public inbox for [email protected]
help / color / mirror / Atom feedFrom: Casey & Gina <[email protected]>
To: Tom Lane <[email protected]>
Cc: [email protected]
Subject: Re: Question about UNIX socket connections and SSL
Date: Wed, 12 Jun 2024 15:46:50 -0500
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
> On Jun 12, 2024, at 2:17 PM, Tom Lane <[email protected]> wrote:
>
> (1) It'd add overhead without adding any security. Data going through
> a UNIX socket will only pass through the local kernel, and if that's
> compromised then it's game over anyway.
That's true. My preference would be to have an unencrypted connection via UNIX socket from the application to haproxy, then an encrypted connection using SSL certificate authentication from haproxy to the database. I spent some time attempting this. But that doesn't seem to be possible since haproxy doesn't understand the postgres protocol.
--
Regards,
- Casey
view thread (6+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: Question about UNIX socket connections and SSL
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox