Subject: Re: Question about UNIX socket connections and SSL
From: Casey & Gina
In-Reply-To: <1514893.1718219853@sss.pgh.pa.us>
Date: Wed, 12 Jun 2024 15:46:50 -0500
To: Tom Lane
Cc: pgsql-general@postgresql.org
Message-Id: <1E2A5972-443A-4C7B-88AA-3AE5E6415381@osss.net>
References: <5EDB1F7F-569B-48B2-8DCD-44EE17D41F1A@osss.net> <1514893.1718219853@sss.pgh.pa.us>

> On Jun 12, 2024, at 2:17 PM, Tom Lane wrote:
>
> (1) It'd add overhead without adding any security. Data going through
> a UNIX socket will only pass through the local kernel, and if that's
> compromised then it's game over anyway.

That's true. My preference would be to have an unencrypted connection via UNIX socket from the application to haproxy, then an encrypted connection using SSL certificate authentication from haproxy to the database. I spent some time attempting this. But that doesn't seem to be possible since haproxy doesn't understand the postgres protocol.

-- 
Regards,
- Casey
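As an added illustration (not part of this thread, and not haproxy's or PostgreSQL's own code), the script below shows the first exchange a libpq client performs before any TLS bytes flow: it sends an 8-byte SSLRequest packet and the server answers with a single byte, S (go ahead and start the TLS handshake on this socket) or N (stay in cleartext). The packet layout and the request code 80877103 are taken from the PostgreSQL frontend/backend protocol documentation; the fake server, the socketpair harness and all function names are assumptions made for this example. It illustrates why a TCP-level proxy that simply opens a TLS session to port 5432 does not work with the server releases current at the time of this thread: the server reads a startup packet first, so a raw TLS ClientHello arrives where an SSLRequest or StartupMessage is expected.

```python
import socket
import struct
import threading

# PostgreSQL frontend/backend protocol: SSLRequest is Int32 length (8)
# followed by Int32 request code 80877103 == (1234 << 16) | 5679.
SSL_REQUEST_CODE = 80877103
SSL_REQUEST_LEN = 8


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest a client sends before starting TLS."""
    return struct.pack("!ii", SSL_REQUEST_LEN, SSL_REQUEST_CODE)


def parse_ssl_request(data: bytes) -> bool:
    """True if `data` is exactly one SSLRequest packet (big-endian ints)."""
    if len(data) != SSL_REQUEST_LEN:
        return False
    length, code = struct.unpack("!ii", data)
    return length == SSL_REQUEST_LEN and code == SSL_REQUEST_CODE


def parse_ssl_response(byte: bytes) -> bool:
    """Interpret the server's one-byte answer: b'S' -> start TLS, b'N' -> cleartext."""
    if byte == b"S":
        return True
    if byte == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest response: {byte!r}")


def recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes (recv may return short reads on a real TCP socket)."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def negotiate_ssl(conn: socket.socket) -> bool:
    """Client side: send SSLRequest and read the reply.

    Returns True when the server agreed and the caller should now wrap `conn`
    in TLS (ssl.wrap / SSLContext.wrap_socket); False to continue in cleartext.
    """
    conn.sendall(build_ssl_request())
    return parse_ssl_response(recv_exact(conn, 1))


def fake_server(conn: socket.socket, accept_ssl: bool) -> bool:
    """Constructed stand-in for the server's startup-packet handling (assumption).

    A real server would go on to run the TLS handshake after sending 'S', or
    parse a StartupMessage if the first packet was not an SSLRequest. Here we
    only report whether the first 8 bytes were a well-formed SSLRequest.
    """
    first = recv_exact(conn, SSL_REQUEST_LEN)
    if parse_ssl_request(first):
        conn.sendall(b"S" if accept_ssl else b"N")
        return True
    # Anything else (e.g. a TLS ClientHello, 0x16 0x03 ...) is not an
    # SSLRequest; the real server would try to parse it as a startup packet.
    conn.close()
    return False


def run_exchange(accept_ssl: bool) -> bool:
    """Run client and fake server over a socketpair; return the client's result."""
    client_sock, server_sock = socket.socketpair()
    try:
        t = threading.Thread(target=fake_server, args=(server_sock, accept_ssl))
        t.start()
        negotiated = negotiate_ssl(client_sock)
        t.join()
        return negotiated
    finally:
        client_sock.close()
        server_sock.close()


if __name__ == "__main__":
    print("server accepts SSL  ->", run_exchange(True))   # True: client starts TLS
    print("server declines SSL ->", run_exchange(False))  # False: stays cleartext
```

Run it directly to see both outcomes. The takeaway for the proxy design in the message: whatever sits between the application and the database on the TLS leg has to speak this startup step itself, which is exactly what a protocol-unaware TCP proxy cannot do.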