Re: PROXY protocol support - Mailing list pgsql-hackers

From wilfried roset
Subject Re: PROXY protocol support
Date
Msg-id 164885141909.1182.16644150267648497596.pgcf@coridan.postgresql.org
In response to Re: PROXY protocol support  (Magnus Hagander <magnus@hagander.net>)
Responses Re: PROXY protocol support  (Magnus Hagander <magnus@hagander.net>)
List pgsql-hackers
Hi,

I've been able to test the patch. Here is a recap of the experimentation.

# Setup

All tests have been done with 3 VMs (PostgreSQL, HAproxy, psql client) on
Debian 11 communicating over private network.
* PostgreSQL has been built with proxy_protocol_11.patch applied on master branch (465ab24296).
* psql client is from postgresql-client-13 from Debian 11 repository.
* HAproxy version used is 2.5.5-1~bpo11+1 installed from https://haproxy.debian.net

# Configuration

PostgreSQL has been configured to listen only on its private IP. To enable
proxy protocol support `proxy_port` has been configured to `5431` and
`proxy_servers` to `10.0.0.0/24`. `log_connections` has been turned on to make
sure the correct IP address is logged. `log_min_duration_statement` has been
configured to 0 to log all queries. Finally `log_destination` has been
configured to `csvlog`.

pg_hba.conf is like this:

  local   all             all                                     trust
  host    all             all             127.0.0.1/32            trust
  host    all             all             ::1/128                 trust
  local   replication     all                                     trust
  host    replication     all             127.0.0.1/32            trust
  host    replication     all             ::1/128                 trust
  host    all             all             10.0.0.208/32           md5

Where 10.0.0.208 is the IP of the psql client's VM.

HAproxy has two frontends, one for proxy protocol (port 5431) and one for
regular TCP traffic. The configuration looks like this:

  listen postgresql
      bind 10.0.0.222:5432
      server pg 10.0.0.253:5432 check

  listen postgresql_proxy
      bind 10.0.0.222:5431
      server pg 10.0.0.253:5431 send-proxy-v2

Where 10.0.0.222 is the IP of HAproxy's VM and 10.0.0.253 is the IP of
PostgreSQL's VM.

# Tests

* from psql's vm to haproxy on port 5432 (no proxy protocol)
  --> connection denied by pg_hba.conf, as expected

* from psql's vm to postgresql's VM on port 5432 (no proxy protocol)
  --> connection success with psql's vm ip in logfile and pg_stat_activity

* from psql's vm to postgresql's VM on port 5431 (proxy protocol)
  --> unable to open a connection, as expected

* from psql's vm to haproxy on port 5431 (proxy protocol)
  --> connection success with psql's vm ip in logfile and pg_stat_activity

I've also tested without proxy protocol enabled (and pg_hba.conf updated
accordingly), PostgreSQL behaves as expected.

# Conclusion

From my point of view the documentation is clear enough and the feature works
as expected.
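
Added example, not part of the original message and not code from the patch: a sketch of the PROXY protocol v2 header that `send-proxy-v2` prepends, and of a receiver that accepts it only from a peer inside the `proxy_servers` range used in the tests above. The function names and the decision logic are assumptions for illustration; the addresses are those from the message, and the port 40000 and payload bytes are constructed.

```python
import ipaddress
import struct

SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature
# proxy_servers value from the message; how it is enforced here is an assumption.
TRUSTED_PROXIES = ipaddress.ip_network("10.0.0.0/24")

def build_v2_header(src, dst, sport, dport):
    """Header a proxy prepends for a proxied TCP-over-IPv4 connection."""
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    addrs += struct.pack("!HH", sport, dport)
    # 0x21 = version 2, command PROXY; 0x11 = AF_INET, STREAM
    return SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs

def client_address(peer_ip, data, trusted=TRUSTED_PROXIES):
    """Return (client_ip, client_port, payload) or raise ValueError."""
    if ipaddress.ip_address(peer_ip) not in trusted:
        raise ValueError("peer is not a trusted proxy")
    if len(data) < 16 or data[:12] != SIG:
        raise ValueError("no PROXY v2 header")
    ver_cmd, fam = data[12], data[13]
    length = struct.unpack("!H", data[14:16])[0]
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported version")
    body, payload = data[16:16 + length], data[16 + length:]
    if len(body) < length:
        raise ValueError("truncated header")
    if ver_cmd & 0x0F == 0:  # LOCAL: the proxy's own connection, e.g. a health check
        return peer_ip, None, payload
    if ver_cmd & 0x0F != 1 or fam != 0x11 or length < 12:
        raise ValueError("unsupported command or address family")
    src = str(ipaddress.IPv4Address(body[:4]))
    sport = struct.unpack("!H", body[8:10])[0]
    return src, sport, payload

if __name__ == "__main__":
    # Constructed sample: HAproxy (10.0.0.222) forwarding the psql VM (10.0.0.208).
    hdr = build_v2_header("10.0.0.208", "10.0.0.253", 40000, 5431)
    print(client_address("10.0.0.222", hdr + b"startup-packet"))
```

In this sketch a direct connection from 10.0.0.208 to the proxy port is rejected for lacking the header even though the address falls inside 10.0.0.0/24, and a header from a peer outside that range is rejected before it is parsed.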
