public inbox for [email protected]
From: Casey & Gina <[email protected]>
To: Daniel Gustafsson <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: [email protected]
Subject: Re: Question about UNIX socket connections and SSL
Date: Thu, 13 Jun 2024 15:18:30 -0500
Message-ID: <[email protected]>
In-Reply-To: <[email protected]>
References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
> On Jun 13, 2024, at 6:47 AM, Daniel Gustafsson <[email protected]> wrote:
>
> While not strictly that, there was a patch not too long ago for teaching
> postgres the PROXY protocol.
As I understand it, PROXY protocol support would be nice if one connects through haproxy on standalone hosts, so that postgres could show the originating app servers as the client_addr / client_hostname. We used to have standalone host haproxies, but moved to haproxy instances on each app node for performance and scalability reasons (many app nodes). I guess it could also help if we were to run pgbouncer on the db nodes?
We're using haproxy to route connections to the appropriate database nodes - RW connections go to the current master in the cluster, and RO are balanced between replicas. It seems that libpq could allow SSL on UNIX sockets which would avoid having to utilize TCP for the local connections from the application to haproxy.
Is there any way to utilize sslmode=verify-full through something routing connections to the appropriate database instances, whether that's with haproxy or something else?
--
Thanks,
- Casey
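As an added example (not from this thread or from the haproxy or PostgreSQL projects), this is the kind of haproxy configuration that fits the setup described in the message: an haproxy instance on each app node, RW traffic forwarded to the current primary and RO traffic balanced across replicas, in TCP passthrough mode so the TLS session runs end to end between libpq and the PostgreSQL server and sslmode=verify-full still applies. Because libpq does not negotiate SSL over a Unix-domain socket, the local listeners are on loopback TCP; the host names, ports, certificate names and the Patroni-style REST health check on port 8008 are assumptions.

```haproxy
# Added example, not from the thread. Assumed names: db1..db3.example.internal
# are the database nodes, pg-rw/pg-ro.example.internal are names present in
# every node's server certificate SAN, and port 8008 serves a Patroni-style
# REST API answering /primary and /replica with HTTP 200 for the matching role.
global
    log stdout format raw local0

defaults
    mode    tcp             # pure TCP passthrough: haproxy never terminates TLS
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  1h
    timeout server  1h

# Writers: loopback listener forwarded to whichever node is currently primary.
frontend pg_rw
    bind 127.0.0.1:5432
    default_backend pg_primary

# Readers: loopback listener balanced across the replicas.
frontend pg_ro
    bind 127.0.0.1:5433
    default_backend pg_replicas

backend pg_primary
    option httpchk GET /primary
    http-check expect status 200
    default-server check port 8008 inter 3s fall 3 rise 2
    server db1 db1.example.internal:5432
    server db2 db2.example.internal:5432
    server db3 db3.example.internal:5432

backend pg_replicas
    balance roundrobin
    option httpchk GET /replica
    http-check expect status 200
    default-server check port 8008 inter 3s fall 3 rise 2
    server db1 db1.example.internal:5432
    server db2 db2.example.internal:5432
    server db3 db3.example.internal:5432

# Client side (libpq): hostaddr= points at the loopback listener, while host=
# names the service so that verify-full checks the server certificate against
# a name the certificate actually carries rather than "localhost":
#   host=pg-rw.example.internal hostaddr=127.0.0.1 port=5432 \
#   sslmode=verify-full sslrootcert=/etc/ssl/pg/ca.crt
```

For this to pass regardless of which node haproxy selects, every node's server certificate must include both service names in its SAN, and nothing in haproxy can inspect or rewrite the connection once the STARTTLS-style SSLRequest has been forwarded.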