We are interested in this issue, but we’re unsure about the use case and the traction it will receive. We are going to leave the status as kind/proposal to give the community time to let us know if they would like this idea.
We will reevaluate as people respond.
Thanks @nmengin for clarification! Indeed, traefik also allows Passthrough, eliminating the need to re-encrypt traffic. Anyway, here's our (very niche) use-case:
We're running traefik at the edge of our network with a wildcard certificate issued by a publicly trusted CA, but each of the Postgres servers (behind traefik) is running with a self-signed certificate issued exclusively for that server. I guess we shouldn't give ONE wildcard cert to ALL the Postgres servers (and we can't allow plaintext traffic)? To make the use case more discernible, imagine Cloudflare proxying Postgres.
Welcome!
What did you expect to see?
First, thanks to all the contributors for the wonderful PR #9377. I've connected to Postgres with `PGSSLMODE=require`. It works like a charm! Now, how can we enable STARTTLS (essentially use `PGSSLMODE=require`) while forwarding the request to the origin server?
Envoy apparently allows setting the upstream sslmode (https://github.com/envoyproxy/envoy/blob/af915efe430a670a9eed89bd57778657374acd4e/api/contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha/postgres_proxy.proto#L24), but I couldn't get envoy/istio to work.
If you'd like to reproduce the scenario with traefik (for non-STARTTLS Postgres),
Gateway definition
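For readers following the thread, here is an added example (not code from Traefik or from PR #9377) of the Postgres STARTTLS negotiation that a TLS-terminating proxy has to perform at the edge before `PGSSLMODE=require` can work through it. It is written in Go, Traefik's own language, and plays both sides over an in-memory `net.Pipe`: the client sends the 8-byte SSLRequest message defined by the PostgreSQL wire protocol, and the proxy side answers `'S'` (willing to negotiate TLS) or `'N'`. The function names `IsSSLRequest`, `AnswerSSLRequest` and `RunExchange` are the example's own. The part the issue asks for, the proxy then acting as a client and sending its own SSLRequest toward the origin server before relaying, is the missing piece and is deliberately not shown; the example also refuses a connection whose first bytes are not an SSLRequest, matching the "no plaintext" requirement stated in the thread.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// sslRequestCode is the PostgreSQL SSLRequest protocol code,
// (1234 << 16) | 5679, as documented in the wire-protocol spec.
const sslRequestCode = 80877103

// SSLRequestMessage is the exact 8-byte SSLRequest a client sends before any
// other startup traffic when it wants STARTTLS: int32 length (8), int32 code.
var SSLRequestMessage = []byte{0x00, 0x00, 0x00, 0x08, 0x04, 0xd2, 0x16, 0x2f}

// IsSSLRequest reports whether buf is a well-formed PostgreSQL SSLRequest.
func IsSSLRequest(buf []byte) bool {
	if len(buf) != 8 {
		return false
	}
	length := binary.BigEndian.Uint32(buf[0:4])
	code := binary.BigEndian.Uint32(buf[4:8])
	return length == 8 && code == sslRequestCode
}

// AnswerSSLRequest reads the first 8 bytes from a freshly accepted client
// connection and answers the STARTTLS negotiation the way a TLS-terminating
// proxy would: 'S' when the proxy is willing to negotiate TLS, 'N' otherwise.
// It returns true when the caller should now wrap conn in a TLS server.
// A client that starts with anything other than an SSLRequest is attempting
// a plaintext startup, which this example refuses rather than forwards.
func AnswerSSLRequest(conn net.Conn, offerTLS bool) (bool, error) {
	buf := make([]byte, 8)
	if _, err := io.ReadFull(conn, buf); err != nil {
		return false, fmt.Errorf("reading startup bytes: %w", err)
	}
	if !IsSSLRequest(buf) {
		return false, errors.New("client did not send an SSLRequest; refusing plaintext startup")
	}
	reply := byte('N')
	if offerTLS {
		reply = 'S'
	}
	if _, err := conn.Write([]byte{reply}); err != nil {
		return false, fmt.Errorf("writing STARTTLS reply: %w", err)
	}
	return offerTLS, nil
}

// RunExchange plays both sides of the negotiation over an in-memory pipe
// (constructed traffic, no real database involved): the client sends
// SSLRequestMessage and the proxy side answers. It returns the byte the
// client saw and whether the proxy side decided to start TLS.
func RunExchange(offerTLS bool) (byte, bool, error) {
	clientConn, proxyConn := net.Pipe()
	defer clientConn.Close()
	defer proxyConn.Close()

	type result struct {
		startTLS bool
		err      error
	}
	done := make(chan result, 1)
	go func() {
		startTLS, err := AnswerSSLRequest(proxyConn, offerTLS)
		done <- result{startTLS, err}
	}()

	if _, err := clientConn.Write(SSLRequestMessage); err != nil {
		return 0, false, err
	}
	reply := make([]byte, 1)
	if _, err := io.ReadFull(clientConn, reply); err != nil {
		return 0, false, err
	}
	r := <-done
	return reply[0], r.startTLS, r.err
}

func main() {
	reply, startTLS, err := RunExchange(true)
	if err != nil {
		fmt.Println("exchange failed:", err)
		return
	}
	fmt.Printf("client saw %q, proxy will start TLS: %v\n", reply, startTLS)
}
```

After the `'S'` reply the real proxy would call `tls.Server` on the client connection with the edge certificate; the per-server self-signed certificates described in the thread would only come into play on the upstream leg, which is exactly the leg the issue asks Traefik to encrypt.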