Re: Question about UNIX socket connections and SSL

From: Casey & Gina <cg(at)osss(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Question about UNIX socket connections and SSL
Date: 2024-06-12 20:46:50
Message-ID: 1E2A5972-443A-4C7B-88AA-3AE5E6415381@osss.net
Lists: pgsql-general

> On Jun 12, 2024, at 2:17 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
> (1) It'd add overhead without adding any security. Data going through
> a UNIX socket will only pass through the local kernel, and if that's
> compromised then it's game over anyway.

That's true. My preference would be to have an unencrypted connection via UNIX socket from the application to haproxy, then an encrypted connection using SSL certificate authentication from haproxy to the database. I spent some time attempting this. But that doesn't seem to be possible since haproxy doesn't understand the postgres protocol.

--
Regards,
- Casey
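
Added example, not part of the original message: PostgreSQL's traditional TLS setup begins with a plaintext `SSLRequest` exchange inside its own protocol, and only then does the TLS handshake start, which is the step a proxy that simply opens TLS to the backend does not perform. The sketch below shows that exchange against a constructed stand-in server; `request_tls`, `demo` and `_fake_backend` are hypothetical names chosen for illustration.

```python
import socket
import struct
import threading

# SSLRequest: Int32 length (8), then Int32 code 80877103 (1234 << 16 | 5679).
SSL_REQUEST = struct.pack("!II", 8, (1234 << 16) | 5679)


def request_tls(sock, require_tls=True):
    """Ask a PostgreSQL server to switch this connection to TLS.

    Returns True on b'S' (start the TLS handshake next), False on b'N'.
    With require_tls=True a refusal raises, so the caller fails closed
    instead of continuing in plaintext.
    """
    sock.sendall(SSL_REQUEST)
    answer = sock.recv(1)
    if answer == b"S":
        # A real client would now call ssl.SSLContext.wrap_socket(sock, ...)
        return True
    if answer == b"N" and not require_tls:
        return False
    raise ConnectionError(f"server did not accept TLS: {answer!r}")


def _fake_backend(sock, reply, seen):
    """Constructed stand-in for a server: read 8 bytes, send a 1-byte reply."""
    buf = b""
    while len(buf) < 8:
        chunk = sock.recv(8 - len(buf))
        if not chunk:
            break
        buf += chunk
    seen.append(buf)
    sock.sendall(reply)


def demo(reply, require_tls=True):
    """Run request_tls against the fake backend over a local socket pair."""
    client, server = socket.socketpair()
    seen = []
    t = threading.Thread(target=_fake_backend, args=(server, reply, seen))
    t.start()
    try:
        return request_tls(client, require_tls), seen
    finally:
        t.join()
        client.close()
        server.close()
```

A local shim that wants plaintext on the UNIX-socket side and TLS to the database would run this negotiation on the backend connection before wrapping it and relaying bytes.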
