
How to enable ssl termination for HA proxy in PostgresSQL? #36

Open
Description

@snehalasarode

I deployed Postgres using this repository and it is working fine. Now I want to enable SSL for PostgreSQL. For that I made changes in haproxy.conf. Below is my haproxy.conf:

global
  log 127.0.0.1 syslog info
  daemon
  user vcap
  group vcap
  maxconn 64000
  spread-checks 4
  stats socket /var/vcap/sys/run/vip/haproxy.sock mode 600 level admin
  stats timeout 2m
  external-check
  ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
  ssl-server-verify none

defaults
  log global
  maxconn 64000
  option contstats
  timeout connect 5m
  timeout client  30m
  timeout server  30m
  timeout queue   30m

frontend postgres
  mode tcp
  bind :5432 ssl crt /var/vcap/jobs/vip/config/privkey.pem
  default_backend postgres

backend postgres
  mode tcp
  option external-check
  external-check command "/var/vcap/jobs/postgres/bin/healthy"
  external-check path    "/var/vcap/packages/postgres/bin:/bin:/usr/bin:/sbin:/usr/sbin"
  server node0 x.x.x.x:6432 check inter 1000
  server node1 x.x.x.x:6432 check inter 1000

frontend postgres-read-replica
  mode tcp
  bind :7432
  default_backend postgres-read-replica

backend postgres-read-replica
  mode tcp
  option external-check
  external-check command "/var/vcap/jobs/postgres/bin/healthy"
  server node0 x.x.x.x:6432 check inter 1000
  server node1 x.x.x.x:6432 check inter 1000

I am using openssl to create the certificate for SSL. After the changes to the haproxy.conf file I restarted all the components and they are in the running state. When I try to connect to Postgres with SSL using the Postgres client it gives me an EOF error.
@jhunt can you guide me on what exact steps I need to perform to enable SSL termination for PostgreSQL?
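Why the connection dies with EOF before any SQL is exchanged, as an added example that is not part of the issue or of the BOSH release: PostgreSQL's wire protocol negotiates TLS STARTTLS-style. libpq first sends an 8-byte plaintext SSLRequest, waits for a single 'S' or 'N' byte, and only then starts the TLS handshake on the same socket. A `bind :5432 ssl crt ...` frontend expects a TLS ClientHello as the very first bytes, has no notion of the PostgreSQL SSLRequest, rejects the packet and closes the connection, which the client reports as EOF. The script below shows the bytes each side expects and contains a live probe that does the handshake the way libpq does. The host names, the `cafile` parameter and the sample ClientHello bytes are constructed for illustration.

```python
"""PostgreSQL-style TLS negotiation (added example, not code from the issue)."""
import socket
import ssl
import struct

# Constants from the PostgreSQL frontend/backend protocol (version 3).
PG_SSL_REQUEST_CODE = 80877103     # 0x04D2162F, SSLRequest
PG_GSSENC_REQUEST_CODE = 80877104  # 0x04D21630, GSSENCRequest (PG 12+)
PG_CANCEL_REQUEST_CODE = 80877102  # 0x04D2162E, CancelRequest
PG_PROTOCOL_3_0 = 196608           # 0x00030000, StartupMessage protocol version


def ssl_request() -> bytes:
    """The first bytes libpq sends for sslmode=prefer/require/verify-*."""
    return struct.pack(">II", 8, PG_SSL_REQUEST_CODE)


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a listener sees on a new connection."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-clienthello"           # TLS record: handshake, ClientHello
    if len(data) >= 8:
        length, code = struct.unpack(">II", data[:8])
        if length == 8 and code == PG_SSL_REQUEST_CODE:
            return "postgres-sslrequest"
        if length == 8 and code == PG_GSSENC_REQUEST_CODE:
            return "postgres-gssencrequest"
        if length == 16 and code == PG_CANCEL_REQUEST_CODE:
            return "postgres-cancelrequest"
        if code == PG_PROTOCOL_3_0:
            return "postgres-startup"      # plaintext StartupMessage (sslmode=disable)
    return "unknown"


def accepted_by_tls_terminator(data: bytes) -> bool:
    """A `bind ... ssl crt ...` listener only understands a ClientHello."""
    return classify_first_bytes(data) == "tls-clienthello"


def probe_postgres_tls(host, port=5432, cafile=None, timeout=5.0):
    """Live check (needs a network; the offline test does not call it).

    Sends SSLRequest and reports what the listener did:
      {'answer': 'S', 'tls_version': ..., 'cipher': ..., 'subject': ...}
          a server with ssl=on, TLS started after the 'S' byte
      {'answer': 'N'}   plaintext-only server
      {'answer': 'EOF'} the peer closed the socket (a TLS-first proxy does this)
    Pass cafile to verify the server certificate; without it the certificate is
    only inspected, which is fine for diagnosis but not for a real client.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ssl_request())
        try:
            answer = sock.recv(1)
        except ConnectionResetError:
            answer = b""
        if answer == b"":
            return {"answer": "EOF"}
        if answer == b"N":
            return {"answer": "N"}
        if answer != b"S":
            return {"answer": "unexpected", "raw": answer.hex()}
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        if cafile is None:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        # TLS starts only now, on the socket that already carried the SSLRequest.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"answer": "S", "tls_version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": cert.get("subject") if cert else None}


# Constructed sample: start of a TLS 1.2 ClientHello record, the only thing a
# `bind ... ssl` frontend will accept as an opening.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301" "00c5" "01" "0000c1" "0303")

if __name__ == "__main__":
    for label, first in (("psql", ssl_request()), ("tls client", SAMPLE_CLIENT_HELLO)):
        print(f"{label:>10}: {first.hex():<24} {classify_first_bytes(first):<20} "
              f"accepted by TLS-first listener: {accepted_by_tls_terminator(first)}")
```

Run it with no arguments to see that psql's opening bytes (`0000000804d2162f`) are not a ClientHello; call `probe_postgres_tls("db.example", 5432)` against a real listener to see 'S', 'N' or EOF. The same check from the command line is `openssl s_client -connect host:5432 -starttls postgres` (OpenSSL 1.1.1 or later), which sends the SSLRequest for you.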

Activity

changed the title [-]How to enable ssl termination for HA proxy in postgressql?[/-] [+]How to enable ssl termination for HA proxy in PostgresSQL?[/+] on Aug 26, 2020
jhunt commented on Aug 26, 2020


I would do the SSL termination at PostgreSQL itself.

That said, I think I personally would move off of this BOSH release and onto something like the Containers BOSH release, and run the upstream postgres image. I've updated that repo to include an example of a single-node postgres deployment with TLS as a hard requirement.
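One concrete shape for terminating TLS at PostgreSQL itself, written here as an added example and not taken from the issue or from either BOSH release: HAProxy stays a plain TCP passthrough (no `ssl crt` on the bind line, so the client's SSLRequest reaches PostgreSQL and PostgreSQL answers 'S'), PostgreSQL holds the certificate and key, and pg_hba.conf only has `hostssl` entries for network clients so plaintext connections are refused. File paths, the address range and the backend address are assumptions; the backend on port 6432 must be the process that actually holds the key.

```conf
# postgresql.conf (PostgreSQL 12+ for ssl_min_protocol_version; paths assumed)
ssl = on
ssl_cert_file = '/var/vcap/jobs/postgres/config/server.crt'   # server cert plus chain
ssl_key_file  = '/var/vcap/jobs/postgres/config/server.key'   # mode 0600, owned by the postgres user
ssl_min_protocol_version = 'TLSv1.2'
ssl_prefer_server_ciphers = on

# pg_hba.conf: "hostssl" matches TLS connections only; with no plain "host"
# line for the network, a non-TLS attempt is rejected at authentication.
# TYPE    DATABASE  USER  ADDRESS       METHOD
hostssl   all       all   10.0.0.0/8    scram-sha-256
local     all       all                 peer

# haproxy.cfg: TCP passthrough, TLS is end-to-end between client and PostgreSQL
frontend postgres
  mode tcp
  bind :5432
  default_backend postgres

backend postgres
  mode tcp
  server node0 10.0.0.10:6432 check inter 1000
```

Check the result from a client with `psql "host=... sslmode=verify-full sslrootcert=ca.crt"` or `openssl s_client -connect host:5432 -starttls postgres`; with this layout HAProxy never sees plaintext SQL, but it also cannot inspect or health-check the TLS session beyond the TCP connect, which is the trade-off of passthrough.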
