| From: | Merlin Moncure <mmoncure(at)gmail(dot)com> |
|---|---|
| To: | Francisco Olarte <folarte(at)peoplecall(dot)com> |
| Cc: | Marcin Giedz <marcin(dot)giedz(at)arise(dot)pl>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: libpq heartbeat |
| Date: | 2016-10-27 17:29:17 |
| Message-ID: | CAHyXU0yf7sOUZOb0c6DR4tisL-Nnmy2wX_YQft5OFbysh8XaWQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Thu, Oct 27, 2016 at 11:18 AM, Francisco Olarte
<folarte(at)peoplecall(dot)com> wrote:
> Merlin:
>
> On Thu, Oct 27, 2016 at 6:10 PM, Merlin Moncure <mmoncure(at)gmail(dot)com> wrote:
>> On Thu, Oct 27, 2016 at 10:01 AM, Francisco Olarte
>> <folarte(at)peoplecall(dot)com> wrote:
>>> And I'd like to point libpq sessions does not sound to be the best
>>> kind of traffic across a firewall, not a good service / protocol to
>>> expose.
>
>> meh -- it's perfectly fine to expose postgres to the internet as long
>> as you've handled the security concerns.
>
> It is, but handling them is not easy, and you have to deal with things
> like DoS which are not trivial on the server ( as it is a heavy
> service ). It can be done, and sometimes needs to be done, but is not
> a thing to take over lightly.
>
>> This could be over ssh tunnel for example.
>
> In which case it is NOT exposed to the internet. What are you trying to say?
what? ssh can most certainly convey over the internet. I said ssh
*tunnel*; not ssh. With tunneling the ssh endpoint is the client
application. When I built a libpq based intenet facing application
we used a modified pgbouncer to whitelist the parameterized query
strings and to force the auth. We had zero issues.
merlin
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Adrian Klaver | 2016-10-27 17:33:36 | Re: Escape variable |
| Previous Message | Francisco Olarte | 2016-10-27 16:41:54 | Re: libpq heartbeat |