+10 on this one! Hosting a farm of read replicas and an r/w endpoint behind an HAProxy defeats the powerful pg_hba purpose by hiding the real source address... which is bad for some environments with strict conformance and audit requirements.
On Tue, 2 Mar 2021 at 12:43, Magnus Hagander <mag...@hagander.net> wrote:
> PFA a simple patch that implements support for the PROXY protocol.
>
> This is a protocol common and very light weight in proxies and load balancers (haproxy is one common example, but also for example the AWS cloud load balancers). Basically this protocol prefixes the normal connection with a header and a specification of what the original host was, allowing the server to unwrap that and get the correct client address instead of just the proxy ip address. It is a one-way protocol in that there is no response from the server, it's just purely a prefix of the IP information.
>
> Using this when PostgreSQL is behind a proxy allows us to keep using pg_hba.conf rules based on the original ip address, as well as track the original address in log messages and pg_stat_activity etc.
>
> The implementation adds a parameter named proxy_servers which lists the ips or ip+cidr mask to be trusted. Since a proxy can decide what the origin is, and this is used for security decisions, it's very important to not just trust any server, only those that are intentionally used. By default, no servers are listed, and thus the protocol is disabled.
>
> When specified, and the connection on the normal port has the proxy prefix on it, and the connection comes in from one of the addresses listed as valid proxy servers, we will replace the actual IP address of the client with the one specified in the proxy packet.
>
> Currently there is no information about the proxy server in the pg_stat_activity view, it's only available as a log message. But maybe it should go in pg_stat_activity as well? Or in a separate pg_stat_proxy view?
>
> (In passing, I note that pq_discardbytes were in pqcomm.h, yet listed as static in pqcomm.c -- but now made non-static)
>
> --
> Magnus Hagander
> Me: https://www.hagander.net/
> Work: https://www.redpill-linpro.com/
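As an added example (not code from the patch or from anyone in this thread), here is the trust-then-parse decision the quoted description calls for, written in Python: only a peer inside the configured proxy_servers list may rewrite the client address, the header is validated before its source address is used for pg_hba-style decisions, and anyone else keeps its own peer address with its bytes passed through untouched. It assumes the PROXY protocol v1 text header; the function names and the PROXY_SERVERS entries are constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed example of the proxy_servers setting: trusted proxy IPs and IP+CIDR masks.
PROXY_SERVERS = ["10.0.0.0/24", "192.0.2.10"]

def load_proxy_servers(entries: List[str]):
    """Parse each entry as an IP or IP+CIDR mask; a bare IP becomes a /32 or /128 network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_trusted_proxy(peer_ip: str, networks) -> bool:
    """True only if the TCP peer (the proxy itself) is explicitly listed as trusted."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in networks)

def parse_proxy_v1(data: bytes) -> Tuple[Optional[str], bytes]:
    """Parse a PROXY v1 text header: 'PROXY TCP4 src dst sport dport\\r\\n'.

    Returns (original client IP, or None for 'PROXY UNKNOWN', remaining bytes).
    Raises ValueError on a malformed header so a bad proxy cannot smuggle garbage."""
    if not data.startswith(b"PROXY "):
        raise ValueError("no PROXY header")
    end = data.find(b"\r\n", 0, 107)  # v1 header is at most 107 bytes including CRLF
    if end < 0:
        raise ValueError("PROXY header not terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1:2] == ["UNKNOWN"]:
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY header")
    src = ipaddress.ip_address(fields[2])
    ipaddress.ip_address(fields[3])  # destination must parse as well
    if (fields[1] == "TCP4") != (src.version == 4):
        raise ValueError("address family does not match header")
    for port in fields[4:6]:
        if not port.isdigit() or not 0 < int(port) <= 65535:
            raise ValueError("bad port in PROXY header")
    return str(src), rest

def effective_client_address(peer_ip: str, data: bytes, networks) -> Tuple[str, bytes]:
    """Decide which address pg_hba-style rules and logs should see for this connection.

    An untrusted peer never gets to rewrite its address: its bytes go to the normal
    protocol unchanged. 'PROXY UNKNOWN' from a trusted proxy keeps the proxy's address."""
    if not is_trusted_proxy(peer_ip, networks) or not data.startswith(b"PROXY "):
        return peer_ip, data
    original, rest = parse_proxy_v1(data)
    return (original if original is not None else peer_ip), rest
```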