Hi Jacob,

> raw TLS connections are possible since PG17; see sslnegotiation=direct.

Good point, I wasn't aware of sslnegotiation=direct. I tested the
proxy workaround on RHEL 9.8 with PG 18 and can confirm it works,
with some caveats:
nginx works as a TLS-terminating proxy with dual RSA+ECDSA certs,
but it requires nginx >= 1.21.4 for the ssl_alpn directive in the
stream module (PG 18 psql rejects direct SSL connections without ALPN
negotiation). RHEL 9's base nginx is 1.20 which lacks this, but the
1.24 modular package works. The nginx config is straightforward:
    stream {
        server {
            listen 5433 ssl;
            ssl_certificate      server-rsa.crt;
            ssl_certificate_key  server-rsa.key;
            ssl_certificate      server-ecdsa.crt;
            ssl_certificate_key  server-ecdsa.key;
            ssl_alpn postgresql;
            proxy_pass 127.0.0.1:5432;
        }
    }
haproxy 2.8 supports ALPN (so psql connects), but doesn't do proper
dual cert selection — only one cert type is served regardless of the
negotiated cipher.
So the workaround is viable with the right nginx version, but it does
require:
- PG 17+ clients (sslnegotiation=direct)
- nginx >= 1.21.4 with stream + ssl_alpn
- hostnossl trust in pg_hba.conf for proxy connections
Native support avoids the proxy dependency and works with all clients
regardless of version or sslnegotiation support. I've updated the
patch description accordingly — thanks for the correction.
Renaud
On 16/06/2026 at 5:17 PM, Jacob Champion wrote:
> On Fri, Jun 12, 2026 at 3:05 AM Renaud Métrich <[email protected]> wrote:
> > there is no viable workaround — TLS-terminating proxies don't work because
> > PostgreSQL uses an in-protocol SSL upgrade rather than raw TLS connections.
>
> (Haven't looked at the patch, but raw TLS connections are possible since
> PG17; see sslnegotiation=direct.)
>
> --Jacob
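Added example, not part of this thread, the patch, PostgreSQL, nginx or haproxy: a small Python probe that exercises the two negotiation paths the thread contrasts (the in-protocol SSLRequest upgrade versus direct TLS with ALPN "postgresql") and then checks what a TLS-terminating proxy actually serves, i.e. whether ALPN "postgresql" is negotiated and whether both an RSA and an ECDSA certificate can be selected. The host, port and CA file are caller-supplied; the cipher lists pin a TLS 1.2 handshake to one key type so the proxy must pick the matching certificate or fail, which is how the haproxy single-cert behaviour described above shows up. The reading of a TLS alert as "raw TLS listener" is an assumption marked in the code.

```python
"""Probe a PostgreSQL listener (or a TLS-terminating proxy in front of it)
for the two negotiation modes discussed in the thread: the in-protocol
SSLRequest upgrade and direct TLS with ALPN "postgresql" (PG 17+,
sslnegotiation=direct). Added example; not code from the patch,
PostgreSQL, nginx or haproxy."""
import socket
import ssl
import struct
from typing import Optional

# SSLRequest: int32 length 8, then int32 code 80877103 (1234 in the high
# 16 bits, 5679 in the low 16 bits), per the frontend/backend protocol.
SSLREQUEST_CODE = (1234 << 16) | 5679
PG_ALPN = "postgresql"   # ALPN protocol id used by direct TLS connections


def build_ssl_request() -> bytes:
    """Wire encoding of the SSLRequest message (big-endian int32 pair)."""
    return struct.pack("!ii", 8, SSLREQUEST_CODE)


def classify_upgrade_response(data: bytes) -> str:
    """Interpret what a listener sends back after a plaintext SSLRequest."""
    first = data[:1]
    if first == b"S":
        return "ssl-upgrade-accepted"        # PostgreSQL itself, TLS enabled
    if first == b"N":
        return "ssl-upgrade-refused"         # PostgreSQL itself, TLS disabled
    if first == b"\x15":
        # Assumption: a TLS alert record means the listener expected a raw
        # ClientHello, i.e. a TLS-terminating proxy such as nginx stream.
        return "tls-alert-raw-tls-listener"
    if first == b"":
        return "closed-without-reply"
    return "unknown"


def cipher_key_type(cipher_name: str) -> Optional[str]:
    """Certificate key type implied by a TLS 1.2 cipher suite name."""
    for key_type in ("ECDSA", "RSA"):      # check ECDSA first; "RSA" is a
        if key_type in cipher_name:        # substring of neither, but be explicit
            return key_type
    return None                            # TLS 1.3 suites say nothing here


def probe_upgrade(host: str, port: int, timeout: float = 5.0) -> str:
    """Send SSLRequest on a plain socket and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl_request())
        try:
            reply = sock.recv(1)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_upgrade_response(reply)


def probe_direct(host: str, port: int, cafile: str,
                 ciphers: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Open a direct TLS connection offering ALPN "postgresql".

    When `ciphers` is given the handshake is pinned to TLS 1.2 with only that
    cipher list, so the server must select a certificate of the matching key
    type (RSA or ECDSA) or the handshake fails with ssl.SSLError.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.set_alpn_protocols([PG_ALPN])
    if ciphers:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            name = tls.cipher()[0]
            return {
                "alpn": tls.selected_alpn_protocol(),
                "cipher": name,
                "key_type": cipher_key_type(name),
                "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
            }


def check_dual_certs(host: str, port: int, cafile: str) -> dict:
    """Report which certificate types the listener can serve and whether ALPN
    "postgresql" was negotiated (PG 18 psql refuses direct SSL without it)."""
    result = {"alpn": None}
    for key_type, ciphers in (("RSA", "ECDHE-RSA-AES128-GCM-SHA256"),
                              ("ECDSA", "ECDHE-ECDSA-AES128-GCM-SHA256")):
        try:
            info = probe_direct(host, port, cafile, ciphers=ciphers)
            result[key_type] = True
            result["alpn"] = info["alpn"]
        except ssl.SSLError:
            result[key_type] = False       # no usable certificate of this type
    return result


if __name__ == "__main__":
    import sys
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print("upgrade path:", probe_upgrade(host, port))
    print("direct path: ", check_dual_certs(host, port, cafile))
```

Run it against the proxy port (5433 in the nginx config above) and against PostgreSQL directly (5432): the upgrade probe should report "ssl-upgrade-accepted" or "ssl-upgrade-refused" for the real server and a TLS alert or close for the proxy, and check_dual_certs should report both RSA and ECDSA as True with alpn == "postgresql" for the nginx setup, while a proxy that serves only one certificate type fails one of the two pinned handshakes. Two points worth keeping in mind on the PostgreSQL side: the stream reaching 127.0.0.1:5432 from the proxy is plaintext, so the hostnossl line in pg_hba.conf should be scoped to the proxy's source address (127.0.0.1/32) rather than to all addresses, and because nginx only forwards bytes, a scram-sha-256 or password method works on that line just as well as trust.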