Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

L4 module for Postgres #186

Merged
merged 7 commits into from
May 3, 2024
Merged

L4 module for Postgres #186

merged 7 commits into from
May 3, 2024

Conversation

metafeather
Copy link
Contributor

This a simple module to detect and match on Postgres connections in a similar manner that the SSH module uses.

Currently it can be used to multiplex a single database connection along with HTTP/S and SSH to avoid needed to open additional ports:

            "routes": [
              {
                "match": [
                  {
                    "postgres": {}
                  }
                ],
                "handle": [
                  {
                    "handler": "proxy",
                    "upstreams": [
                      {
                        "dial": [
                          "postgres.localhost:5432"
                        ]
                      }
                    ]
                  }
                ]
              }
            ]

@metafeather
L4 Matcher based on SSH module and published resources
13e17e7 
- Detects Postgres connections based on `StartupMessage` and `SSLRequest` message formats defined in the protocol documentation
@metafeather
Include Postgres module by default
b618359
@metafeather
Add to README
e2bcca6
mholt
mholt requested changes May 2, 2024
View reviewed changes
Copy link
Owner

@mholt mholt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution! Looks like a great start.

Can we add the Apache license notice to the beginning of the file? https://github.com/mholt/caddy-l4?tab=Apache-2.0-1-ov-file#readme

Then, let's just unexport identifiers that aren't used outside the package. (I've highlighted some examples but other code changes will be needed to compile of course.)

Then we can probably merge this in. Thanks!

modules/l4postgres/matcher.go Outdated Show resolved Hide resolved
modules/l4postgres/matcher.go Outdated Show resolved Hide resolved
modules/l4postgres/matcher.go Outdated Show resolved Hide resolved
modules/l4postgres/matcher.go Outdated Show resolved Hide resolved
@metafeather
Copy link
Contributor Author

Thanks for the feedback, all done

@metafeather metafeather requested a review from mholt May 2, 2024 21:55
mholt
mholt approved these changes May 2, 2024
View reviewed changes
Copy link
Owner

@mholt mholt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Looks good for now. Let's give it a try :)

modules/l4postgres/matcher.go Outdated Show resolved Hide resolved
@metafeather metafeather mentioned this pull request May 3, 2024
Closed
@metafeather metafeather mentioned this pull request May 3, 2024
Draft
@mholt mholt merged commit 145ec36 into mholt:master May 3, 2024
6 checks passed
@mohammed90 mohammed90 mentioned this pull request May 4, 2024
Open
@coolaj86
Copy link

coolaj86 commented May 4, 2024
edited
Loading

The first 8 bytes are the Postgres' bespoke SSLRequest.

The server (caddy) needs to respond with S, after which the very next bytes will be the normal TLS hello containing the SNI so that the connection can be matched and routed to the correct server.

At that time, the SSLRequest needs to be sent to the Postgres Server, the S response byte should be eaten, and the connection can handed off completely at that point.

Without sending S, there's no way to know which Postgres server the request should be routed to.

It looks like we could add the cx.Write('S')... but I'm not clear on how we'd pass that off to the TLS handler and then hand control back for the SSLRequest to be repeated before letting go of control.

Thoughts?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mohammed90 mohammed90 mohammed90 left review comments

@coolaj86 coolaj86 coolaj86 left review comments

@mholt mholt mholt approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@metafeather @coolaj86 @mholt @mohammed90