On Thu, 29 Oct 2020 at 03:41, Anand Rao <[email protected]> wrote:
> Hi,
>
> I'm looking for a TCP proxy that can proxy the connection between a database client and the database server. I want to be able to look at the traffic and log the queries etc. for mining later. I also want to use the proxy to remove human knowledge of passwords. The users will point their client to the TCP port the proxy is listening on and will specify a username which will be a pointer to a vault account (like CyberArk or BeyondTrust). The proxy, upon receiving this information, will then connect to this vault, get the password and plug the password in for the connection to the database server. After the connection is established, all traffic should be proxied through and logged.
>
> Would HAProxy be a product that can achieve this? If not, I'd like to ask this knowledgeable community if they can recommend any other projects that might be closer to achieving the above. I understand this is a very niche requirement. Any TCP proxy with the ability to script/transform the packets on the way to the destination would be helpful. I'm trying to find something in the open source community that I can use for my needs rather than having to write one myself.

Hey Anand,

I don't think haproxy is what you're looking for. You're looking for more than a TCP proxy: you need a DB-specific-protocol proxy. Haproxy can listen for HTTP, above the TCP layer, but not any specific DB protocols.

I think you need to look for a proxy that's designed to work with the specific DB you're wanting to expose. For mysql, "mysql-proxy" and "mysql-router" come to mind. mysql-proxy never went GA, and I've not used mysql-router. Given your requirement for the proxy to dynamically fetch credentials, out of band from the connection, I think you'll find your options to be limited. I know mysql-proxy had Lua embedded (I don't know about mysql-router) but I'm not sure if it exposed enough Lua libraries to achieve what you're looking for.

For postgres, I'm afraid I'm only aware of "pgbouncer".

If none of these tools does 100% of what you want, you might be able to combine them with haproxy to achieve something closer to what you need. Your "everything is logged" requirement, depending on the level to which you need things logged, will likely be a sticking point.

Best of luck,
Jonathan

-- 
Jonathan Matthews
https://jpluscplusm.com
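To make concrete why a plain TCP proxy cannot do the credential swap Anand describes, here is an added example (not part of this thread, and not code from haproxy, mysql-proxy, mysql-router or pgbouncer) for the PostgreSQL 3.0 wire protocol. The username the human types arrives inside the client's StartupMessage, and the password is only ever sent in answer to a server challenge, so the proxy has to parse the startup packet, rewrite the user field, and compute the authentication response itself. Everything here is constructed: the vault is a dict standing in for CyberArk/BeyondTrust, the role names and secret are made up, only the legacy MD5 method is handled (SCRAM-SHA-256 needs a different exchange, and an SSLRequest would have to be answered before any of this), and the server side is simulated just far enough to check the proxy's answer.

```python
"""Why a vault-backed database proxy must speak the database protocol (PostgreSQL 3.0).

Added illustration. The vault is a dict, the auth method is MD5 only, and the
server is simulated. Nothing here is from haproxy, pgbouncer or mysql-proxy.
"""
import hashlib
import struct

PROTOCOL_3_0 = 196608       # major 3 << 16 | minor 0
AUTH_MD5_PASSWORD = 5       # code carried in the server's 'R' message

# Constructed stand-in for the vault: the name the user types at the client maps
# to the real database role and its secret. The human never sees the secret.
VAULT = {
    "vault-reporting": ("report_ro", "s3cret-from-vault"),
}


def build_startup_message(params):
    """Client -> server first packet: int32 length, int32 version, NUL-separated pairs, NUL."""
    body = struct.pack("!i", PROTOCOL_3_0)
    for key, value in params.items():
        body += key.encode() + b"\x00" + value.encode() + b"\x00"
    body += b"\x00"
    return struct.pack("!i", len(body) + 4) + body


def parse_startup_message(data):
    """Return the key/value parameters of a StartupMessage, or raise on malformed input."""
    if len(data) < 8:
        raise ValueError("truncated startup message")
    length, version = struct.unpack("!ii", data[:8])
    if length != len(data):
        raise ValueError("length field %d does not match %d bytes" % (length, len(data)))
    if version != PROTOCOL_3_0:
        # 80877103 would be SSLRequest; a real proxy has to answer that first.
        raise ValueError("not a v3.0 StartupMessage (code %d)" % version)
    fields = data[8:].split(b"\x00")
    params, i = {}, 0
    while i + 1 < len(fields) and fields[i]:
        params[fields[i].decode()] = fields[i + 1].decode()
        i += 2
    return params


def rewrite_startup_for_vault(client_startup, vault=VAULT):
    """Swap the vault account name the human typed for the real role.

    Returns (real_user, password, server_bound_startup). The password stays in
    the proxy for the authentication step and is never sent to the client.
    """
    params = parse_startup_message(client_startup)
    try:
        real_user, password = vault[params["user"]]
    except KeyError:
        raise PermissionError("no vault account for %r" % params.get("user")) from None
    params["user"] = real_user
    return real_user, password, build_startup_message(params)


def parse_auth_request(data):
    """Server -> proxy 'R' message: returns (auth code, 4-byte salt or None)."""
    if data[:1] != b"R" or len(data) < 9:
        raise ValueError("not an authentication request")
    code = struct.unpack("!i", data[5:9])[0]
    salt = data[9:13] if code == AUTH_MD5_PASSWORD else None
    return code, salt


def md5_password_message(user, password, salt):
    """Proxy -> server 'p' message: "md5" + hex(md5(hex(md5(password + user)) + salt))."""
    inner = hashlib.md5(password.encode() + user.encode()).hexdigest()
    outer = hashlib.md5(inner.encode() + salt).hexdigest()
    payload = b"md5" + outer.encode() + b"\x00"
    return b"p" + struct.pack("!i", len(payload) + 4) + payload


def server_checks_md5(stored_hash, salt, password_message):
    """Simulated server: stored_hash is the "md5<hex>" form kept for the role."""
    if password_message[:1] != b"p":
        return False
    received = password_message[5:-1]
    expected = b"md5" + hashlib.md5(stored_hash[3:].encode() + salt).hexdigest().encode()
    return received == expected


def demo():
    """End to end: client startup -> proxy rewrite -> server challenge -> proxy answer."""
    client_startup = build_startup_message({"user": "vault-reporting", "database": "sales"})
    real_user, password, to_server = rewrite_startup_for_vault(client_startup)
    # Constructed server challenge: 'R', length 12, code 5, then a 4-byte salt.
    challenge = b"R" + struct.pack("!ii", 12, AUTH_MD5_PASSWORD) + b"\x9a\x00\x7f\x12"
    code, salt = parse_auth_request(challenge)
    answer = md5_password_message(real_user, password, salt)
    # What the simulated server has on file for report_ro.
    stored = "md5" + hashlib.md5(password.encode() + real_user.encode()).hexdigest()
    return parse_startup_message(to_server)["user"] == real_user and server_checks_md5(stored, salt, answer)


if __name__ == "__main__":
    print("vault-brokered login accepted:", demo())
```

Each step above needs a protocol-aware parser: a TCP-mode proxy sees the StartupMessage and the 'R' challenge as opaque bytes, so it can neither find the user field to replace nor produce the salted response. Once authentication has completed, the same parser is what lets the proxy pick out 'Q' (simple query) messages for the logging Anand wants; the session is otherwise relayed unchanged.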

