Question about UNIX socket connections and SSL

From: Casey & Gina
Subject: Question about UNIX socket connections and SSL
Date:
Msg-id: 5EDB1F7F-569B-48B2-8DCD-44EE17D41F1A@osss.net
Replies: Re: Question about UNIX socket connections and SSL
List: pgsql-general
It seems that libpq (maybe?) disables SSL when connecting through a UNIX socket to the database.

My setup involves an HA database cluster managed by Patroni.  To route RW or RO connections to the correct node(s), we use haproxy, running locally on each application node.  In the interest of being as efficient as possible, not using TCP unnecessarily, and having the ability to set appropriate permissions on the socket files which increases security, we had configured the applications to connect to haproxy via local UNIX socket, and then haproxy would of course communicate over the network to the database servers via TCP.

More recently, we've started setting up SSL encryption and CA verification for all database connections going over the network.  I discovered when working on this that SSL was being disabled due to the client connecting to haproxy via UNIX socket.  After trying a bunch of things, I resigned myself to having to use TCP, and we changed the connection from the app to haproxy to TCP.

We also have a jump server set up for staff to connect to the database via an SSH tunnel.  When this is used, an individual's database connection goes from their client over TCP to the jump server via the SSH tunnel, which directs their connection to an haproxy instance running there via UNIX socket, which then in turn connects to the database using TCP.  Interestingly, even though traffic is being routed through a UNIX socket here, SSL encryption *does* work.

So why can't I use SSL when connecting from a client to a UNIX socket?  I can understand that verify-full wouldn't work without it, but verify-full doesn't work even when using TCP with haproxy, as "localhost" doesn't match the database hostname.  For now, I'm only concerned with the verify-ca sslmode.  Is there a workaround possible that doesn't involve using TCP unnecessarily?

--
Thanks,
- Casey
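The three client paths in the post differ only in what libpq itself sees at its end of the connection: libpq decides whether to send an SSLRequest based on the address family of its own socket, so a client that dials a UNIX socket never negotiates SSL no matter what sslmode says, while a client that dials a TCP port (including the local end of an SSH tunnel) does, and an haproxy that merely forwards the byte stream passes that handshake through to the database untouched. The script below is an added example by the editor, not code from this thread or from PostgreSQL; it models those rules as the editor understands libpq's documented behaviour and adds the host/hostaddr split, where the host parameter supplies the name that verify-full checks against the certificate while hostaddr supplies the address actually dialed. The socket directory, ports and certificate names are assumptions for illustration.

```python
"""Model of libpq's client-side SSL decision (added example, not code from the thread).

Rules modelled, as the editor understands libpq's documented behaviour:
  * host empty or starting with '/' and no hostaddr  -> Unix-domain socket
  * no SSL negotiation on a Unix socket; sslmode=require or verify-* just
    proceeds in clear text there (the behaviour the post observed)
  * verify-full compares the certificate against the *host* parameter, even
    when hostaddr supplies the address actually dialed
DEFAULT_SOCKET_DIR and the certificate names in demo() are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_SOCKET_DIR = "/var/run/postgresql"  # assumed; depends on the libpq build
SSL_MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")


@dataclass
class HostPlan:
    host: str
    connect_to: str             # socket path or address:port actually dialed
    transport: str              # "unix" or "tcp"
    ssl_possible: bool          # may libpq send an SSLRequest on this transport?
    verify_name: Optional[str]  # name checked against the certificate (verify-full only)
    error: Optional[str] = None


def parse_conninfo(conninfo: str) -> dict:
    """Parse a keyword=value conninfo string (simple quoting only, no URI form)."""
    params = {}
    for token in conninfo.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed conninfo token: {token!r}")
        params[key] = value.strip("'")
    return params


def plan_connection(conninfo: str) -> list:
    """Return one HostPlan per host in the (possibly comma-separated) host list."""
    p = parse_conninfo(conninfo)
    sslmode = p.get("sslmode", "prefer")
    if sslmode not in SSL_MODES:
        raise ValueError(f"invalid sslmode value: {sslmode!r}")
    hosts = p.get("host", "").split(",")
    hostaddrs = p.get("hostaddr", "").split(",")
    port = p.get("port", "5432")
    plans = []
    for i, host in enumerate(hosts):
        hostaddr = hostaddrs[i] if i < len(hostaddrs) else ""
        if hostaddr:
            transport, connect_to = "tcp", f"{hostaddr}:{port}"
        elif host == "" or host.startswith("/"):
            transport = "unix"
            connect_to = f"{host or DEFAULT_SOCKET_DIR}/.s.PGSQL.{port}"
        else:
            transport, connect_to = "tcp", f"{host}:{port}"
        # No SSLRequest over AF_UNIX; sslmode=allow would try clear text first.
        ssl_possible = transport == "tcp" and sslmode != "disable"
        verify_name = error = None
        if sslmode == "verify-full" and ssl_possible:
            if host == "" or host.startswith("/"):
                error = "host name must be specified for a verify-full SSL connection"
            else:
                verify_name = host  # the host parameter, not hostaddr
        plans.append(HostPlan(host, connect_to, transport, ssl_possible, verify_name, error))
    return plans


def cert_name_matches(verify_name: str, cert_names: list) -> bool:
    """Simplified verify-full name check: exact match, or a leftmost-label wildcard
    standing for exactly one label (so *.example.com does not match example.com)."""
    for name in cert_names:
        if name.startswith("*."):
            if verify_name.count(".") >= 2 and verify_name.split(".", 1)[1] == name[2:]:
                return True
        elif name == verify_name:
            return True
    return False


def demo() -> dict:
    """The client paths from the post plus the host/hostaddr split.
    Certificate names are constructed for an assumed database host."""
    cert_names = ["db1.example.com", "db2.example.com"]
    cases = {
        "app_via_unix_socket": "host=/var/run/haproxy port=5432 sslmode=verify-ca",
        "app_via_localhost_tcp": "host=localhost port=5000 sslmode=verify-full",
        "staff_via_ssh_tunnel": "host=localhost port=15432 sslmode=verify-ca",
        "app_host_plus_hostaddr": "host=db1.example.com hostaddr=127.0.0.1 port=5000 sslmode=verify-full",
    }
    out = {}
    for label, conninfo in cases.items():
        plan = plan_connection(conninfo)[0]
        name_ok = plan.verify_name is not None and cert_name_matches(plan.verify_name, cert_names)
        out[label] = (plan.transport, plan.ssl_possible, plan.verify_name, name_ok)
    return out


if __name__ == "__main__":
    for label, (transport, ssl, name, ok) in demo().items():
        print(f"{label:24s} transport={transport} ssl={ssl} verify_name={name} cert_name_ok={ok}")
```

Running it shows the socket case with no SSL at all, the localhost TCP cases with SSL negotiated (verify-ca satisfied, verify-full failing on the name), and the host-plus-hostaddr case dialing 127.0.0.1 while checking the certificate against db1.example.com. Whether that last form is acceptable in a given deployment depends on haproxy forwarding the TLS bytes end to end rather than terminating them; that is an assumption of this example, not something the post states.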

