ssl preread for postgres connection

Eduard Vercaemer vercaemereduard at gmail.com
Sun May 14 04:43:59 UTC 2023


for some context, I recently tried configuring nginx as a tcp proxy that routes connections based on sni to multiple upstream services

the server only exposes one tcp port, and receives all connections there, for example a connection to redis.example.com:1234 would be proxy_pass'ed to some port in the machine, a connection to www.example.com:1234 to another, etc.

i used nginx itself to terminate the tls for all services for convenience

the problem:
now here is the issue, 1: postgres does some weird custom ssl stuff, which means I cannot terminate the ssl from within nginx, and 2: doing a tcp pass through without the ssl termination, and attempting to use ssl_preread and $ssl_preread_server_name _does not_ work for postgres connections (the module fails to extract the server name)

what I attempted:
what I first thought of was to expand on the ssl_preread module to support postgres connections, I went into the source code and found that the module inserts a handler into the `NGX_STREAM_PREREAD_PHASE`
I tried looking into the buffer in this phase and no useful data showed up, I then tried to insert a second handler into the `NGX_STREAM_CONTENT_PHASE` and first noticed it is never used or initialised to begin with, so I did that, but then it looks like no buffer is ever available in this phase

any input, pointers, or suggestions are really welcomed

thanks
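
Why ssl_preread has no server name to extract here, shown as an added example that is not part of the original post or of nginx's code: a PostgreSQL client that wants TLS first sends an 8-byte SSLRequest packet and starts the TLS handshake only after the server answers with a single 'S' byte, so the first bytes a pass-through proxy sees are not a ClientHello. The function and type names are hypothetical and the sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>

typedef enum {
    FIRST_NEED_MORE,      /* too few bytes buffered to decide yet */
    FIRST_TLS_HELLO,      /* TLS ClientHello: an SNI extension can be parsed */
    FIRST_PG_SSLREQUEST,  /* PostgreSQL SSLRequest: TLS has not started */
    FIRST_PG_STARTUP,     /* plaintext PostgreSQL StartupMessage, protocol 3.0 */
    FIRST_UNKNOWN
} first_bytes_t;

#define PG_SSLREQUEST_CODE 80877103u  /* (1234 << 16) | 5679 */
#define PG_PROTOCOL_3_0    196608u    /* 3 << 16 */

/* Read a big-endian (network order) 32-bit integer. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16)
         | ((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/* Classify the first bytes a client sends on a freshly accepted connection. */
first_bytes_t classify_first_bytes(const unsigned char *buf, size_t len)
{
    if (len == 0) return FIRST_NEED_MORE;
    if (buf[0] == 0x16) {             /* TLS record type: handshake */
        if (len < 6) return FIRST_NEED_MORE;
        /* buf[1] = record version major, buf[5] = handshake type (1 = ClientHello) */
        return (buf[1] == 0x03 && buf[5] == 0x01) ? FIRST_TLS_HELLO : FIRST_UNKNOWN;
    }
    /* Startup packet lengths are small, so their first byte is 0. */
    if (buf[0] != 0x00) return FIRST_UNKNOWN;
    if (len < 8) return FIRST_NEED_MORE;
    /* PostgreSQL startup packets: Int32 length, then Int32 request code. */
    if (be32(buf) == 8 && be32(buf + 4) == PG_SSLREQUEST_CODE)
        return FIRST_PG_SSLREQUEST;   /* ClientHello comes only after the 'S' reply */
    if (be32(buf) >= 8 && be32(buf + 4) == PG_PROTOCOL_3_0)
        return FIRST_PG_STARTUP;
    return FIRST_UNKNOWN;
}

/* Constructed sample inputs, not captured traffic. */
const unsigned char sample_pg_sslrequest[8] =
    { 0x00, 0x00, 0x00, 0x08, 0x04, 0xd2, 0x16, 0x2f };
const unsigned char sample_tls_hello[6] =
    { 0x16, 0x03, 0x01, 0x00, 0x2f, 0x01 };
```

A proxy that wants the SNI of such a connection therefore has to answer the SSLRequest itself before the ClientHello ever arrives.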