Re: ssl preread for postgres connection

J Carter
May 14, 2023 02:44PM
On Sun, 14 May 2023 19:09:30 +0100
J Carter <jordanc.carter@outlook.com> wrote:

> Hello,
>
> > On Sun, 14 May 2023 17:33:10 +0300
> > Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> > Hello!
> >
> > On Sun, May 14, 2023 at 09:55:54AM +0400, Roman Arutyunyan wrote:
> >
> > > Hi Eduard,
> > >
> > > On Sat, May 13, 2023 at 10:43:59PM -0600, Eduard Vercaemer wrote:
> > >
> > > > for some context, I recently tried configuring nginx as a tcp
> > > > proxy that routes
> > > > connections based on sni to multiple upstream services
> > > >
> > > > the server only exposes one tcp port, and receives all
> > > > connections there, for example
> > > > a connection to redis.example.com:1234 would be proxy_pass'ed to
> > > > some port in the
> > > > machine, a connection to www.example.com:1234 to another, etc.
> > > >
> > > > i used nginx itself to terminate the tls for all services for
> > > > convenience
> > > >
> > > > the problem:
> > > > now here is the issue, 1: postgres does some weird custom ssl
> > > > stuff, which means I
> > > > cannot terminate the ssl from within nginx
> > >
> > > In this case there must be an SSL error logged in nginx error log.
> > > Can you post it?
> >
> > Postgres uses their own protocol with STARTTLS-like interface to
> > initiate SSL handshake, see here:
> >
> > https://www.postgresql.org/docs/current/protocol-flow.html#id-1.10.6.7.12
> >
> > That is, it's not going to work with either SSL termination or
> > SSL preread, and needs an implementation of the Postgres protocol.
> >
> > [...]
> >
>
> Out of curiosity I looked into what 'others' had done for Postgres's
> application level negotiation.
>
> https://github.com/envoyproxy/envoy/issues/10942
>
> OP, it might be possible for you to hack this into ssl_preread.c in
> ngx_stream_ssl_preread_handler in a similar fashion to that
> workaround.
>
> It seems you just need to listen / wait for the SSLRequest magic
> message bytes, send the 'fake' response, then do the normal handshake
> logic.
>
> https://www.postgresql.org/docs/current/protocol-message-formats.html
>
> The other issue is if you want TLS from NGINX -> Postgresql Upstream
> you'd need another hack somewhere in ngx_stream_proxy_module.c
> (or a custom content handler as mentioned above).

Or even in ngx_stream_handler.c to do it properly, similar to how
proxy protocol is handled (obviously with writes too).
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
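The exchange discussed in this thread, written out as an added example that is not nginx's code, not the Envoy workaround linked above, and not anything the list participants posted. It models, in Python, what a stream proxy would have to do before `ssl_preread` can see an SNI: recognise the 8-byte PostgreSQL SSLRequest (Int32 length 8, Int32 code 80877103, from the protocol-message-formats page linked in the thread), answer the single byte `S`, and only then treat the following bytes as a TLS ClientHello. The function names, the `sslmode` handling on the client side (a simplified model of libpq) and the sample byte strings are constructed for the example; the GSSENCRequest code is recognised only so it is not mistaken for something else.

```python
import struct

# PostgreSQL SSLRequest: Int32(8) length, Int32 code (1234 << 16) | 5679 = 80877103.
# GSSENCRequest uses the next code, 80877104 (recognised here only to classify it).
PG_SSLREQUEST_CODE = (1234 << 16) | 5679
PG_GSSENCREQUEST_CODE = (1234 << 16) | 5680
PG_SSLREQUEST = struct.pack("!ii", 8, PG_SSLREQUEST_CODE)   # constructed client message

# A TLS record carrying a ClientHello starts with type 0x16 (handshake), major version 3.
TLS_HANDSHAKE_PREFIX = b"\x16\x03"


def classify_preread(data: bytes) -> str:
    """Classify the first bytes a client sends on a raw TCP stream.

    ssl_preread only understands the TLS case; a PostgreSQL client sends its
    SSLRequest before any TLS record, so a plain preread sees no ClientHello.
    """
    if data.startswith(TLS_HANDSHAKE_PREFIX):
        return "tls-client-hello"
    if len(data) >= 8:
        length, code = struct.unpack("!ii", data[:8])
        if length == 8 and code == PG_SSLREQUEST_CODE:
            return "postgres-sslrequest"
        if length == 8 and code == PG_GSSENCREQUEST_CODE:
            return "postgres-gssencrequest"
    return "unknown"


def proxy_first_reply(data: bytes) -> tuple[bytes, bytes]:
    """Return (bytes the proxy writes back, bytes to hand to the TLS layer).

    A TLS ClientHello needs no reply; the bytes are replayed into the TLS
    handshake as ssl_preread already does.  For a PostgreSQL SSLRequest the
    proxy answers 'S' (the 'fake' response from the thread); the client's
    next bytes are then an ordinary TLS ClientHello carrying the SNI.
    """
    kind = classify_preread(data)
    if kind == "tls-client-hello":
        return b"", data
    if kind == "postgres-sslrequest":
        return b"S", data[8:]
    raise ValueError(f"cannot negotiate TLS for {kind} traffic")


def client_next_step(reply: bytes, sslmode: str) -> str:
    """Simplified model of the libpq side (hypothetical, not libpq itself).

    'S' means start TLS now.  'N' means the server declines TLS; only
    sslmode=require / verify-ca / verify-full refuse the plaintext fallback,
    which is exactly the downgrade a proxy must not introduce by replying 'N'.
    """
    if reply == b"S":
        return "start-tls"
    if reply == b"N":
        return "abort" if sslmode in ("require", "verify-ca", "verify-full") else "plaintext"
    raise ValueError("unexpected response to SSLRequest")


def simulate(sslmode: str = "require") -> list[str]:
    """Walk the exchange in memory with the constructed SSLRequest."""
    trace = []
    client_out = PG_SSLREQUEST                 # client -> proxy
    trace.append(classify_preread(client_out))
    reply, _leftover = proxy_first_reply(client_out)
    trace.append(reply.decode())               # proxy -> client: 'S'
    trace.append(client_next_step(reply, sslmode))   # client starts TLS next
    return trace


if __name__ == "__main__":
    print(simulate("require"))
```

Two points the model makes visible: the proxy has to write `S` before a single TLS byte arrives, which is why the thread says this cannot live in the read-only preread path as it stands; and a client running with `sslmode=prefer` accepts `N` and continues in plaintext, so any proxy that ever answers `N` (or forwards the SSLRequest to an upstream that does) silently removes TLS for those clients.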