Re: PROXY protocol support
From | Magnus Hagander |
---|---|
Subject | Re: PROXY protocol support |
Date | |
Msg-id | CABUevEzoaXRaOXocOUmXVENZ4N6fR+ag=Ur574r6QDHGgSq8YQ@mail.gmail.com |
In response to | Re: PROXY protocol support (Jacob Champion <pchampion@vmware.com>) |
Responses | Re: PROXY protocol support |
List | pgsql-hackers |
On Tue, Nov 16, 2021 at 12:03 AM Jacob Champion <pchampion@vmware.com> wrote:
>
> On Thu, 2021-11-04 at 12:03 +0100, Magnus Hagander wrote:
> > Thanks for the pointer, PFA a rebase.
>
> I think the Unix socket handling needs the same "success" fix that you
> applied to the TCP socket handling above it:
>
> > @@ -1328,9 +1364,23 @@ PostmasterMain(int argc, char *argv[]) > > ereport(WARNING, > > (errmsg("could not create Unix-domain socket in directory \"%s\"", > > socketdir))); > > + > > + if (ProxyPortNumber) > > + { > > + socket = StreamServerPort(AF_UNIX, NULL, > > + (unsigned short) ProxyPortNumber, > > + socketdir, > > + ListenSocket, MAXLISTEN); > > + if (socket) > > + socket->isProxy = true; > > + else > > + ereport(WARNING, > > + (errmsg("could not create Unix-domain PROXY socket for \"%s\"", > > + socketdir))); > > + } > > } > > > > - if (!success && elemlist != NIL) > > + if (socket == NULL && elemlist != NIL) > > ereport(FATAL, > > (errmsg("could not create any Unix-domain sockets")));
>
> Other than that, I can find nothing else to improve, and I think this
> is ready for more eyes than mine. :)

Here's another rebase on top of the AF_UNIX patch.

> To tie off some loose ends from upthread:
>
> I didn't find any MAXLISTEN documentation either, so I guess it's only
> a documentation issue if someone runs into it, heh.
>
> I was not able to find any other cases (besides ident) where using
> daddr instead of laddr would break things. I am going a bit snow-blind
> on the patch, though, and there's a lot of auth code.

Yeah, that's definitely a good reason for more eyes on it.

> A summary of possible improvements talked about upthread, for a future
> v2:
>
> - SQL functions to get the laddr info (scoped to superusers, somehow),
> if there's a use case for them
>
> - Setting up PROXY Unix socket permissions separately from the "main"
> socket
>
> - Allowing PROXY-only communication (disable the "main" port)

These all seem useful, but I'm liking the idea of putting them in a v2, to avoid expanding the scope too much.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
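Review bot: the final test `if (socket == NULL && elemlist != NIL)` at the end of the hunk only sees the result of the most recent StreamServerPort() call, and when ProxyPortNumber is set that is the added PROXY call, not the main socket. As written, the FATAL "could not create any Unix-domain sockets" can fire because the last PROXY socket failed even though a main socket exists, and can be skipped when every main socket failed but the last PROXY socket succeeded. Keep a separate success flag, as the removed `!success` test did, set it only where a main socket is created, and leave the PROXY failure as the WARNING it already raises. A smaller style point in the same block: the local named `socket` hides the socket() function, so a different name would read more clearly.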