[#461] fix ssl connection to postgres in server_passthrough #462
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| ## Preface | ||
|
|
||
| This tutorial will take you through the connection path from client to `pgagroal` to `postgres` server when TLS is enforced. | ||
|
|
||
| ## Setup | ||
|
|
||
| To enforce tls along the whole path, we first need to create X509 certicates for client->pgagroal and pgagroal->postgres seperately. | ||
|
|
||
| For the purpose of this tutorial we will create self-signed certificates and assume only server side authentication. | ||
|
|
||
| ### Creating Certificates | ||
|
|
||
| We will create self-signed certificate for the server, valid for 365 days, use the following OpenSSL command, replacing `dbhost.yourdomain.com` with the server's host name, here `localhost`: | ||
|
|
||
| ``` | ||
| openssl req -new -x509 -days 365 -nodes -text -out pgagroal.crt \ | ||
| -keyout pgagroal.key -subj "/CN=dbhost.yourdomain.com" | ||
| ``` | ||
|
|
||
| for client to pgagroal side authentication and | ||
|
|
||
| ``` | ||
| openssl req -new -x509 -days 365 -nodes -text -out postgres.crt \ | ||
| -keyout postgres.key -subj "/CN=dbhost.yourdomain.com" | ||
| ``` | ||
|
|
||
| for pgagroal to postgres side authentication. | ||
|
|
||
| then do - | ||
|
|
||
| ``` | ||
| chmod og-rwx pgagroal.key | ||
| chmod og-rwx postgres.key | ||
| ``` | ||
|
|
||
| because the server will reject the file if its permissions are more liberal than this. For more details on how to create your server private key and certificate, refer to the OpenSSL documentation. | ||
|
|
||
| ### Configuration | ||
|
|
||
| Modify the configuration files of postgres and pgagroal. | ||
|
|
||
| Add the following lines in `postgresql.conf` (Generally can be found in `/etc/postgresql/<version_number>/main` directory) | ||
|
|
||
| ``` | ||
| ... | ||
| ssl = on | ||
| ssl_cert_file = </path/to/postgres.crt> | ||
| ssl_key_file = </path/to/postgres.key> | ||
| ... | ||
| ``` | ||
|
|
||
| and make the contents of `pg_hba.conf` - | ||
|
|
||
| ``` | ||
| hostssl all all all md5 | ||
|
There was a problem hiding this comment. we should use scram-sha-256 |
||
| ``` | ||
|
|
||
| here we are choosing md5 for authenticating the requested user and database against postgres catalog | ||
|
There was a problem hiding this comment. md5 -> scram-sha-256 There was a problem hiding this comment. The scram-sha-256 is giving Is there some way to bypass it? Or we will have to present same certificates on both sides ( |
||
|
|
||
| Make the contents of `pgagroal.conf` to enable tls the whole way - | ||
|
|
||
| ``` | ||
| [pgagroal] | ||
| host = localhost | ||
| port = 2345 | ||
|
|
||
| log_type = console | ||
| log_level = debug5 | ||
| log_path = | ||
|
|
||
| max_connections = 100 | ||
| idle_timeout = 600 | ||
| validation = off | ||
| unix_socket_dir = /tmp/ | ||
|
|
||
| tls = on | ||
| tls_cert_file = </path/to/pgagroal.crt> | ||
| tls_key_file = </path/to/pgagroal.key> | ||
|
|
||
| [primary] | ||
| host = localhost | ||
| port = 5432 | ||
| tls = on | ||
| tls_ca_file = </path/to/postgres.crt> | ||
| ``` | ||
|
|
||
| ### Client Request | ||
|
|
||
| `PGSSLMODE=verify-ca PGSSLROOTCERT=</path/to/pgagroal.crt> psql -h localhost -p 2345 -U <username> <database>`. | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tls -> TLS, client->pgagroal -> client to pgagroal, pgagroal->postgres -> pgagroal to PostgreSQL