On Sun, 14 May 2023 19:09:30 +0100 J Carter <jordanc.car...@outlook.com> wrote:
> Hello,
>
> On Sun, 14 May 2023 17:33:10 +0300
> Maxim Dounin <mdou...@mdounin.ru> wrote:
>
> > Hello!
> >
> > On Sun, May 14, 2023 at 09:55:54AM +0400, Roman Arutyunyan wrote:
> >
> > > Hi Eduard,
> > >
> > > On Sat, May 13, 2023 at 10:43:59PM -0600, Eduard Vercaemer wrote:
> > >
> > > > for some context, I recently tried configuring nginx as a tcp
> > > > proxy that routes connections based on sni to multiple upstream
> > > > services
> > > >
> > > > the server only exposes one tcp port, and receives all
> > > > connections there, for example a connection to
> > > > redis.example.com:1234 would be proxy_pass'ed to some port in the
> > > > machine, a connection to www.example.com:1234 to another, etc.
> > > >
> > > > i used nginx itself to terminate the tls for all services for
> > > > convenience
> > > >
> > > > the problem:
> > > > now here is the issue, 1: postgres does some weird custom ssl
> > > > stuff, which means I cannot terminate the ssl from within nginx
> > >
> > > In this case there must be an SSL error logged in nginx error log.
> > > Can you post it?
> >
> > Postgres uses their own protocol with STARTTLS-like interface to
> > initiate SSL handshake, see here:
> >
> > https://www.postgresql.org/docs/current/protocol-flow.html#id-1.10.6.7.12
> >
> > That is, it's not going to work with either SSL termination or
> > SSL preread, and needs an implementation of the Postgres protocol.
> >
> > [...]
>
> Out of curiosity I looked into what 'others' had done for Postgres's
> application level negotiation.
>
> https://github.com/envoyproxy/envoy/issues/10942
>
> OP, it might be possible for you to hack this into ssl_preread.c in
> ngx_stream_ssl_preread_handler in a similar fashion to that
> workaround.
>
> It seems you just need to listen / wait for the SSLRequest magic
> message bytes, send the 'fake' response, then do the normal handshake
> logic.
>
> https://www.postgresql.org/docs/current/protocol-message-formats.html
>
> The other issue is if you want TLS from NGINX -> Postgresql Upstream
> you'd need another hack somewhere in ngx_stream_proxy_module.c
> (or a custom content handler as mentioned above).

Or even in ngx_stream_handler.c to do it properly, similar to how proxy
protocol is handled (obviously with writes too).

_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
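The SSLRequest exchange the thread describes (wait for the magic bytes, answer with the one-byte 'fake' response, then let normal TLS/SNI handling take over), as an added Python example that is not part of the thread, nginx or Envoy: it classifies the first message of a Postgres connection and builds the server reply. The request codes come from the PostgreSQL protocol documentation linked above; the function names and the sample inputs are my own.

```python
import struct

# Request codes from the PostgreSQL protocol docs linked in the thread.
# The high 16 bits are 1234; the low 16 bits pick the request type.
SSL_REQUEST_CODE = 80877103     # (1234 << 16) | 5679
GSSENC_REQUEST_CODE = 80877104  # (1234 << 16) | 5680
CANCEL_REQUEST_CODE = 80877102  # (1234 << 16) | 5678
PROTOCOL_3_0 = 196608           # major 3, minor 0: a plain StartupMessage


def classify_startup(buf: bytes):
    """Classify the first message a Postgres client sends on a connection.

    Returns (kind, length): kind is 'need_more', 'ssl_request',
    'gssenc_request', 'cancel_request', 'startup' or 'not_postgres';
    length is the size of the recognised message (0 when none).
    Every message starts with a 4-byte big-endian length that includes
    itself, followed by a 4-byte code.
    """
    if len(buf) < 8:
        return "need_more", 0
    length, code = struct.unpack("!II", buf[:8])
    if length == 8 and code == SSL_REQUEST_CODE:
        return "ssl_request", 8
    if length == 8 and code == GSSENC_REQUEST_CODE:
        return "gssenc_request", 8
    if length == 16 and code == CANCEL_REQUEST_CODE:
        return "cancel_request", 16
    if code == PROTOCOL_3_0 and 8 <= length <= 10000:
        return "startup", length
    return "not_postgres", 0


def ssl_request_reply(proxy_terminates_tls: bool) -> bytes:
    """One-byte server answer to SSLRequest: 'S' = start TLS now, 'N' = no TLS.

    A proxy that answers 'S' then sees an ordinary TLS ClientHello (with
    SNI) on the same connection, so normal ssl_preread logic can take over.
    Answering 'N' lets clients using sslmode=prefer fall back to plaintext,
    so a proxy meant to enforce encryption should answer 'S' or close.
    """
    return b"S" if proxy_terminates_tls else b"N"


def looks_like_tls_client_hello(buf: bytes) -> bool:
    """True when the bytes after an 'S' reply start a TLS handshake record."""
    return len(buf) >= 3 and buf[0] == 0x16 and buf[1] == 0x03


def build_ssl_request() -> bytes:
    """Constructed SSLRequest, as a libpq client would send it (test input)."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)
```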