Re: PROXY protocol support

From: Arthur Nascimento <tureba(at)gmail(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: PostgreSQL Developers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: PROXY protocol support
Date: 2021-03-02 18:42:27
Message-ID: CALVFHFbd=LDH8CAWz7KdLw0CJbudQGmayjRrAHoOuPbmEo7Fpw@mail.gmail.com
Lists: pgsql-hackers

Hi,

On Tue, 2 Mar 2021 at 14:43, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> PFA a simple patch that implements support for the PROXY protocol.

Nice. I didn't know I needed this. But in hindsight, I would've used
it quite a few times in the past if I could have.

> The implementation adds a parameter named proxy_servers which lists
> the ips or ip+cidr mask to be trusted. Since a proxy can decide what
> the origin is, and this is used for security decisions, it's very
> important to not just trust any server, only those that are
> intentionally used. By default, no servers are listed, and thus the
> protocol is disabled.

Might make sense to add special cases for 'samehost' and 'samenet', as
in hba rules, as proxy servers are commonly on the same machine or
share one of the same internal networks.

Despite the security issues, I'm sure people will soon try and set
proxy_servers='*' or 'all' if they think this setting works as
listen_addresses or as pg_hba. But I don't think I'd make these use
cases easier.

Tureba - Arthur Nascimento
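
The trust rule discussed in this message, as an added example (not code from the patch or from PostgreSQL): a PROXY v1 header is honoured only when the TCP peer is on the trusted list, an empty list disables the protocol, and '*' / 'all' are refused. The function names, the rejection behaviour for unlisted or header-less peers, and the sample addresses are assumptions made for illustration; the binary v2 header is not handled.

```python
import ipaddress

WILDCARDS = {"*", "all"}  # fine for listen_addresses / pg_hba, refused here

def parse_trusted(setting):
    """Parse a comma-separated list of IPs or IP/CIDR; empty means disabled."""
    nets = []
    for item in (s.strip() for s in setting.split(",")):
        if not item:
            continue
        if item.lower() in WILDCARDS:
            raise ValueError(f"{item!r} would let any peer choose its own origin")
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def client_address(peer_ip, first_line, trusted):
    """Return the address to use for access decisions on a new connection.

    peer_ip is the real TCP peer; first_line is the first line it sent (bytes).
    """
    peer = ipaddress.ip_address(peer_ip)
    has_header = first_line.startswith(b"PROXY ")
    if not any(peer in net for net in trusted):
        # Unlisted peer: its claimed origin must never be believed.
        if has_header:
            raise PermissionError(f"PROXY header from unlisted peer {peer}")
        return peer
    # Assumption: a listed proxy always sends the header, so no guessing.
    if not has_header or not first_line.endswith(b"\r\n"):
        raise ValueError("listed proxy sent no valid PROXY v1 line")
    fields = first_line[:-2].decode("ascii").split(" ")
    if fields[1] == "UNKNOWN":
        return peer  # v1 spec: ignore any addresses, use the real peer
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 line")
    src = ipaddress.ip_address(fields[2])
    if src.version != (4 if fields[1] == "TCP4" else 6):
        raise ValueError("address family mismatch in PROXY v1 line")
    return src

if __name__ == "__main__":
    # Constructed sample: proxy at 10.0.0.5 forwarding a client at 198.51.100.7.
    trusted = parse_trusted("10.0.0.5, 192.168.1.0/24")
    line = b"PROXY TCP4 198.51.100.7 10.0.0.5 56324 5432\r\n"
    print(client_address("10.0.0.5", line, trusted))  # listed proxy
    print(client_address("203.0.113.9", b"", trusted))  # direct connection
```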
