> On Jun 13, 2024, at 6:47 AM, Daniel Gustafsson wrote:
>
> While not strictly that, there was a patch not too long ago for teaching
> postgres the PROXY protocol.

As I understand it, PROXY protocol support would be nice if one connects
through haproxy on standalone hosts, so that postgres coul

> On 12 Jun 2024, at 22:46, Casey & Gina wrote:
> ..haproxy doesn't understand the postgres protocol.

While not strictly that, there was a patch not too long ago for teaching
postgres the PROXY protocol.
https://www.postgresql.org/message-id/flat/165903873765.1168.11139166899805820567.pgcf%40co

> On Jun 12, 2024, at 2:17 PM, Tom Lane wrote:
>
> (1) It'd add overhead without adding any security. Data going through
> a UNIX socket will only pass through the local kernel, and if that's
> compromised then it's game over anyway.

That's true. My preference would be to have an unencrypted c

> On 12 Jun 2024, at 21:17, Tom Lane wrote:
>
> Casey & Gina writes:
>> So why can't I use SSL when connecting from a client to a UNIX socket?
>
> (1) It'd add overhead without adding any security. Data going through
> a UNIX socket will only pass through the local kernel, and if that's
> comp

Casey & Gina writes:
> So why can't I use SSL when connecting from a client to a UNIX socket?

(1) It'd add overhead without adding any security. Data going through
a UNIX socket will only pass through the local kernel, and if that's
compromised then it's game over anyway.

(2) I'm less sure abou

It seems that libpq (maybe?) disables SSL when connecting through a UNIX socket
to the database.

My setup involves a HA database cluster managed by Patroni. To route RW or RO
connections to the correct node(s), we use haproxy, running locally on each
application node. In the interest of being