New proxy handler: pg_tls (PostgreSQL sslmode)

There’s a new handler available for exposing your PostgreSQL instance over the proxy in a secure manner: pg_tls.

How to use?

First, get your current config if you don’t already have it

fly config save -a <your-pg-fly-app-name>

Then, modify your fly.toml, adding this service:

internal_port = 5432
protocol = "tcp"

handlers = ["pg_tls"]
port = 5432

Figure out which image and tag (postgres version) you’re on:

$ fly image show -a <your-pg-fly-app-name>
Image Details
  Registry   =
  Repository = flyio/postgres
  Tag        = 13.6
  Version    = v0.0.32

Finally, deploy your cluster (using --image with the image:tag found in the previous step):

fly deploy --image flyio/postgres:13.6

You should then be able to access your PG cluster via psql like:

$ psql "sslmode=require host=<your-pg-fly-app-name> dbname=<db name> user=<username>"
Password for user <username>:
psql (14.5 (Homebrew), server 13.6 (Debian 13.6-1.pgdg110+1))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

<db name>=#

Note: this only works for sslmode=require or sslmode=prefer, any other options will close the connection.

Edit: sslmode=disable is now supported. A setting could be provided to only allow SSL I imagine. If anybody has that need, let us know.


37 posts were split to a new topic: and the pg_tls handler

this is amazing. i was able to use handlers = ["pg_tls", "proxy_proto"] which feeds into haproxy with bind *:5432 accept-proxy and have ip based filtering for incoming connection.