From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | wilfried roset <wilfried(dot)roset(at)gmail(dot)com> |
Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
Subject: | Re: PROXY protocol support |
Date: | 2022-04-08 11:58:21 |
Message-ID: | CABUevEx5N2YHaECDXz+9fXj9ciC73BxJ3Ddf0v=s_GeZk56crw@mail.gmail.com |
Lists: | pgsql-hackers |
On Sat, Apr 2, 2022 at 12:17 AM wilfried roset <wilfried(dot)roset(at)gmail(dot)com>
wrote:
> Hi,
>
> I've been able to test the patch. Here is a recap of the experimentation.
>
> # Setup
>
> All tests have been done with 3 VMs (PostgreSQL, HAproxy, psql client) on
> Debian 11 communicating over private network.
> * PostgreSQL has been built with proxy_protocol_11.patch applied on
> master branch (465ab24296).
> * psql client is from postgresql-client-13 from Debian 11 repository.
> * HAproxy version used is 2.5.5-1~bpo11+1 installed from
> https://haproxy.debian.net
>
> # Configuration
>
> PostgreSQL has been configured to listen only on its private IP. To enable
> proxy protocol support `proxy_port` has been configured to `5431` and
> `proxy_servers` to `10.0.0.0/24`. `log_connections` has been turned on to
> make sure the correct IP address is logged. `log_min_duration_statement`
> has been configured to 0 to log all queries. Finally `log_destination` has
> been configured to `csvlog`.
>
> pg_hba.conf is like this:
>
> local all all trust
> host all all 127.0.0.1/32 trust
> host all all ::1/128 trust
> local replication all trust
> host replication all 127.0.0.1/32 trust
> host replication all ::1/128 trust
> host all all 10.0.0.208/32 md5
>
> Where 10.0.0.208 is the IP of the psql client's VM.
>
> HAproxy has two frontends, one for proxy protocol (port 5431) and one for
> regular TCP traffic. The configuration looks like this:
>
> listen postgresql
>     bind 10.0.0.222:5432
>     server pg 10.0.0.253:5432 check
>
> listen postgresql_proxy
>     bind 10.0.0.222:5431
>     server pg 10.0.0.253:5431 send-proxy-v2
>
> Where 10.0.0.222 is the IP of HAproxy's VM and 10.0.0.253 is the IP of
> PostgreSQL's VM.
>
> # Tests
>
> * from psql's vm to haproxy on port 5432 (no proxy protocol)
> --> connection denied by pg_hba.conf, as expected
>
> * from psql's vm to postgresql's VM on port 5432 (no proxy protocol)
> --> connection success with psql's vm ip in logfile and pg_stat_activity
>
> * from psql's vm to postgresql's VM on port 5431 (proxy protocol)
> --> unable to open a connection, as expected
>
> * from psql's vm to haproxy on port 5431 (proxy protocol)
> --> connection success with psql's vm ip in logfile and pg_stat_activity
>
> I've also tested without proxy protocol enabled (and pg_hba.conf updated
> accordingly), PostgreSQL behaves as expected.
>
> # Conclusion
>
> From my point of view the documentation is clear enough and the feature
> works as expected.
Hi!
Thanks for this review and testing!
I think it could do with at least one more look-over at the source code
level as well at this point though since it's been sitting around for a
while, so it won't make it in for this deadline. But hopefully I can get it
in early in the next cycle!
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
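
The trust decision that the four tests above exercise, as an added example (not code from the patch or from anyone in this thread): accept a PROXY header only from an allowlisted proxy network, then use the client address it carries. It follows the published PROXY protocol v2 header layout; `effective_client`, `TRUSTED_PROXIES` and the sample byte strings are hypothetical names and constructed values.

```python
import ipaddress
import struct

# 12-byte signature that opens every PROXY protocol v2 header.
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
# Assumption: same network as the tester's proxy_servers setting.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def effective_client(peer_ip, peer_port, data, trusted=TRUSTED_PROXIES):
    """Return the (ip, port) to log and to match access rules against.

    Raises ValueError when the connection has to be refused.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        raise ValueError("peer is not a trusted proxy")
    if len(data) < 16 or data[:12] != V2_SIGNATURE:
        raise ValueError("missing PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    body = data[16:16 + length]
    if len(body) < length:
        raise ValueError("truncated PROXY header")
    command = ver_cmd & 0x0F
    if command == 0x0:  # LOCAL: the proxy's own connection, keep the real peer
        return str(peer), peer_port
    if command != 0x1:  # only PROXY (0x1) carries a relayed client address
        raise ValueError("unknown PROXY command")
    if fam_proto == 0x11 and length >= 12:  # TCP over IPv4
        src, _dst, sport, _dport = struct.unpack("!4s4sHH", body[:12])
        return str(ipaddress.IPv4Address(src)), sport
    if fam_proto == 0x21 and length >= 36:  # TCP over IPv6
        src, _dst, sport, _dport = struct.unpack("!16s16sHH", body[:36])
        return str(ipaddress.IPv6Address(src)), sport
    raise ValueError("unsupported address family")


# Constructed sample: the header a proxy at 10.0.0.222 would prepend for the
# psql VM (10.0.0.208) connecting to its 5431 frontend.
SAMPLE_HEADER = (
    V2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
    + ipaddress.ip_address("10.0.0.208").packed
    + ipaddress.ip_address("10.0.0.222").packed
    + struct.pack("!HH", 54321, 5431)
)
# Constructed sample: a PostgreSQL SSLRequest packet, i.e. a client speaking
# the plain PostgreSQL protocol with no PROXY header in front of it.
SAMPLE_DIRECT = struct.pack("!II", 8, 80877103)
```

In this sketch a direct connection from 10.0.0.208 is refused for the missing header rather than for its address, because that address lies inside the 10.0.0.0/24 allowlist.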