Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing
From | Heikki Linnakangas |
---|---|
Subject | Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing |
Date | |
Msg-id | 305c14e9-5342-7f91-46f8-16a4792ecc8a@iki.fi |
In reply to | Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing (Lukas Meisegeier <MeisegeierLukas@gmx.de>) |
Responses |
Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing
Re: Feature Proposal: Add ssltermination parameter for SNI-based LoadBalancing |
List | pgsql-hackers |
On 11/12/2020 16:46, Lukas Meisegeier wrote:
> Hey Heikki,
>
> thanks for providing feedback :)
> The traffic between proxy and psql-server is unencrypted that's why I
> don't need to patch the server.

Ok.

> I tried returning a fixed response on the first plain SSLRequest
> forwarding it to a psql-server with ssl enabled and tried to switch then
> on the ssl connection startup but that didn't work out. I guess it's
> because the psql-server won't accept an ssl connection if it's not
> requested via SSLRequest.

Your proxy could receive the client's SSLRequest message, and respond with a single byte 'S'. You don't need to forward that to the real PostgreSQL server, since the connection to the PostgreSQL server is unencrypted. Then perform the TLS handshake, and forward all traffic to the real server only after that.

    Client: -> SSLRequest
     Proxy: <- 'S'
    Client: -> TLS ClientHello
     Proxy: [finish TLS handshake]

- Heikki
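The exchange described above, as an added example that is not part of the original message or of any PostgreSQL code: the proxy answers the SSLRequest itself, finishes the TLS handshake, and only then connects to an unencrypted backend chosen by SNI. The function names, the `backends` map and the certificate paths are assumptions made for the sketch.

```python
import socket
import ssl
import struct

SSL_REQUEST_CODE = 80877103  # (1234 << 16) | 5679 in the PostgreSQL wire protocol

def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before SSLRequest was complete")
        buf += chunk
    return buf

def answer_sslrequest(client):
    """Consume the SSLRequest and reply 'S'; the backend is never contacted here."""
    # Exactly 8 bytes are read, so whatever follows is left for the TLS layer.
    length, code = struct.unpack("!II", recv_exact(client, 8))
    if length != 8 or code != SSL_REQUEST_CODE:
        return False  # not an SSLRequest: refuse instead of relaying plaintext
    client.sendall(b"S")
    return True

def make_context(certfile, keyfile):
    """Server-side TLS context that records the SNI name on each connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)  # paths supplied by the caller (assumed)
    def remember_sni(sslsock, server_name, sslctx):
        sslsock.sni_name = server_name  # None if the client sent no SNI
    ctx.sni_callback = remember_sni
    return ctx

def handle_client(client, ctx, backends):
    """backends: assumed map of SNI hostname -> (host, port) of a plaintext server."""
    if not answer_sslrequest(client):
        client.close()
        return None
    tls = ctx.wrap_socket(client, server_side=True)  # finish the TLS handshake
    target = backends.get(getattr(tls, "sni_name", None))
    if target is None:
        tls.close()  # unknown or missing SNI: no default backend
        return None
    # Only now open the unencrypted connection to the real server.
    return tls, socket.create_connection(target)
```

The caller relays bytes between the two returned sockets; the client's StartupMessage arrives inside the TLS session and is forwarded to the backend unchanged.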