Database Connections
QueryGlow supports 6 databases with built-in SSH tunnels for secure remote access. All credentials are encrypted at rest using AES-256-GCM.
Supported Databases
Which Method Should I Use?
| Your Setup | Connection Method | SSL? |
|---|---|---|
| Database on same server as QueryGlow | localhost | No |
| Your own VPS (Hetzner, DigitalOcean, etc.) | SSH Tunnel | No (tunnel encrypts) |
| Cloud database (Supabase, RDS, Neon, etc.) | Direct connection | Yes (required) |
Scenario 1: Database on Same Server
QueryGlow and your database are on the same machine. This is the simplest setup.
Connection Settings
localhost5432 (or 3306 for MySQL)NoOffQueryGlow uses network_mode: host in production, so it can access localhost services directly.
Scenario 2: Your Own VPS (SSH Tunnel)Recommended
Your database is on a remote server you control. The database port is NOT exposed to the internet (correct security!). SSH Tunnel lets QueryGlow connect securely through your existing SSH access.
Why SSH Tunnel?
Your properly-secured VPS firewall should look like this:
80/tcp ALLOW # HTTP
443/tcp ALLOW # HTTPS
# Port 5432 is NOT listed = blocked ✓
SSH Tunnel "teleports" QueryGlow inside your server, where it can access the database on localhost.
How to Configure
- Open the New Connection dialog.
- Toggle "Connect via SSH Tunnel" ON.
- Enter your SSH details:
- SSH Host: Your server's public IP (e.g.,
168.119.x.x) - SSH Port:
22(default) - SSH Username: Your server user (e.g.,
root,ubuntu,deploy) - SSH Private Key: Paste the full contents of your private key (must be without passphrase)
- SSH Host: Your server's public IP (e.g.,
- Configure the database connection:
Host:
localhostor127.0.0.1Port:
5432SSL:
No(SSH encrypts the connection)Use
localhostbecause you're "inside" the server through the tunnel.
⚠️ Passphrase-protected keys are not supported. QueryGlow connects programmatically without interactive input. Generate a passphrase-less key for QueryGlow:
ssh-keygen -t ed25519 -f ~/.ssh/queryglow_key -N "" cat ~/.ssh/queryglow_key.pub >> ~/.ssh/authorized_keys cat ~/.ssh/queryglow_key # Copy this into QueryGlow
Scenario 3: Cloud Database (Direct + SSL)
Managed databases like Supabase, AWS RDS, Neon, or PlanetScale. You don't have SSH access—the provider manages security.
Connection Settings
db.xxx.supabase.co5432Yes ✓OffGet your host, username, and password from your provider's dashboard (Connection Details or Connection String section).
Supabase
Settings → Database → Connection string
Neon
Dashboard → Connection Details
PlanetScale
Connect → General → Copy credentials
AWS RDS
RDS Console → Connectivity & security
Environment Color Coding
Every connection has an Environment setting. This adds visual indicators to help prevent accidental changes to production data.
Tip: Combined with Safe Mode, these visual cues help prevent accidental DROP TABLE or mass DELETE operations.
SQLite Configuration
Security: Path Restriction
For security, SQLite database paths are restricted to the /app/data directory inside the container. This prevents path traversal attacks.
How to Use SQLite
- Copy your SQLite file to the QueryGlow data directory:cp /path/to/your.db ~/queryglow/data/
- In QueryGlow, connect using the container path:/app/data/your.db
- To create a new database, just specify a path that doesn't exist yet. QueryGlow will create it.
CockroachDB Tip
Connection timeout? If you see "Timeout acquiring a connection", change localhost to 127.0.0.1. This avoids IPv6/IPv4 mismatch issues.
Credential Security
- ✓Encrypted at rest: Passwords and SSH keys are encrypted using AES-256-GCM before storage.
- ✓Unique per installation: Encryption uses your
SESSION_SECRETas the key. - ✓Tamper-proof: GCM mode detects if stored credentials have been modified.