Re: ssl preread for postgres connection

Roman Arutyunyan
May 14, 2023 01:56AM
Hi Eduard,

On Sat, May 13, 2023 at 10:43:59PM -0600, Eduard Vercaemer wrote:
> for some context, I recently tried configuring nginx as a tcp proxy that routes
> connections based on sni to multiple upstream services
>
> the server only exposes one tcp port, and receives all connections there, for example
> a connection to redis.example.com:1234 would be proxy_pass'ed to some port in the
> machine, a connection to www.example.com:1234 to another, etc.
>
> i used nginx itself to terminate the tls for all services for convenience
>
> the problem:
> now here is the issue, 1: postgres does some weird custom ssl stuff, which means I
> cannot terminate the ssl from within nginx

In this case there must be an SSL error logged in the nginx error log.
Can you post it?

> 2: doing a tcp pass through without
> the ssl termination, and attempting to use ssl_preread and $ssl_preread_server_name
> _does not_ work for postgres connections (the module fails to extract the
> server name)
>
> what I attempted:
> what I first thought of was to expand on the ssl_preread module to support postgres
> connections, I went into the source code and found that the module inserts a handler into
> the `NGX_STREAM_PREREAD_PHASE`
> I tried looking into the buffer in this phase and no useful data showed up,

Incoming data is written to c->buffer as long as the handler returns NGX_AGAIN.
You just have to wait long enough and have a large enough buffer (see the
preread_buffer_size directive).

> I then tried to
> insert a second handler into the `NGX_STREAM_CONTENT_PHASE` and first noticed
> it is never used or initialised to begin with, so I did that, but then it looks like no buffer
> is ever available in this phase
>
> any input, pointers, or suggestions are really welcomed

If you want to register a content phase handler, assign it to cscf->handler.
A good example is ngx_stream_return() in src/stream/ngx_stream_return_module.c.

--
Roman Arutyunyan
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
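
Added example, not part of the reply above and not nginx code: a PostgreSQL client using the standard SSLRequest negotiation first sends an 8-byte cleartext SSLRequest and waits for a one-byte answer from the server before it sends any TLS bytes, so the preread buffer of a pass-through proxy holds that packet rather than a ClientHello carrying SNI. The standalone classifier below tells the two apart on whatever bytes have been buffered so far. The enum and function names are hypothetical, and `PREREAD_AGAIN` stands in for returning NGX_AGAIN from a preread handler.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes for this example. PREREAD_AGAIN plays the role
 * of returning NGX_AGAIN from a preread handler: keep buffering. */
typedef enum {
    PREREAD_AGAIN,          /* too few bytes to decide */
    PREREAD_TLS,            /* TLS handshake record, SNI parsing can proceed */
    PREREAD_PG_SSLREQUEST,  /* PostgreSQL SSLRequest, no TLS bytes sent yet */
    PREREAD_OTHER           /* neither protocol */
} preread_kind;

/* SSLRequest on the wire: Int32 length = 8, Int32 code = 80877103
 * ((1234 << 16) | 5679), both big-endian. */
static const unsigned char pg_sslrequest[8] = {
    0x00, 0x00, 0x00, 0x08, 0x04, 0xd2, 0x16, 0x2f
};

/* Classify the bytes buffered so far; safe to call again as more arrive. */
preread_kind classify_preread(const unsigned char *buf, size_t len)
{
    size_t n = len < sizeof(pg_sslrequest) ? len : sizeof(pg_sslrequest);

    if (len == 0) {
        return PREREAD_AGAIN;
    }
    if (buf[0] == 0x16) {               /* TLS record type: handshake */
        if (len < 2) {
            return PREREAD_AGAIN;
        }
        return buf[1] == 0x03 ? PREREAD_TLS : PREREAD_OTHER;
    }
    if (memcmp(buf, pg_sslrequest, n) != 0) {
        return PREREAD_OTHER;           /* diverges from SSLRequest */
    }
    return n < sizeof(pg_sslrequest) ? PREREAD_AGAIN : PREREAD_PG_SSLREQUEST;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    static const unsigned char tls[] = { 0x16, 0x03, 0x01, 0x00, 0x05 };

    printf("postgres: %d\n", classify_preread(pg_sslrequest, 8));
    printf("partial:  %d\n", classify_preread(pg_sslrequest, 3));
    printf("tls:      %d\n", classify_preread(tls, sizeof(tls)));
    return 0;
}
```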