Hi,

Our setup has stunnel and HAProxy running on the same server. Our clients (PostgreSQL clients) connect to the port where stunnel is listening. Clients are sending encrypted data (setting sslmode=require in the pgsql connection options). Stunnel listens for the encrypted traffic and writes unencrypted traffic to another port on the same host where HAProxy is listening. Then, HAProxy passes this request to one of many PostgreSQL servers.

These servers are custom written to implement the PostgreSQL protocol. We want the IP of the PostgreSQL clients to be captured at the server. The HAProxy documentation says that the proxy protocol is the only way to pass the original client IP for non-HTTP traffic. Can you please suggest how we can configure stunnel to listen for encrypted PostgreSQL client traffic (pgsql protocol) and write unencrypted data to the HAProxy instance in the proxy protocol?

Following are our current configurations for stunnel and HAProxy:
Stunnel:
foreground = yes
debug = 5
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = l:TCP_KEEPIDLE=120
socket = l:TCP_KEEPINTVL=30
socket = l:TCP_KEEPCNT=3
ciphers = HIGH:MEDIUM
[postgres-serverB]
protocol = pgsql
accept = 0.0.0.0:3255
connect = localhost:5433
retry = yes
cert = /etc/stunnel/stunnel.crt
delay = no
sslVersion = TLSv1.2

HAProxy:
listen pgsql
    mode tcp
    option tcplog
    bind *:5433
    balance leastconn
    timeout server 1d
    timeout client 1d
    option tcp-check
    option clitcpka
    server qspgsqlsvr1 host.docker.internal:5432 check
Thanks,
Ashok
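What HAProxy expects on a `bind` line carrying `accept-proxy` is the one-line PROXY protocol v1 header that the TLS terminator prepends to the plaintext stream; the following added example, which is not from the original post, builds that header and parses it strictly so that a malformed line is never accepted as a trusted client address. All addresses, ports and the embedded PostgreSQL StartupMessage bytes are constructed sample values.

```python
import ipaddress

MAX_V1_HEADER = 107  # v1 spec: the header line never exceeds 107 bytes, CRLF included


def build_proxy_v1(src_ip, src_port, dst_ip, dst_port):
    """Encode the PROXY v1 line for a TCP connection from src to dst."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")


def parse_proxy_v1(stream):
    """Split a v1 header off the front of a byte stream.

    Returns (info, payload). Anything malformed is rejected rather than
    guessed at, so a bad header is never mistaken for a trusted address.
    """
    if not stream.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 signature")
    end = stream.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within 107 bytes")
    fields = stream[:end].decode("ascii").split(" ")
    payload = stream[end + 2:]
    if fields[1] == "UNKNOWN":  # sender could not learn the origin address
        return {"family": "UNKNOWN"}, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    sport, dport = int(fields[4]), int(fields[5])
    if src.version != version or dst.version != version:
        raise ValueError("address family does not match header")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return {"family": fields[1], "src": str(src), "src_port": sport,
            "dst": str(dst), "dst_port": dport}, payload


# Constructed sample: what HAProxy on :5433 would receive if the TLS terminator
# prepended a v1 header to a (hypothetical) PostgreSQL StartupMessage.
STARTUP = b"\x00\x00\x00\x21\x00\x03\x00\x00user\x00ashok\x00database\x00app\x00\x00"
SAMPLE = build_proxy_v1("203.0.113.7", 51234, "192.0.2.10", 3255) + STARTUP
```

Calling parse_proxy_v1(SAMPLE) returns the original client address and port together with the untouched StartupMessage, which is exactly what the backend needs to log the real client IP.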