Re: PROXY protocol support

From: wilfried roset <wilfried(dot)roset(at)gmail(dot)com>
To: pgsql-hackers(at)lists(dot)postgresql(dot)org
Cc: Magnus Hagander <magnus(at)hagander(dot)net>
Subject: Re: PROXY protocol support
Date: 2022-04-01 22:16:59
Message-ID: 164885141909.1182.16644150267648497596.pgcf@coridan.postgresql.org
Lists: pgsql-hackers

Hi,

I've been able to test the patch. Here is a recap of the experimentation.

# Setup

All tests have been done with 3 VMs (PostgreSQL, HAProxy, psql client) on
Debian 11 communicating over a private network.
* PostgreSQL has been built with proxy_protocol_11.patch applied on master branch (465ab24296).
* psql client is from postgresql-client-13 from Debian 11 repository.
* HAProxy version used is 2.5.5-1~bpo11+1 installed from https://haproxy.debian.net

# Configuration

PostgreSQL has been configured to listen only on its private IP. To enable
proxy protocol support `proxy_port` has been configured to `5431` and
`proxy_servers` to `10.0.0.0/24`. `log_connections` has been turned on to make
sure the correct IP address is logged. `log_min_duration_statement` has been
configured to 0 to log all queries. Finally `log_destination` has been
configured to `csvlog`.

pg_hba.conf is like this:

    local   all           all                   trust
    host    all           all   127.0.0.1/32    trust
    host    all           all   ::1/128         trust
    local   replication   all                   trust
    host    replication   all   127.0.0.1/32    trust
    host    replication   all   ::1/128         trust
    host    all           all   10.0.0.208/32   md5

Where 10.0.0.208 is the IP of the psql client's VM.

HAProxy has two frontends, one for proxy protocol (port 5431) and one for
regular TCP traffic. The configuration looks like this:

    listen postgresql
        bind 10.0.0.222:5432
        server pg 10.0.0.253:5432 check

    listen postgresql_proxy
        bind 10.0.0.222:5431
        server pg 10.0.0.253:5431 send-proxy-v2

Where 10.0.0.222 is the IP of HAProxy's VM and 10.0.0.253 is the IP of
PostgreSQL's VM.

# Tests

* from psql's VM to HAProxy on port 5432 (no proxy protocol)
  --> connection denied by pg_hba.conf, as expected

* from psql's VM to PostgreSQL's VM on port 5432 (no proxy protocol)
  --> connection success with psql's VM IP in logfile and pg_stat_activity

* from psql's VM to PostgreSQL's VM on port 5431 (proxy protocol)
  --> unable to open a connection, as expected

* from psql's VM to HAProxy on port 5431 (proxy protocol)
  --> connection success with psql's VM IP in logfile and pg_stat_activity

I've also tested without proxy protocol enabled (and pg_hba.conf updated
accordingly); PostgreSQL behaves as expected.

# Conclusion

From my point of view the documentation is clear enough and the feature works
as expected.
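
Added example, not part of the original message and not code from the patch: a minimal Python model of the checks a PROXY-protocol v2 listener has to make, using the addresses from the setup above. The function names, the TCP source port 40000 and the choice to keep the peer address for the v2 LOCAL command are assumptions for illustration.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # fixed 12-byte PROXY v2 signature
TRUSTED = ["10.0.0.0/24"]               # proxy_servers value from the message


class ProxyHeaderError(Exception):
    """Raised when the connection on the proxy port must be rejected."""


def build_v2_header(src, dst, sport, dport):
    """Constructed sample input: the TCP/IPv4 header a proxy would prepend."""
    body = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    body += struct.pack("!HH", sport, dport)
    return SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body


def effective_client(peer_ip, data, proxy_servers=TRUSTED):
    """Return the (ip, port) to use for logging and pg_hba-style matching."""
    peer = ipaddress.ip_address(peer_ip)
    # Only peers inside the trusted ranges may state someone else's address.
    if not any(peer in ipaddress.ip_network(n) for n in proxy_servers):
        raise ProxyHeaderError("peer %s is not a trusted proxy" % peer)
    # A client speaking plain PostgreSQL protocol has no signature here.
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ProxyHeaderError("missing PROXY v2 signature")
    ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
    body = data[16:16 + length]
    if ver_cmd >> 4 != 2 or len(body) < length:
        raise ProxyHeaderError("bad version or truncated header")
    cmd = ver_cmd & 0x0F
    if cmd == 0:                        # LOCAL: sent by the proxy itself
        return (str(peer), None)
    if cmd != 1:                        # anything but PROXY is invalid
        raise ProxyHeaderError("unknown command")
    if fam == 0x11 and length >= 12:    # TCP over IPv4
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
    elif fam == 0x21 and length >= 36:  # TCP over IPv6
        src, _dst, sport, _dport = struct.unpack("!16s16sHH", body[:36])
    else:
        raise ProxyHeaderError("unsupported address family")
    return (str(ipaddress.ip_address(src)), sport)
```

In this model every address inside `proxy_servers` is trusted to state the client address, so the narrower the range (here the proxy is 10.0.0.222), the smaller the set of hosts whose headers are believed.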
