On Sat, Apr 2, 2022 at 12:17 AM wilfried roset <wilfried.ro...@gmail.com> wrote:
> Hi,
>
> I've been able to test the patch. Here is a recap of the experimentation.
>
> # Setup
>
> All tests have been done with 3 VMs (PostgreSQL, HAproxy, psql client) on
> Debian 11 communicating over private network.
> * PostgreSQL has been built with proxy_protocol_11.patch applied on
>   master branch (465ab24296).
> * psql client is from postgresql-client-13 from Debian 11 repository.
> * HAproxy version used is 2.5.5-1~bpo11+1 installed from
>   https://haproxy.debian.net
>
> # Configuration
>
> PostgreSQL has been configured to listen only on its private IP. To enable
> proxy protocol support `proxy_port` has been configured to `5431` and
> `proxy_servers` to `10.0.0.0/24`. `log_connections` has been turned on to
> make sure the correct IP address is logged. `log_min_duration_statement`
> has been configured to 0 to log all queries. Finally `log_destination` has
> been configured to `csvlog`.
>
> pg_hba.conf is like this:
>
>   local all all trust
>   host all all 127.0.0.1/32 trust
>   host all all ::1/128 trust
>   local replication all trust
>   host replication all 127.0.0.1/32 trust
>   host replication all ::1/128 trust
>   host all all 10.0.0.208/32 md5
>
> Where 10.0.0.208 is the IP of the psql client's VM.
>
> HAproxy has two frontends, one for proxy protocol (port 5431) and one for
> regular TCP traffic. The configuration looks like this:
>
>   listen postgresql
>     bind 10.0.0.222:5432
>     server pg 10.0.0.253:5432 check
>
>   listen postgresql_proxy
>     bind 10.0.0.222:5431
>     server pg 10.0.0.253:5431 send-proxy-v2
>
> Where 10.0.0.222 is the IP of HAproxy's VM and 10.0.0.253 is the IP of
> PostgreSQL's VM.
>
> # Tests
>
> * from psql's vm to haproxy on port 5432 (no proxy protocol)
>   --> connection denied by pg_hba.conf, as expected
>
> * from psql's vm to postgresql's VM on port 5432 (no proxy protocol)
>   --> connection success with psql's vm ip in logfile and pg_stat_activity
>
> * from psql's vm to postgresql's VM on port 5431 (proxy protocol)
>   --> unable to open a connection, as expected
>
> * from psql's vm to haproxy on port 5431 (proxy protocol)
>   --> connection success with psql's vm ip in logfile and pg_stat_activity
>
> I've also tested without proxy protocol enabled (and pg_hba.conf updated
> accordingly), PostgreSQL behaves as expected.
>
> # Conclusion
>
> From my point of view the documentation is clear enough and the feature
> works as expected.

Hi!

Thanks for this review and testing!

I think it could do with at least one more look-over at the source code
level as well at this point though since it's been sitting around for a
while, so it won't make it in for this deadline. But hopefully I can get it
in early in the next cycle!

--
 Magnus Hagander
 Me: https://www.hagander.net/
 Work: https://www.redpill-linpro.com/
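
The trust decision exercised by the proxy-port tests above, as an added sketch that is not part of this thread and is not the patch's code. The header layout follows the HAProxy PROXY protocol v2 specification; the function names `build_v2_header` and `effective_client`, and the policy of refusing untrusted peers and header-less connections on the proxy port, are assumptions made for illustration.

```python
import ipaddress
import struct

# 12-byte PROXY protocol v2 signature, from the HAProxy PROXY protocol spec.
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

def build_v2_header(src, dst, sport, dport):
    """Build a v2 header for TCP over IPv4, the kind `send-proxy-v2` emits."""
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    body = addrs + struct.pack("!HH", sport, dport)
    # 0x21 = version 2 + command PROXY; 0x11 = AF_INET + STREAM
    return V2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body

def effective_client(peer_ip, first_bytes, trusted_cidrs):
    """Return the client IP to log and match against host-based rules.

    Assumed policy (hypothetical, not taken from the patch): the header is
    honoured only when the TCP peer is inside `trusted_cidrs`, and a
    connection on the proxy port without a valid header is refused.
    Raises ValueError when the connection must be refused.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(c) for c in trusted_cidrs):
        raise ValueError("peer is not a trusted proxy")
    if len(first_bytes) < 16 or first_bytes[:12] != V2_SIGNATURE:
        raise ValueError("missing PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", first_bytes[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(first_bytes) < 16 + length:
        raise ValueError("truncated PROXY header")
    if ver_cmd & 0x0F == 0:
        # LOCAL command: the proxy speaks for itself (e.g. a health check).
        return str(peer)
    if ver_cmd & 0x0F != 1 or fam_proto != 0x11 or length < 12:
        raise ValueError("unsupported command or address family")
    # The first 4 bytes of the address block are the original source address.
    return str(ipaddress.IPv4Address(first_bytes[16:20]))
```

With the addresses from the test setup, a header relayed by 10.0.0.222 yields 10.0.0.208 as the client address, while a connection that starts directly with PostgreSQL protocol bytes is refused.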