Re: PROXY protocol support

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Jacob Champion <pchampion(at)vmware(dot)com>
Cc: "daniel(at)yesql(dot)se" <daniel(at)yesql(dot)se>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: PROXY protocol support
Date: 2022-02-25 10:41:05
Message-ID: CABUevEzoaXRaOXocOUmXVENZ4N6fR+ag=Ur574r6QDHGgSq8YQ@mail.gmail.com
Lists: pgsql-hackers

On Tue, Nov 16, 2021 at 12:03 AM Jacob Champion <pchampion(at)vmware(dot)com> wrote:
>
> On Thu, 2021-11-04 at 12:03 +0100, Magnus Hagander wrote:
> > Thanks for the pointer, PFA a rebase.
>
> I think the Unix socket handling needs the same "success" fix that you
> applied to the TCP socket handling above it:
>
> > @@ -1328,9 +1364,23 @@ PostmasterMain(int argc, char *argv[])
> > ereport(WARNING,
> > (errmsg("could not create Unix-domain socket in directory \"%s\"",
> > socketdir)));
> > +
> > + if (ProxyPortNumber)
> > + {
> > + socket = StreamServerPort(AF_UNIX, NULL,
> > + (unsigned short) ProxyPortNumber,
> > + socketdir,
> > + ListenSocket, MAXLISTEN);
> > + if (socket)
> > + socket->isProxy = true;
> > + else
> > + ereport(WARNING,
> > + (errmsg("could not create Unix-domain PROXY socket for \"%s\"",
> > + socketdir)));
> > + }
> > }
> >
> > - if (!success && elemlist != NIL)
> > + if (socket == NULL && elemlist != NIL)
> > ereport(FATAL,
> > (errmsg("could not create any Unix-domain sockets")));
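
Review bot: The final check `if (socket == NULL && elemlist != NIL)` tests only the result of the most recent StreamServerPort() call, because the added `if (ProxyPortNumber)` block reassigns `socket` before that check is reached. With ProxyPortNumber set, a failed PROXY socket leaves `socket` NULL and raises the FATAL "could not create any Unix-domain sockets" regardless of what the earlier call for that directory returned, while a successful PROXY socket makes the check pass even after the "could not create Unix-domain socket in directory" warning. I suggest keeping a separate flag that is set whenever any socket is created and testing that flag here, as the removed `!success` line did, and using a separate variable for the PROXY result so the two outcomes are not conflated.
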
>
> Other than that, I can find nothing else to improve, and I think this
> is ready for more eyes than mine. :)

Here's another rebase on top of the AF_UNIX patch.

> To tie off some loose ends from upthread:
>
> I didn't find any MAXLISTEN documentation either, so I guess it's only
> a documentation issue if someone runs into it, heh.
>
> I was not able to find any other cases (besides ident) where using
> daddr instead of laddr would break things. I am going a bit snow-blind
> on the patch, though, and there's a lot of auth code.

Yeah, that's definitely a good reason for more eyes on it.

> A summary of possible improvements talked about upthread, for a future
> v2:
>
> - SQL functions to get the laddr info (scoped to superusers, somehow),
> if there's a use case for them
>
> - Setting up PROXY Unix socket permissions separately from the "main"
> socket
>
> - Allowing PROXY-only communication (disable the "main" port)

These all seem useful, but I'm liking the idea of putting them in a
v2, to avoid expanding the scope too much.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/

Attachment Content-Type Size
proxy_protocol_11.patch text/x-patch 40.9 KB
