I need ssl connection between postgresql (patroni cluster) and Haproxy but I didnt find any related docs. Is it possible to configure haproxy via ssl without using pgbouncer or pgpool tools.
I can connect directly to the database server with ssl configuration
but I can't connect by using Haproxy,
-bash-4.2$ psql -d "host=x.x.x.x port=7010 dbname=postgres user=test"
psql: error: server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
-bash-4.2$
there is no log record on postgresql.
Thanks.
Related
Is it possible to terminate SSL at an AWS ELB to front a Postgres Server so as to make the following command succeed?
PGSSLMODE=verify-full \
PGSSLROOTCERT=/path/to/go-daddy-root-ca.pem \
PGCONNECT_TIMEOUT=5 \
psql -h my-postgres.example.com -p 5432 -U test_username test-database -c 'select 1';
I'm able to use TCP protocol at the load balancer, and TCP at the instance protocol if I set my ssl certificate and key on the Postgres service w/ the following arguments:
-c
ssl=on
-c
ssl_cert_file=/var/lib/postgresql/my-postgres.example.com.crt
-c
ssl_key_file=/var/lib/postgresql/my-postgres.example.com.key
However, I would like to handle the SSL at the Load Balancer level if possible, so as to not pass certs and keys into the instance running the postgres service. I've tried the following ELB configurations:
LB Proto, Instance Proto, Postres SSL, success/fail
TCP, TCP, on, success
SSL, TCP, on, failure
TCP, SSL, on, failure
SSL, SSL, on, failure
SSL, TCP, off, failure
The failure message is the following:
psql: error: could not connect to server: server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
Maybe an NLB would work, of perhaps terminating SSL end-to-end at the Postgres Service level is the only way for a verify-full to succeed?
If it helps for an alternative approach, postgres is running in an EKS cluster.
Thank you for any info you can provide!
We are using NLB in front of the RDS postgres db. Unfortunately, it just "proxies" the requests w/out SSL termination there - the NLB is configured on TCP port 5432. Have you looked at the relatively new AWS RDS proxy - according to the docs it should be able to do the SSL termination, what I'm not sure about is if you can use it without RDS. The other way to go is of course to setup this proxy on your own, with all advantages and disadvantages of this solution.
I'm pointing my application from one PG cluster to another (changing the team that manages the PG cluster), and I'm getting connection errors when trying to connect with a language binding for javascript:
no pg_hba.conf entry for host xxx.x.x.x, user "blah", database "blah", SSL off
I'm led to believe that this is a pg_hba.conf configuration error, but I can connect to the cluster with psql, from the same machine, with the same credentials.
psql: 9.5.7,
PG cluster 10.5
Client: pg-promise 9.3.3
How can this be possible? Is this still definitely an issue with how pg_hba.conf is set up or is there something wrong with how I configured my client? This is not the first time I've used it, I've been connecting to a PG cluster v. 9.5.7 for the last couple of years.
The issue was that the new cluster is using SSL for the connection. When I connected to the old cluster, there was no SSL, so the connection worked with my current config, but when switching to the new cluster I had to specify that SSL was being used.
https://github.com/vitaly-t/pg-promise/wiki/Connection-Syntax
I created a Cloud SQL instance and am trying to connect from my laptop running OSX El Capitan.
I followed the instructions for creating a proxy to run the proxy. I am able to connect if I use a socket file as follows:
sudo ./cloud_sql_proxy -dir=/cloudsql -instances=my-project:us-central1:mysql-instance -credential_file=mycredentials.json
mysql -u root -p -S /cloudsql/my-project:us-central1:mysql-instance
Now I'd like to connect to the Cloud SQL instance from a local python application. So I tried creating the proxy over tcp using =tcp:3306 and testing using the mysql client as follows:
sudo ./cloud_sql_proxy -dir=/cloudsql -instances=my-project:us-central1:mysql-instance=tcp:3306 -credential_file=/web/visi/api/resources/keys/visi-staging-ec040759d57a.json
mysql -u root --host 127.0.0.1 --password
But Im getting this error:
2016/04/06 23:09:58 Got a connection for
"my-project:us-central1:mysql-instance" 2016/04/06 23:09:59
to "my-project:us-central1:mysql-instance" via
111.111.111.111:3307: read tcp 127.0.0.1:3306->127.0.0.1:49518: use of closed network connection ERROR 2026 (HY000): SSL connection error:
error:00000005:lib(0):func(0):DH lib
Try specifying --skip-ssl as an option to your mysql client.
We have a fix for this in progress and should be rolled out in the near future.
The reason this happens is that we reject connections over the proxy that request MySQL SSL. The connection between the proxy and Cloud SQL is already done over SSL so there's no need to use SSL at the MySQL level.
I've installed Postgres.app and modified the port number to 5466, I've enabled listen_addresses='*'.
I've setup 'trust' in pg_hba.conf.
I can connect through the socket via psql. However, psql -h localhost -p 5466 fails and returns *"server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request."
Port 5466 is mapped to postgresql.
Any help as to why I can connect to the socket, but not to localhost would be appreciated. If i connect on another port an error is returned instantly telling me there is no server there, but when I connect on the correct port the connection hangs and returns the error above.
The problem was a program to monitor internet traffic blocked all ports other than 80: https://github.com/PostgresApp/PostgresApp/issues/169
I'm playing around pgpool2.
I'm connecting to postgresql which is running on port 5432 with command psql -U postgres -p 5432 and it's connecting normally.
When I'm connecting to pgpool2 running on 9999 port with command psql -U postgres -p 9999 - it returns back dialog like:
psql: root#master:/linux/path#
What I'm doing wrong? Is there way to connect to pgpool using psql?
I cannot connect to it from application also.
UPD I've got following error pool_do_auth: maybe protocol version mismatch (current version 3)
Solved : Problem was in pgpool auth on backends. Editing pg_hba.conf fixed problem.
This error message and behavior are because of a problem with pgpool authenticating to postgres, not with you authenticating to pgpool as you might suspect. If you check the postgres logs, it will tell you which line in your postgres pg_hba.conf is being rejected.
However, since (IIRC) pgpool cannot do peer authentication, it is probably this one, which says that all local (unix socket) connections will be authenticated by pretending the system username is the postgres username:
local all all peer
You want to change that to:
local all all trust
At least to make things work. However, you will lose some security this way. However, if all your users (that can access the unix socket) are trusted, this is okayish.