作者
digoal
日期
2021-03-03
标签
PostgreSQL , proxy protocol
背景
使用proxy后, 客户端连接proxy, 然后proxy把包转发到PG数据库.
会导致一个问题, 数据库看到的客户端地址会变成proxy的地址. 这个是proxy protocol引入的
https://www.haproxy.com/blog/haproxy/proxy-protocol/
PostgreSQL 邮件组正在讨论, 在数据库中支持proxy protocol协议, 把proxy server配置到proxy_servers参数中, 来自这些IP的包会被解析, 把origin IP(client ip)提取出来替换为包的来源IP, 这样pg_hba.conf就能识别到真正的client ip. 过滤真正的客户端ip.
https://www.postgresql.org/message-id/flat/CABUevEzh6AoLxOvAoZf4WgNYoQv1OReb%3D2_XE49o-wturqUYvw%40mail.gmail.com#bd6b48539e8c601a6367e9b64a08b16e
PFA a simple patch that implements support for the PROXY protocol.
This is a protocol common and very light weight in proxies and load
balancers (haproxy is one common example, but also for example the AWS
cloud load balancers). Basically this protocol prefixes the normal
connection with a header and a specification of what the original host
was, allowing the server to unwrap that and get the correct client
address instead of just the proxy ip address. It is a one-way protocol
in that there is no response from the server, it's just purely a
prefix of the IP information.
Using this when PostgreSQL is behind a proxy allows us to keep using
pg_hba.conf rules based on the original ip address, as well as track
the original address in log messages and pg_stat_activity etc.
The implementation adds a parameter named proxy_servers which lists
the ips or ip+cidr mask to be trusted. Since a proxy can decide what
the origin is, and this is used for security decisions, it's very
important to not just trust any server, only those that are
intentionally used. By default, no servers are listed, and thus the
protocol is disabled.
When specified, and the connection on the normal port has the proxy
prefix on it, and the connection comes in from one of the addresses
listed as valid proxy servers, we will replace the actual IP address
of the client with the one specified in the proxy packet.
Currently there is no information about the proxy server in the
pg_stat_activity view, it's only available as a log message. But maybe
it should go in pg_stat_activity as well? Or in a separate
pg_stat_proxy view?
(In passing, I note that pq_discardbytes were in pqcomm.h, yet listed
as static in pqcomm.c -- but now made non-static)
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
PostgreSQL 许愿链接
您的愿望将传达给PG kernel hacker、数据库厂商等, 帮助提高数据库产品质量和功能, 说不定下一个PG版本就有您提出的功能点. 针对非常好的提议,奖励限量版PG文化衫、纪念品、贴纸、PG热门书籍等,奖品丰富,快来许愿。开不开森.
9.9元购买3个月阿里云RDS PostgreSQL实例
PostgreSQL 解决方案集合
德哥 / digoal's github - 公益是一辈子的事.
