Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing
From | Lukas Meisegeier |
---|---|
Subject | Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing |
Date | |
Msg-id | 1ef7d393-8966-af7c-f235-262cfa9478c4@gmx.de |
In reply to | Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing (Heikki Linnakangas <hlinnaka@iki.fi>) |
List | pgsql-hackers |
Hey Heikki,

thanks for providing feedback :)

The traffic between proxy and psql-server is unencrypted, that's why I don't need to patch the server.
I tried returning a fixed response on the first plain SSLRequest, forwarding it to a psql-server with ssl enabled, and tried to switch then on the ssl connection startup, but that didn't work out.
I guess it's because the psql-server won't accept an ssl connection if it's not requested via SSLRequest.
I would definitely appreciate if the psql-server could accept the TLS client hello directly, but we would still need to set the tls-sni-extension correctly.
Perhaps we could rename the parameter to "sslplainrequest(yes/no)" and start with making the plain SSLRequest optional in the psql-server.

Best Regards
Lukas

On 11-Dec-20 at 14:26, Heikki Linnakangas wrote:
> On 10/12/2020 17:49, Lukas Meisegeier wrote:
>> I try to host multiple postgresql-servers on the same ip and the same
>> port through SNI-based load-balancing.
>> Currently this is not possible because of two issues:
>> 1. The psql client won't set the tls-sni-extension correctly
>> (https://www.postgresql.org/message-id/20181211145240.GL20222%40redhat.com)
>>
>> 2. The psql connection protocol implements an SSLRequest in plain text
>> before actually opening a connection.
>>
>> The first issue is easily solvable by calling
>> `SSL_set_tlsext_host_name(conn->ssl,
>> conn->connhost[conn->whichhost].host)` before opening the connection.
>>
>> The second issue is also solvable through a new parameter
>> "ssltermination" which, if set to "proxy", will skip the initial
>> SSLRequest and connect directly through ssl.
>> The default value would be "server", which changes nothing on the
>> existing behaviour.
>
> Don't you need backend changes as well? The backend will still expect
> the client to send an SSLRequest. Or is the connection from the proxy to
> the actual server unencrypted?
>
> It's not very nice that the client needs to set special options,
> depending on whether the server is behind a proxy or not. Could you
> teach the proxy to deal with the SSLRequest message?
>
> Perhaps we should teach the backend to accept a TLS ClientHello
> directly, without the SSLRequest message. That way, the client could
> send the ClientHello without SSLRequest, and the proxy wouldn't need to
> care about SSLRequest. It would also eliminate one round-trip from the
> protocol handshake, which would be nice. A long deprecation/transition
> period would be needed before we could make that the default behavior,
> but that's ok.
>
> - Heikki
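The exchange the thread is arguing about, as an added example that is not part of the thread and not code from PostgreSQL or from Lukas's proxy: the client opens with the 8-byte plaintext SSLRequest, so an SNI-routing proxy that terminates TLS itself (with a plaintext leg to the backend, as Lukas describes) has to answer 'S' on its own before it can see the ClientHello and read the server_name extension; a ClientHello without SNI, which is what the thread says libpq sent at the time, leaves the proxy with nothing to route on. Only the SSLRequest wire constants are real; the BACKENDS table, the host names and the proxy functions are assumptions made for the example. The ClientHello is generated by OpenSSL through Python's memory BIOs, so nothing touches the network.

```python
"""Model of the libpq startup exchange an SNI-routing proxy has to handle.

Added example, not code from the thread or from PostgreSQL. Only the wire
constants are real; the backend table and host names are made up.
"""
import ssl
import struct
from typing import Optional, Tuple

# Real wire format: SSLRequest is Int32 length 8 followed by Int32 80877103.
SSL_REQUEST_CODE = (1234 << 16) | 5679
SSL_REQUEST = struct.pack("!ii", 8, SSL_REQUEST_CODE)

# Hypothetical routing table for the proxy: SNI host name -> backend address.
BACKENDS = {
    "db1.example.test": ("10.0.0.11", 5432),
    "db2.example.test": ("10.0.0.12", 5432),
}


def is_ssl_request(data: bytes) -> bool:
    """True if the first 8 bytes a client sent are a plaintext SSLRequest."""
    return len(data) >= 8 and struct.unpack("!ii", data[:8]) == (8, SSL_REQUEST_CODE)


def client_hello_for(hostname: Optional[str]) -> bytes:
    """Build a genuine TLS ClientHello with memory BIOs (no network needed).

    hostname=None yields a hello without the server_name extension, which is
    what the thread says libpq sent at the time.
    """
    ctx = ssl.create_default_context()
    if hostname is None:
        ctx.check_hostname = False  # wrap_bio refuses server_hostname=None otherwise
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # the ClientHello now sits in `outgoing`; nobody answers it
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """host_name from a ClientHello's server_name extension, or None if absent."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:      # handshake record, ClientHello
            return None
        hello = record[9:9 + int.from_bytes(record[6:9], "big")]
        pos = 2 + 32                                     # client_version, random
        pos += 1 + hello[pos]                            # session_id
        pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hello[pos]                            # compression_methods
        if pos + 2 > len(hello):
            return None                                  # no extensions block at all
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(hello[pos:pos + 2], "big")
            ext_len = int.from_bytes(hello[pos + 2:pos + 4], "big")
            body = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == 0 and len(body) >= 5 and body[2] == 0:  # server_name, host_name
                name_len = int.from_bytes(body[3:5], "big")
                return body[5:5 + name_len].decode("ascii")
            pos += 4 + ext_len
    except IndexError:
        pass  # truncated or malformed record: treat as "no SNI"
    return None


def proxy_reply_to_first_bytes(first_bytes: bytes) -> Optional[bytes]:
    """Step 1 on the proxy: answer the SSLRequest itself with 'S'.

    The proxy-to-backend leg is plaintext (as in the thread), so no backend is
    contacted yet. Anything else (StartupMessage, GSSENCRequest) never yields
    a ClientHello, so there is nothing to route on and we decline (None).
    """
    return b"S" if is_ssl_request(first_bytes) else None


def choose_backend(client_hello: bytes) -> Optional[Tuple[str, int]]:
    """Step 2 on the proxy: pick the backend from SNI, None if there is none."""
    sni = extract_sni(client_hello)
    return BACKENDS.get(sni) if sni else None


def simulate(hostname: Optional[str]) -> Tuple[Optional[str], Optional[Tuple[str, int]]]:
    """Run the client/proxy exchange in-process and report (sni, backend)."""
    assert proxy_reply_to_first_bytes(SSL_REQUEST) == b"S"  # client's 8 plaintext bytes
    hello = client_hello_for(hostname)                      # client's TLS record after 'S'
    return extract_sni(hello), choose_backend(hello)
```

`simulate("db1.example.test")` routes to the first backend, an unknown SNI name parses fine but finds no backend, and `simulate(None)` returns `(None, None)`: that last case is the libpq-without-SNI client from the thread, and it is why the proxy cannot be fixed on its own without the client change. Note that the 'S' answer is sent by the proxy before it knows which backend is meant, which is exactly the extra round trip Heikki's ClientHello-without-SSLRequest idea would remove.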