Cannot connect to Postgres via IP with sslmode=require

mootari · June 13, 2023, 10:42am

(edit: please see the next comment)

I have a public Postgres cluster (dedicated IPv4), and I am unable to connect to it via Terraform when using sslmode=require. I suspect this may be an issue with some Go libraries, but I’d like to learn more about the pg_tls handler’s implementation because so far I haven’t been able to find any related Go bug reports.

Additional details

I can connect via psql, which reports

SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)

I can connect via terraform if I use sslmode=disable
I see the error both with the pg backend and the cyrilgdn/postgresql provider.
Even with TF_LOG=trace there are no messages related to the error. The last entry before the error is
```
Meta.Backend: ignoring local "default" workspace because its state is empty
```

Steps to reproduce

create a new Postgres app, save the connection string
allocate a dedicated IPv4 (if you’re on macOS, otherwise an IPv6 may work as well)
install Terraform

create a new directory, and in that directory create a file main.tf with the content:

terraform {
  backend "pg" {
    conn_str = "postgres://postgres:YOUR_PASS@YOUR_APP_NAME.fly.dev:5432?sslmode=require"
  }
}

inside the directory, run terraform init

mootari · June 14, 2023, 11:36am

I might have found the problem: Connecting via psql fails as well if I set hostname to an allocated IP (v6 or dedicated v4) instead of the the app’s .fly.dev domain.
I suspect that Terraform resolves the hostname internally and connects via the IP, which bypasses the TLS proxy. Unfortunately I’m not sure how I can verify that assumption.

How can I proceed here? Do I need to set up my own TLS proxy if I want to support secure external connections via an IP (and without Wireguard)?

system · June 21, 2023, 11:36am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.