AGAIN testing-test-2b746e
          at /workspace/node_modules/pg-pool/index.js:45:11
          at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
          at async e (/workspace/.next/server/app/page.js:1:2507)
          at async a (/workspace/.next/server/app/page.js:1:2581) {
        errno: -3001,
        code: 'EAI_AGAIN',
        syscall: 'getaddrinfo',
        hostname: 'testing-test-2b746e',
        digest: '2404072697'
      }
      
      Error occurred prerendering page "/". Read more: https://nextjs.org/docs/messages/prerender-error
      
      Error: getaddrinfo EAI_AGAIN testing-test-2b746e
          at /workspace/node_modules/pg-pool/index.js:45:11
          at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
          at async e (/workspace/.next/server/app/page.js:1:2507)
          at async a (/workspace/.next/server/app/page.js:1:2581)
       ✓ Generating static pages (4/4)
      
      > Export encountered errors on following paths:
      	/page: /
            
  - Done (17.285s)
- Debug info
  - Command failed `npm run build`
    exit status: 1
    stdout: <see above>
    stderr: <see above>

! Failed to execute build script.
!
! The `Heroku Node.js npm Install Buildpack` allows customization of the build process by executing the following scripts if they are defined in `package.json`:
! - `heroku-prebuild` 
! - `heroku-build` or `build` 
! - `heroku-postbuild`
!
! An unexpected error occurred while executing `npm run build`. See the log output above for more information.
!
! Ensure that this command runs locally without error and retry your build.

ERROR: failed to build: exit status 1
ERROR: failed to build: executing lifecycle: failed with status code: 51
Error ❌
ERROR: failed to build: executing lifecycle: failed with status code: 51

Which area(s) are affected? (Select all that apply)

Application, Docker Compose, Docker

Additional context

I'll pass the repository of an example Next application that accesses the database. It is necessary to set the environment variable in Dokploy to the database for access. Variable name: DATABASE_URL

https://github.com/milanpanin/test-dokploy

@milanpanin milanpanin added the bug Something isn't working label Sep 30, 2024
@milanpanin
Author

@Siumauricio Do you have any suggestions on how to fix this problem?

@sangdth

sangdth commented Oct 1, 2024

I think I also face this issue, so if this is not intentional then it is a huge bug :(

@Siumauricio
Contributor

This error is normal. One way to solve it is to use an internal network so that the services can communicate. I know nixpacks has an open issue, railwayapp/nixpacks#1057; I do not know if heroku has an option to pass a custom network. The only way to solve that could be using your own custom Dockerfile.

@joshfester

@Siumauricio how do you set up an internal network for the app and database to communicate? I don't see anything in Dokploy or the documentation about it.

@Siumauricio
Contributor

Still no solution @joshfester, the only way is to expose the database to the internet, I have to add some way to pass a custom command to the dockerfile, since nixpacks or heroku doesn't accept custom networks.

@joshfester

Thanks @Siumauricio, would you expect it to work with a Dockerfile or maybe Docker Compose?

@Siumauricio
Contributor

Siumauricio commented Oct 18, 2024

docker/buildx#175 and moby/buildkit#978

I think there is no optimal way. According to what I investigated, you cannot specify a network because of buildkit; buildkit uses many caching features, secrets. The only way to solve this problem is disabling DOCKER_BUILDKIT=0 and adding a network flag to the dockerfile builder, because heroku nixpacks doesn't support networks, but we will lose all those features. At the moment there is no optimal solution, so the only way is exposing the database.

I have been trying with Dockerfile, but the problem is what I said above @joshfester

I think it is more a limitation of docker than of dokploy itself, since dokploy is a very fine wrapper over docker.

@milanpanin
Author

@Siumauricio And from your perspective, do you view the exposure of the database as a major security breach or not? Would you recommend going into production with such a database? In comparison with, for example, the Neon project, which allows connection to their remote databases in the same way, everything tells me that this is not a problem, but I would like to hear your opinion.

@sangdth

sangdth commented Oct 19, 2024

IMO it is less secure, yes, but I do not consider it a major breach. There are many companies that sell PostgreSQL as a service, and after paying them, they provide us nothing more than a database URL.

@Siumauricio
Contributor

I agree with @sangdth, it is less secure as it does not use any encryption, only the security of the database password.

I think implementing encryption for the database would be more secure.
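
An added example, not code from this thread or from Dokploy: one way to make the "exposed database" workaround depend on verified TLS rather than on the password alone is to build the node-postgres (`pg`) pool options from `DATABASE_URL` and refuse any external host without certificate verification. The function names, the dotless-hostname rule for "internal", and the sample credentials are assumptions for illustration.

```javascript
// Added example: derive pg Pool options from DATABASE_URL and require verified
// TLS whenever the database is reached by a public name or IP address.
// Names and the "internal host" rule below are illustrative assumptions.

// libpq sslmode values that allow plaintext or unauthenticated connections.
const WEAK_SSLMODES = new Set(['disable', 'allow', 'prefer']);

// Assumption: a dotless name (a Docker service name such as the
// "testing-test-2b746e" host in the build log) only resolves on the
// container network, so it is treated as internal.
function isInternalHost(host) {
  return host.length > 0 && !host.includes('.') && !host.includes(':');
}

function pgConfigFromUrl(databaseUrl, caPem) {
  const url = new URL(databaseUrl);
  if (!['postgres:', 'postgresql:'].includes(url.protocol)) {
    throw new Error(`unsupported scheme: ${url.protocol}`);
  }
  // Discrete fields instead of connectionString, so a stray sslmode query
  // parameter in the URL cannot silently weaken the ssl settings below.
  const base = {
    host: url.hostname,
    port: Number(url.port || 5432),
    user: decodeURIComponent(url.username),
    password: decodeURIComponent(url.password),
    database: decodeURIComponent(url.pathname.slice(1)),
  };
  if (isInternalHost(url.hostname)) {
    return { ...base, ssl: false }; // traffic stays on the Docker network
  }
  const sslmode = url.searchParams.get('sslmode');
  if (sslmode && WEAK_SSLMODES.has(sslmode)) {
    throw new Error(`sslmode=${sslmode} is not allowed for an external host`);
  }
  if (!caPem) {
    throw new Error('external database requires a CA certificate (PEM)');
  }
  // pg hands this object to Node's TLS layer; rejectUnauthorized makes the
  // client verify the server certificate against the supplied CA.
  return { ...base, ssl: { ca: caPem, rejectUnauthorized: true } };
}

// Usage with pg (assumed installed): new Pool(pgConfigFromUrl(process.env.DATABASE_URL, ca))
```

The PostgreSQL server must also be configured with a certificate for this to connect; the client-side check only guarantees that the application fails closed when it is not.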

@JuanM04

JuanM04 commented Oct 22, 2024

I've managed to do it by exposing the database through some port and accessing it with the VPS public IP. For security, I blocked that port with the firewall, so no one could access it from outside.

Also, it would be nice if something could be implemented with railwayapp/nixpacks#1119

@Siumauricio
Contributor

Actually that's a very good idea, good solution! @JuanM04

@Sparo

Sparo commented Oct 25, 2024

I’m not sure if this could be a solution, but I connected two services within the project by linking them to an external Docker network. I manually created the Docker network on the VPS with docker network create --driver overlay --attachable my_external_network, and then I created each service using a Docker Compose file, attaching them to the previously created external network. The services could see each other normally, and everything works.

Perhaps a good feature would be to allow the creation of external networks within Dokploy that are completely separate from any stack. These networks could then be reusable for other services as needed. Just saying, it could maybe be an interesting idea.

I am new to Dokploy, so maybe I am missing something.

Note: None of the services are publicly accessible except through the Traefik reverse proxy.
