Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing

From: Lukas Meisegeier <MeisegeierLukas(at)gmx(dot)de>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing
Date: 2020-12-10 15:49:35
Message-ID: 37846a5e-bb5e-0c4f-3ee8-54fb4bd02fab@gmx.de
Lists: pgsql-hackers

Hi,

I am trying to host multiple postgresql-servers on the same ip and the same
port through SNI-based load-balancing.
Currently this is not possible because of two issues:
1. The psql client won't set the tls-sni-extension correctly
(https://www.postgresql.org/message-id/20181211145240.GL20222%40redhat.com)
2. The psql connection protocol implements an SSLRequest in plain text
before actually opening a connection.

The first issue is easily solvable by calling
`SSL_set_tlsext_host_name(conn->ssl, conn->connhost[conn->whichhost].host)`
before opening the connection.

The second issue is also solvable through a new parameter
"ssltermination" which, if set to "proxy", skips the initial
SSLRequest and connects directly through SSL.
The default value would be "server", which changes nothing about the
existing behaviour.

I compiled the psql-client with these changes and was able to connect to
2 different databases through the same ip and port just by changing the
hostname.

This fix is important to allow multiple postgres instances on one ip
without having to add a port number.

I implemented this change on a fork of the postgres mirror on github:
https://github.com/klg71/mayope_postgres

The affected files are:
- src/interfaces/libpq/fe-connect.c (added ssltermination parameter)
- src/interfaces/libpq/libpq-int.h (added ssltermination parameter)
- src/interfaces/libpq/fe-secure-openssl.c (added tls-sni-extension)

I appended the relevant diff.

Best Regards
Lukas

Attachment: diff (text/plain, 15.9 KB)
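Added example (not from the post or the linked fork) illustrating the second issue above: a TCP proxy that routes on SNI can only do so if the first bytes on the wire are a TLS ClientHello. With the current libpq behaviour the first bytes are PostgreSQL's plaintext SSLRequest packet (int32 length 8, int32 code 80877103 as documented in the frontend/backend protocol), which carries no hostname. The script builds that packet, captures the ClientHello a client would send if it started TLS directly (using Python's ssl MemoryBIO, so no network is touched), and parses the server_name extension out of it. The hostnames and backend addresses are constructed for the demonstration.

```python
import ssl
import struct

# PostgreSQL SSLRequest: int32 length (8) followed by int32 code 80877103
# (1234 in the upper 16 bits, 5679 in the lower 16 bits), as documented in
# the frontend/backend protocol.
SSLREQUEST_CODE = 80877103


def build_sslrequest() -> bytes:
    """First bytes libpq sends today (the proposal's default 'server' termination)."""
    return struct.pack("!ii", 8, SSLREQUEST_CODE)


def capture_client_hello(server_hostname: str) -> bytes:
    """First bytes a client sends if it skips SSLRequest and starts TLS directly
    (the proposed 'proxy' termination). The handshake runs against in-memory
    BIOs, so only the ClientHello is produced and no connection is made."""
    ctx = ssl.create_default_context()
    incoming = ssl.MemoryBIO()
    outgoing = ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; handshake now waits for the server
    return outgoing.read()


def classify_first_bytes(data: bytes) -> str:
    """What a TCP proxy sees first on a fresh PostgreSQL connection."""
    if len(data) >= 8 and struct.unpack("!ii", data[:8]) == (8, SSLREQUEST_CODE):
        return "pg-sslrequest"      # plaintext protocol step, no hostname inside
    if len(data) >= 6 and data[0] == 0x16 and data[5] == 0x01:
        return "tls-clienthello"    # TLS handshake record carrying a ClientHello
    return "unknown"


def extract_sni(data: bytes):
    """Parse the server_name extension (RFC 6066) out of a ClientHello.
    Returns the host name, or None if the bytes are not a ClientHello with SNI."""
    if classify_first_bytes(data) != "tls-clienthello":
        return None
    pos = 5 + 4                 # TLS record header + handshake header
    pos += 2 + 32               # legacy_version + random
    pos += 1 + data[pos]        # session_id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + data[pos]        # compression_methods
    if pos + 2 > len(data):
        return None             # no extensions block at all
    ext_len = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(data))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if ext_type == 0:       # server_name extension
            body = data[pos:pos + ext_size]
            i = 2               # skip the ServerNameList length field
            while i + 3 <= len(body):
                name_type = body[i]
                name_len = struct.unpack("!H", body[i + 1:i + 3])[0]
                if name_type == 0:   # host_name
                    return body[i + 3:i + 3 + name_len].decode("ascii")
                i += 3 + name_len
            return None
        pos += ext_size
    return None


def route(data: bytes, backends: dict):
    """Pick a backend by SNI; None means the proxy cannot route this connection."""
    name = extract_sni(data)
    return backends.get(name) if name else None


if __name__ == "__main__":
    # constructed sample backends: two instances behind one ip and port
    backends = {"db1.example.test": "10.0.0.11:5432",
                "db2.example.test": "10.0.0.12:5432"}
    req = build_sslrequest()
    print(classify_first_bytes(req), extract_sni(req), route(req, backends))
    hello = capture_client_hello("db2.example.test")
    print(classify_first_bytes(hello), extract_sni(hello), route(hello, backends))
```

The SSLRequest path returns no hostname, so the proxy has nothing to route on and must either terminate the connection itself or fall back to a single default backend; the direct-TLS path exposes the SNI name in the clear, which is exactly the information an SNI-based load-balancer needs.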
