PROXY protocol support (3+ messages / 2 participants)

* PROXY protocol support
From: Julien Riou @ 2019-05-19 14:26 UTC
To: [email protected]

Hello,

Nowadays, PostgreSQL is often used behind proxies. Some are PostgreSQL protocol aware (Pgpool, PgBouncer), some are pure TCP (HAProxy). From the database instance point of view, all clients come from the proxy. There are two major problems with this topology:

* It neutralizes the host based authentication. Every client shares the same source. Either we allow this source or not but we cannot allow clients on a more fine-grained basis, or not by the IP address.
* It makes debugging harder. If we have a DDL or a slow query logged, we cannot use the source to identify who is responsible.

On one hand, we can move the authentication and logging mechanisms to PostgreSQL based proxies but they will never be as complete as PostgreSQL itself. And they don't have features like HTTP health checks to redirect traffic to nodes (health, role, whatever behind the URL). On the other hand, those features are not implemented at all because they don't know the PostgreSQL protocol, they simply forward requests.

In the HTTP reverse proxies world, there's a "dirty hack" to identify the source IP address: add an HTTP header "X-Forwarded-For" to the request. It's the destination's duty to do whatever they want with this information. With this feature in mind, someone from HAProxy has implemented this mechanism at the protocol level. It's called the PROXY protocol.

With this piece of logic at the beginning of the protocol, we could implement a totally transparent proxy and benefit from the great features of PostgreSQL regarding clients.

Note that MariaDB supports the PROXY protocol in MaxScale (proxy) and MariaDB Server in recent versions.

My question is, what do you think of this feature? Is it worth to spend time implementing it in PostgreSQL or not?

Links:
- http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
- https://mariadb.com/kb/en/library/proxy-protocol-support/

Thanks,
Julien
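
An added example, not part of the original thread and not PostgreSQL, PgBouncer or HAProxy code: a receiver-side parser for the human-readable version 1 header from the linked HAProxy specification. It honours the header only when the TCP peer is a trusted proxy, which is what makes the recovered address safe to use for host-based rules and logs. `TRUSTED_PROXIES`, `effective_client` and all addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: the only addresses allowed to speak PROXY protocol to this server.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
MAX_V1_HEADER = 107  # longest v1 header line, CRLF included (HAProxy spec)


def effective_client(peer_ip, first_bytes):
    """Return (client_ip, remaining_bytes) for a newly accepted connection.

    peer_ip is the TCP peer address, first_bytes the first data received.
    Raises ValueError when a trusted proxy sends a missing or malformed header.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct clients cannot assert an address: a "PROXY ..." line from
        # them is left in the stream and fails as ordinary protocol data.
        return str(peer), first_bytes
    end = first_bytes.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1 or not first_bytes.startswith(b"PROXY "):
        raise ValueError("trusted proxy sent no PROXY v1 header")
    fields = first_bytes[:end].decode("ascii").split(" ")
    rest = first_bytes[end + 2:]
    if fields[1] == "UNKNOWN":
        return str(peer), rest  # spec: ignore the rest of the line
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    family = 4 if fields[1] == "TCP4" else 6
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match " + fields[1])
    for port in fields[4:6]:
        if not port.isdigit() or int(port) > 65535:
            raise ValueError("bad port in PROXY v1 header")
    return str(src), rest


if __name__ == "__main__":
    # Constructed sample: what a proxy would prepend for client 203.0.113.7.
    header = b"PROXY TCP4 203.0.113.7 10.0.0.9 51234 5432\r\n"
    print(effective_client("10.0.0.5", header + b"startup-packet"))
    print(effective_client("198.51.100.20", header + b"startup-packet"))
```

The second call shows the case that matters for host-based authentication: the same header arriving from an address outside `TRUSTED_PROXIES` does not change the client address.
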

* Re: PROXY protocol support
From: Stephen Frost @ 2019-05-19 15:15 UTC
To: Julien Riou <[email protected]>; +Cc: [email protected]

Greetings,

* Julien Riou ([email protected]) wrote:
> My question is, what do you think of this feature? Is it worth to spend
> time implementing it in PostgreSQL or not?

This isn't really the right list for this discussion, this list is for
discussing PGAdmin (the PG administration client) not for PG itself
(that list would be pgsql-hackers).

However, pgbouncer already provides this feature, so I'd say it's a good
feature and one that you want from your connection pooler.

Thanks,

Stephen

* Re: PROXY protocol support
From: Julien Riou @ 2019-05-19 15:30 UTC
To: Stephen Frost <[email protected]>; +Cc: [email protected]

On 19/05/19, Stephen Frost wrote:
> Greetings,
>
> * Julien Riou ([email protected]) wrote:
> > My question is, what do you think of this feature? Is it worth to spend
> > time implementing it in PostgreSQL or not?
>
> This isn't really the right list for this discussion, this list is for
> discussing PGAdmin (the PG administration client) not for PG itself
> (that list would be pgsql-hackers).
>
> However, pgbouncer already provides this feature, so I'd say it's a good
> feature and one that you want from your connection pooler.
>
> Thanks,
>
> Stephen

Good catch! I'm sorry. I will forward the conversation directly to the pgsql-hackers mailing list for further messages.

Julien