Discussion: psql connect over ssl load balancer
Hi.

I want to secure connections to the postgres server using SSL. My server is deployed on google cloud behind an SSL load balancer, which terminates SSL connections (using SSL certificates, issued by google) and forwards decrypted traffic to the postgres server.

I can connect without problems from nodejs using a TLS socket. But the standard psql client doesn't work:

$ PGSSLMODE=require psql -h proxy.softvisio.net
psql: error: connection to server at "proxy.softvisio.net" (34.149.158.159), port 5432 failed: server closed the connection unexpectedly
        This probably means the server terminated abnormally
        before or while processing the request.

It seems that psql will not work without private keys? But I am not sure. Could somebody help me to understand how I can use it?

"dzagashev@gmail.com" <dzagashev@gmail.com> writes: > I want to secure connections to postgress server usings SSL. > My server is deployed on google cloud behind SSL load balancer, which > terminates SSL connections (using SSL certificates, issued by google) > and forwards decrypted traffic to the posgres server. > But standard psql client don't working: > $ PGSSLMODE=require psql -h proxy.softvisio.net That isn't going to work, because PG wraps the SSL handshake inside its own protocol. You could set up an SSL tunnel and let psql think it's making a non-encrypted connection. regards, tom lane
Ah, thanks. This will make things more complex.

On 23.05.2022 20:32, Tom Lane wrote:
> "dzagashev@gmail.com" <dzagashev@gmail.com> writes:
>> I want to secure connections to the postgres server using SSL.
>> My server is deployed on google cloud behind an SSL load balancer, which
>> terminates SSL connections (using SSL certificates, issued by google)
>> and forwards decrypted traffic to the postgres server.
>> But the standard psql client doesn't work:
>> $ PGSSLMODE=require psql -h proxy.softvisio.net
>
> That isn't going to work, because PG wraps the SSL handshake inside
> its own protocol. You could set up an SSL tunnel and let psql think
> it's making a non-encrypted connection.
>
> regards, tom lane
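
The reason given in Tom Lane's reply and the tunnel he suggests, as an added example that is not part of the thread: with sslmode=require psql opens with a cleartext SSLRequest instead of a TLS record, so a TLS-terminating proxy cannot parse it, while a loopback tunnel lets psql speak cleartext locally and carries the bytes over certificate-verified TLS. The function names and local port 6432 are assumptions; the host and port are the ones shown in the thread.

```python
import asyncio
import ssl
import struct

# SSLRequest: Int32 length 8 + Int32 code 80877103 (1234 << 16 | 5679). libpq sends
# it in cleartext and waits for a one-byte 'S' or 'N' before starting the TLS handshake.
SSL_REQUEST = struct.pack("!II", 8, (1234 << 16) | 5679)

def classify_first_bytes(data: bytes) -> str:
    """Name what a listener sees as the first bytes of a new connection."""
    if data[:8] == SSL_REQUEST:
        return "pg-sslrequest"   # psql with sslmode=require: not a TLS record
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"   # what a TLS-terminating proxy expects first
    if len(data) >= 8 and struct.unpack("!I", data[4:8])[0] == 3 << 16:
        return "pg-startup"      # protocol 3.0 StartupMessage, no TLS requested
    return "unknown"

async def pump(reader, writer):
    """Copy one direction until EOF or error, then close the receiving side."""
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    except OSError:
        pass
    finally:
        writer.close()

async def tunnel(host, port, local_port=6432):   # local_port is an assumed free port
    """Accept cleartext on loopback only; carry it to host:port over verified TLS."""
    ctx = ssl.create_default_context()           # checks certificate chain and hostname

    async def handle(client_r, client_w):
        try:
            up_r, up_w = await asyncio.open_connection(host, port, ssl=ctx)
        except OSError:                          # includes certificate verification errors
            client_w.close()
            return
        await asyncio.gather(pump(client_r, up_w), pump(up_r, client_w))

    server = await asyncio.start_server(handle, "127.0.0.1", local_port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    # Host and port are the ones in the thread; then run
    #   PGSSLMODE=disable psql -h 127.0.0.1 -p 6432
    asyncio.run(tunnel("proxy.softvisio.net", 5432))
```

The cleartext leg exists only on 127.0.0.1; the tunnel refuses the upstream connection if the certificate or hostname does not verify.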