From: Casey & Gina <[email protected]>
To: [email protected]
Subject: Question about UNIX socket connections and SSL
Date: Wed, 12 Jun 2024 10:34:56 -0500
Message-ID: <[email protected]>
It seems that libpq (maybe?) disables SSL when connecting through a UNIX socket to the database.
My setup involves an HA database cluster managed by Patroni. To route RW or RO connections to the correct node(s), we use haproxy, running locally on each application node. In the interest of being as efficient as possible, not using TCP unnecessarily, and having the ability to set appropriate permissions on the socket files, which increases security, we had configured the applications to connect to haproxy via local UNIX socket, and then haproxy would of course communicate over the network to the database servers via TCP.
More recently, we've started setting up SSL encryption and CA verification for all database connections going over the network. I discovered when working on this that SSL was being disabled due to the client connecting to haproxy via UNIX socket. After trying a bunch of things, I resigned myself to having to use TCP, and we changed the connection from the app to haproxy to TCP.
We also have a jump server set up for staff to connect to the database via an SSH tunnel. When this is used, an individual's database connection goes from their client over TCP to the jump server via the SSH tunnel, which directs their connection to an haproxy instance running there via UNIX socket, which then in turn connects to the database using TCP. Interestingly, even though traffic is being routed through a UNIX socket here, SSL encryption *does* work.
So why can't I use SSL when connecting from a client to a UNIX socket? I can understand that verify-full wouldn't work without it, but verify-full doesn't work even when using TCP with haproxy, as "localhost" doesn't match the database hostname. For now, I'm only concerned with the verify-ca sslmode. Is there a workaround possible that doesn't involve using TCP unnecessarily?
--
Thanks,
- Casey
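As an added example (not the poster's code, and not from libpq, Patroni or haproxy), a small Python audit of libpq-style connection strings that flags the two situations described in the message: a UNIX-socket host, where libpq does not negotiate SSL whatever sslmode says, and verify-full against a local proxy name that the server certificate will not match. The suggested `host=<certificate name> hostaddr=<proxy IP>` form relies on libpq using hostaddr for the connection and host for certificate verification; the checker assumes connection parameters come only from the string (PGHOST, PGSSLMODE and service files are not consulted).

```python
import re
from typing import Dict, List

# libpq keyword=value syntax: bare tokens or single-quoted values with \' and \\ escapes.
_KV = re.compile(r"(\w+)\s*=\s*(?:'((?:\\.|[^'\\])*)'|(\S+))")


def parse_conninfo(conninfo: str) -> Dict[str, str]:
    """Parse a libpq keyword/value connection string into a dict."""
    params: Dict[str, str] = {}
    for key, quoted, bare in _KV.findall(conninfo):
        value = quoted if quoted else bare
        params[key] = value.replace("\\'", "'").replace("\\\\", "\\")
    return params


def is_unix_socket_host(host: str) -> bool:
    """On Unix builds libpq treats an empty host, or one starting with '/', as a socket directory."""
    return host == "" or host.startswith("/")


def audit_conninfo(conninfo: str) -> List[str]:
    """Return one finding per host entry whose SSL expectation libpq cannot meet.

    Assumption: environment variables and pg_service.conf are ignored; only the
    string itself is inspected.
    """
    p = parse_conninfo(conninfo)
    sslmode = p.get("sslmode", "prefer")          # libpq default when unset
    hostaddr = p.get("hostaddr", "")               # numeric address; forces TCP
    findings: List[str] = []
    for host in p.get("host", "").split(","):     # libpq accepts a comma-separated host list
        if is_unix_socket_host(host) and not hostaddr:
            if sslmode != "disable":
                findings.append(f"host={host!r}: UNIX socket, libpq skips SSL so "
                                f"sslmode={sslmode} gives no encryption on this hop")
        elif sslmode == "verify-full" and host in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"host={host!r}: verify-full matches this name against the "
                            "server certificate; set host=<certificate name> and "
                            "hostaddr=<proxy IP> so the address is pinned separately")
    return findings
```

Run it over the connection strings your applications and jump-server tooling use; any finding means that hop is either unencrypted or will fail verification before the proxy even forwards it.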