ssl preread for postgres connection

J Carter jordanc.carter at outlook.com
Sun May 14 18:09:30 UTC 2023


Hello,

> On Sun, 14 May 2023 17:33:10 +0300
> Maxim Dounin <mdounin at mdounin.ru> wrote:

> Hello!
> 
> On Sun, May 14, 2023 at 09:55:54AM +0400, Roman Arutyunyan wrote:
> 
> > Hi Eduard,
> > 
> > On Sat, May 13, 2023 at 10:43:59PM -0600, Eduard Vercaemer wrote:
> > > for some context, I recently tried configuring nginx as a tcp
> > > proxy that routes
> > > connections based on sni to multiple upstream services
> > > 
> > > the server only exposes one tcp port, and receives all
> > > connections there, for example
> > > a connection to redis.example.com:1234 would be proxy_pass'ed to
> > > some port in the
> > > machine, a connection to www.example.com:1234 to another, etc.
> > > 
> > > i used nginx itself to terminate the tls for all services for
> > > convenience
> > > 
> > > the problem:
> > > now here is the issue, 1: postgres does some weird custom ssl
> > > stuff, which means I
> > > cannot terminate the ssl from within nginx
> > 
> > In this case there must be an SSL error logged in nginx error log.
> > Can you post it?
> 
> Postgres uses their own protocol with STARTTLS-like interface to 
> initiate SSL handshake, see here:
> 
> https://www.postgresql.org/docs/current/protocol-flow.html#id-1.10.6.7.12
> 
> That is, it's not going to work with either SSL termination or 
> SSL preread, and needs an implementation of the Postgres protocol.
> 
> [...]
> 

Out of curiosity I looked into what 'others' had done for Postgres's
application level negotiation.

https://github.com/envoyproxy/envoy/issues/10942

OP, it might be possible for you to hack this into ssl_preread.c in
ngx_stream_ssl_preread_handler in a similar fashion to that workaround.

It seems you just need to listen / wait for the SSLRequest magic
message bytes, send the 'fake' response, then do the normal handshake
logic.

https://www.postgresql.org/docs/current/protocol-message-formats.html

The other issue is if you want TLS from NGINX -> Postgresql Upstream
you'd need another hack somewhere in ngx_stream_proxy_module.c 
(or a custom content handler as mentioned above).
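As an added illustration of the negotiation step described above (this is example code written for this page, not from the thread, nginx or Envoy): the proxy has to read exactly the 8-byte SSLRequest, answer with a single 'S' or 'N' byte, and only then does the client send a TLS ClientHello (on 'S') or a plaintext StartupMessage (on 'N'). That ordering is why plain ssl_preread cannot see the SNI on its own. The constants come from the Postgres protocol documentation; the function names, the socketpair standing in for the client/proxy connection, and the ClientHello bytes (only the record header is realistic, the rest is a constructed placeholder) are assumptions of this example. It also classifies GSSENCRequest and StartupMessage, which the thread does not discuss.

```python
import socket
import struct

# Postgres frontend/backend protocol constants (see protocol-message-formats).
PG_SSLREQUEST_CODE = 80877103   # (1234 << 16) | 5679, the SSLRequest "magic" code
PG_GSSENC_CODE = 80877104       # GSSENCRequest, same 8-byte shape as SSLRequest
PG_PROTOCOL_3_0 = 196608        # (3 << 16) | 0, version field of a StartupMessage
TLS_RECORD_HANDSHAKE = 0x16     # record content type carrying the ClientHello

# Constructed placeholder: a TLS handshake record header (0x16, version 3.1)
# followed by five filler bytes; NOT a real ClientHello.
CONSTRUCTED_CLIENTHELLO = bytes.fromhex("1603010005") + b"\x00" * 5


def classify_preread(buf: bytes) -> str:
    """Classify the first bytes seen on a stream connection.

    "tls"            - TLS handshake record (what ssl_preread expects)
    "pg_sslrequest"  - Postgres SSLRequest (proxy must answer S/N first)
    "pg_gssenc"      - Postgres GSSENCRequest
    "pg_startup"     - Postgres plaintext StartupMessage (protocol 3.0)
    "incomplete"     - need more bytes to decide
    "other"          - none of the above
    """
    if not buf:
        return "incomplete"
    if buf[0] == TLS_RECORD_HANDSHAKE:
        if len(buf) < 3:
            return "incomplete"
        return "tls" if buf[1] == 0x03 else "other"
    if len(buf) < 8:
        return "incomplete"   # every Postgres opener is at least 8 bytes
    length, code = struct.unpack("!II", buf[:8])   # big-endian int32, int32
    if length == 8 and code == PG_SSLREQUEST_CODE:
        return "pg_sslrequest"
    if length == 8 and code == PG_GSSENC_CODE:
        return "pg_gssenc"
    if code == PG_PROTOCOL_3_0 and length > 8:
        return "pg_startup"
    return "other"


def build_sslrequest() -> bytes:
    """The 8-byte SSLRequest a libpq client sends first."""
    return struct.pack("!II", 8, PG_SSLREQUEST_CODE)


def build_startup_message(params: dict) -> bytes:
    """Plaintext StartupMessage: int32 length, int32 version, NUL-separated pairs."""
    body = b"".join(k.encode() + b"\0" + v.encode() + b"\0" for k, v in params.items())
    body += b"\0"
    return struct.pack("!II", 8 + len(body), PG_PROTOCOL_3_0) + body


def sslrequest_reply(accept_tls: bool) -> bytes:
    """Backend's one-byte answer: 'S' = start TLS now, 'N' = stay in plaintext."""
    return b"S" if accept_tls else b"N"


def recv_exact(conn: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = conn.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed during negotiation")
        data += chunk
    return data


def proxy_answer_sslrequest(conn: socket.socket, accept_tls: bool) -> None:
    """Proxy side: consume exactly the SSLRequest and answer it.

    Reading more than 8 bytes here would be wrong: the client sends nothing
    further until it has seen the reply.
    """
    kind = classify_preread(recv_exact(conn, 8))
    if kind != "pg_sslrequest":
        raise ValueError(f"expected SSLRequest, got {kind}")
    conn.sendall(sslrequest_reply(accept_tls))


def client_after_sslrequest(conn: socket.socket, clienthello: bytes, startup: bytes) -> bytes:
    """Client side: wait for S/N, then send ClientHello or StartupMessage."""
    reply = recv_exact(conn, 1)
    if reply == b"S":
        conn.sendall(clienthello)   # normal TLS handshake would begin here
    elif reply == b"N":
        conn.sendall(startup)
    else:
        raise ValueError(f"unexpected SSLRequest reply {reply!r}")
    return reply


def demo(accept_tls: bool) -> tuple:
    """Run both sides over a socketpair; return (reply, kind of next bytes)."""
    client, proxy = socket.socketpair()
    try:
        client.sendall(build_sslrequest())
        proxy_answer_sslrequest(proxy, accept_tls)
        startup = build_startup_message({"user": "app", "database": "app"})
        reply = client_after_sslrequest(client, CONSTRUCTED_CLIENTHELLO, startup)
        following = proxy.recv(4096)   # what ssl_preread would inspect next
        return reply, classify_preread(following)
    finally:
        client.close()
        proxy.close()


if __name__ == "__main__":
    print(demo(True))    # ('S' path: next bytes are a TLS record)
    print(demo(False))   # ('N' path: next bytes are a plaintext StartupMessage)
```

With accept_tls=True the bytes that follow the 'S' reply classify as "tls", which is the point at which nginx's existing ClientHello/SNI parsing could take over; with accept_tls=False the client continues with a plaintext StartupMessage instead.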

