Hi,

On Tue, 2 Mar 2021 at 14:43, Magnus Hagander <mag...@hagander.net> wrote:
> PFA a simple patch that implements support for the PROXY protocol.

Nice. I didn't know I needed this. But in hindsight, I would've used it quite a few times in the past if I could have.

> The implementation adds a parameter named proxy_servers which lists
> the ips or ip+cidr mask to be trusted. Since a proxy can decide what
> the origin is, and this is used for security decisions, it's very
> important to not just trust any server, only those that are
> intentionally used. By default, no servers are listed, and thus the
> protocol is disabled.

Might make sense to add special cases for 'samehost' and 'samenet', as in hba rules, as proxy servers are commonly on the same machine or share one of the same internal networks.

Despite the security issues, I'm sure people will soon try and set proxy_servers='*' or 'all' if they think this setting works as listen_addresses or as pg_hba. But I don't think I'd make these use cases easier.

Tureba - Arthur Nascimento
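
The trust rule discussed in this message, sketched as an added example that is not code from the patch or from PostgreSQL: the origin in a PROXY v1 header is used only when the connecting peer matches an entry in the trusted list, and an empty list disables the protocol. The function names, the comma-separated list format and the two refusal policies marked in the comments are assumptions.

```python
import ipaddress

def parse_trusted(proxy_servers):
    """Parse a comma-separated list of IPs or IP/CIDR entries (format assumed)."""
    nets = []
    for item in proxy_servers.split(","):
        item = item.strip()
        if item:
            # ip_network() raises ValueError for '*', 'all' or any non-address,
            # so a wildcard is rejected at parse time rather than silently trusted.
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def is_trusted(peer_ip, nets):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr.version == n.version and addr in n for n in nets)

def client_address(peer_ip, first_line, nets):
    """Return the address to use for access decisions; raise to refuse."""
    has_header = first_line.startswith(b"PROXY ")
    if not is_trusted(peer_ip, nets):
        if has_header:
            # Assumed policy: never honor an origin claimed by an unlisted peer.
            raise PermissionError("PROXY header from untrusted peer " + peer_ip)
        return peer_ip  # ordinary direct connection
    if not has_header:
        # Assumed policy: a listed proxy must always send the header.
        raise ValueError("trusted proxy sent no PROXY header")
    parts = first_line.rstrip(b"\r\n").decode("ascii").split(" ")
    if parts[1:2] == ["UNKNOWN"]:
        return peer_ip  # proxy could not determine the origin
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    return str(ipaddress.ip_address(parts[2]))

# Constructed sample values (documentation address ranges).
TRUSTED = parse_trusted("127.0.0.1, 10.0.0.0/24")
HEADER = b"PROXY TCP4 203.0.113.7 10.0.0.9 51000 5432\r\n"
```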