How to enable ssl termination for HA proxy in PostgresSQL? #36

Open
snehalasarode opened this issue Aug 26, 2020 · 1 comment

Comments

@snehalasarode

snehalasarode commented Aug 26, 2020

I deployed postgres using this repository and it is working fine. Now I want to enable SSL for PostgreSQL. For that I made changes in haproxy.conf. Below is my haproxy.conf:

global
  log 127.0.0.1 syslog info
  daemon
  user vcap
  group vcap
  maxconn 64000
  spread-checks 4
  stats socket /var/vcap/sys/run/vip/haproxy.sock mode 600 level admin
  stats timeout 2m
  external-check
  ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
  ssl-server-verify none

defaults
  log global
  maxconn 64000
  option contstats
  timeout connect 5m
  timeout client  30m
  timeout server  30m
  timeout queue   30m

frontend postgres
  mode tcp
  bind :5432 ssl crt /var/vcap/jobs/vip/config/privkey.pem
  default_backend postgres

backend postgres
  mode tcp
  option external-check
  external-check command "/var/vcap/jobs/postgres/bin/healthy"
  external-check path    "/var/vcap/packages/postgres/bin:/bin:/usr/bin:/sbin:/usr/sbin"
  server node0 x.x.x.x:6432 check inter 1000
  server node1 x.x.x.x:6432 check inter 1000

frontend postgres-read-replica
  mode tcp
  bind :7432
  default_backend postgres-read-replica

backend postgres-read-replica
  mode tcp
  option external-check
  external-check command "/var/vcap/jobs/postgres/bin/healthy"
  server node0 x.x.x.x:6432 check inter 1000
  server node1 x.x.x.x:6432 check inter 1000

I am using openssl to create the certificate for SSL. After the changes to haproxy.conf I restarted all the components and they are in the running state. When I try to connect to postgres with SSL using the postgres client, it gives me an EOF error.
@jhunt can you guide me on what exact steps I need to perform to enable SSL termination for PostgreSQL?

@snehalasarode snehalasarode changed the title How to enable ssl termination for HA proxy in postgressql? How to enable ssl termination for HA proxy in PostgresSQL? Aug 26, 2020
@jhunt
Contributor

jhunt commented Aug 26, 2020

I would do the SSL termination at the PostgreSQL itself.

That said, I think I personally would move off of this BOSH release and onto something like the Containers BOSH release, and run the upstream postgres image. I've updated that repo to include an example of a single-node postgres deployment with TLS as a hard requirement.
