Re: PROXY protocol support - Mailing list pgsql-hackers

From Magnus Hagander
Subject Re: PROXY protocol support
Date
Msg-id CABUevEx5N2YHaECDXz+9fXj9ciC73BxJ3Ddf0v=s_GeZk56crw@mail.gmail.com
In response to Re: PROXY protocol support  (wilfried roset <wilfried.roset@gmail.com>)
Responses Re: PROXY protocol support  (Jacob Champion <jchampion@timescale.com>)
List pgsql-hackers


On Sat, Apr 2, 2022 at 12:17 AM wilfried roset <wilfried.roset@gmail.com> wrote:
Hi,

I've been able to test the patch. Here is a recap of the experimentation.

# Setup

All tests have been done with 3 VMs (PostgreSQL, HAproxy, psql client) on
Debian 11 communicating over private network.
* PostgreSQL has been built with proxy_protocol_11.patch applied on master branch (465ab24296).
* psql client is from postgresql-client-13 from Debian 11 repository.
* HAproxy version used is 2.5.5-1~bpo11+1 installed from https://haproxy.debian.net

# Configuration

PostgreSQL has been configured to listen only on its private IP. To enable
proxy protocol support `proxy_port` has been configured to `5431` and
`proxy_servers` to `10.0.0.0/24`. `log_connections` has been turned on to make
sure the correct IP address is logged. `log_min_duration_statement` has been
configured to 0 to log all queries. Finally `log_destination` has been
configured to `csvlog`.

pg_hba.conf is like this:

  local   all             all                                     trust
  host    all             all             127.0.0.1/32            trust
  host    all             all             ::1/128                 trust
  local   replication     all                                     trust
  host    replication     all             127.0.0.1/32            trust
  host    replication     all             ::1/128                 trust
  host    all             all             10.0.0.208/32           md5

Where 10.0.0.208 is the IP of the psql client's VM.

HAproxy has two frontends, one for proxy protocol (port 5431) and one for
regular TCP traffic. The configuration looks like this:

  listen postgresql
      bind 10.0.0.222:5432
      server pg 10.0.0.253:5432 check

  listen postgresql_proxy
      bind 10.0.0.222:5431
      server pg 10.0.0.253:5431 send-proxy-v2

Where 10.0.0.222 is the IP of HAproxy's VM and 10.0.0.253 is the IP of
PostgreSQL's VM.

# Tests

* from psql's vm to haproxy on port 5432 (no proxy protocol)
  --> connection denied by pg_hba.conf, as expected

* from psql's vm to postgresql's VM on port 5432 (no proxy protocol)
  --> connection success with psql's vm ip in logfile and pg_stat_activity

* from psql's vm to postgresql's VM on port 5431 (proxy protocol)
  --> unable to open a connection, as expected

* from psql's vm to haproxy on port 5431 (proxy protocol)
  --> connection success with psql's vm ip in logfile and pg_stat_activity

I've also tested without proxy protocol enabled (and pg_hba.conf updated
accordingly), PostgreSQL behaves as expected.

# Conclusion

From my point of view the documentation is clear enough and the feature works
as expected.

Hi!

Thanks for this review and testing!

I think it could do with at least one more look-over at the source code level as well at this point, though, since it's been sitting around for a while, so it won't make it in for this deadline. But hopefully I can get it in early in the next cycle!

--
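
The checks a PROXY v2 listener has to make before it believes the client address in the header, written out as an added example; this is not code from the thread or from proxy_protocol_11.patch. The function names are hypothetical, the trusted network mirrors the `proxy_servers` value from the test setup, and only the TCP-over-IPv4 case is handled.

```python
import ipaddress
import socket
import struct

# 12-byte PROXY protocol v2 signature, as defined in the HAProxy specification.
SIG = b"\r\n\r\n\x00\r\nQUIT\n"
# Assumption: mirrors proxy_servers = 10.0.0.0/24 from the test setup above.
TRUSTED = [ipaddress.ip_network("10.0.0.0/24")]

def build_v2_tcp4(src, dst, sport, dport):
    """Constructed sample input: the header a send-proxy-v2 server line prepends."""
    addrs = (socket.inet_aton(src) + socket.inet_aton(dst)
             + struct.pack("!HH", sport, dport))
    # 0x21 = version 2 + PROXY command, 0x11 = AF_INET + STREAM
    return SIG + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs

def effective_client(peer_ip, data, trusted=TRUSTED):
    """Return (client_ip, client_port, remaining_bytes) or raise ValueError."""
    # 1. Only a peer on the trusted list may assert someone else's address.
    if not any(ipaddress.ip_address(peer_ip) in net for net in trusted):
        raise ValueError("peer is not a trusted proxy")
    # 2. On the proxy port the header is mandatory, never optional.
    if len(data) < 16 or data[:12] != SIG:
        raise ValueError("missing PROXY v2 header")
    ver_cmd, fam = data[12], data[13]
    length = struct.unpack("!H", data[14:16])[0]
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY header")
    body, rest = data[16:16 + length], data[16 + length:]
    cmd = ver_cmd & 0x0F
    if cmd == 0:
        # LOCAL: connection made by the proxy itself (e.g. a health check),
        # so the real peer address is kept.
        return peer_ip, None, rest
    if cmd != 1:
        raise ValueError("unknown PROXY command")
    if fam == 0x11 and length >= 12:
        # Layout: src addr (4), dst addr (4), src port (2), dst port (2)
        src = socket.inet_ntoa(body[0:4])
        sport = struct.unpack("!H", body[8:10])[0]
        return src, sport, rest
    raise ValueError("unsupported address family")
```

The address returned here is what would then be matched against pg_hba.conf and written to the log; bytes sent without the header, such as a client's ordinary startup packet, are rejected before any of that happens.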
