| From: | Bruno Lavoie <bl(at)brunol(dot)com> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: PROXY protocol support |
| Date: | 2021-03-03 14:13:43 |
| Message-ID: | CAD+GXYOMrNH==n3=TuqBqvuo800MGV6SdFvPb88vSwYTH4YUvg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
+10 on this one!
Hosting a farm of read replicas and r/w endpoint behind an HAproxy makes
the powerful pg_hba purpose by hiding the real source address... which is
bad for some environments with strict conformance and audit requirements
Le mar. 2 mars 2021 à 12:43, Magnus Hagander <magnus(at)hagander(dot)net> a écrit :
> PFA a simple patch that implements support for the PROXY protocol.
>
> This is a protocol common and very light weight in proxies and load
> balancers (haproxy is one common example, but also for example the AWS
> cloud load balancers). Basically this protocol prefixes the normal
> connection with a header and a specification of what the original host
> was, allowing the server to unwrap that and get the correct client
> address instead of just the proxy ip address. It is a one-way protocol
> in that there is no response from the server, it's just purely a
> prefix of the IP information.
>
> Using this when PostgreSQL is behind a proxy allows us to keep using
> pg_hba.conf rules based on the original ip address, as well as track
> the original address in log messages and pg_stat_activity etc.
>
> The implementation adds a parameter named proxy_servers which lists
> the ips or ip+cidr mask to be trusted. Since a proxy can decide what
> the origin is, and this is used for security decisions, it's very
> important to not just trust any server, only those that are
> intentionally used. By default, no servers are listed, and thus the
> protocol is disabled.
>
> When specified, and the connection on the normal port has the proxy
> prefix on it, and the connection comes in from one of the addresses
> listed as valid proxy servers, we will replace the actual IP address
> of the client with the one specified in the proxy packet.
>
> Currently there is no information about the proxy server in the
> pg_stat_activity view, it's only available as a log message. But maybe
> it should go in pg_stat_activity as well? Or in a separate
> pg_stat_proxy view?
>
> (In passing, I note that pq_discardbytes were in pqcomm.h, yet listed
> as static in pqcomm.c -- but now made non-static)
>
> --
> Magnus Hagander
> Me: https://www.hagander.net/
> Work: https://www.redpill-linpro.com/
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Peter Eisentraut | 2021-03-03 14:14:01 | Re: Disallow SSL compression? |
| Previous Message | Peter Eisentraut | 2021-03-03 14:07:30 | Re: Let people set host(no)ssl settings from initdb |