How to require TLS for frontend connections to postgresql proxy


Rss Reader

Jan 8, 2026, 6:14:05 AM
to proxysql
Hi,
So TLS works when connecting with psql by default. But if I disable TLS I can still connect and all the data is in cleartext (I confirmed with tcpdump). At least the password is SCRAM-SHA256. But still this is not ideal. How can I enforce clients to use TLS when connecting?


PGSSLMODE=disable psql -h test.proxy.example.com -p 6133 -U mike -d testing
Password for user mike:
psql (10.23, server 16.1)
WARNING: psql major version 10, server major version 16.
         Some psql features might not work.
Type "help" for help.

testing=> SELECT * FROM students ;

Without the 'disable' setting it uses TLS by default:

psql -h test.proxy.example.com -p 6133 -U mike -d testing
Password for user mike:
psql (10.23, server 16.1)
WARNING: psql major version 10, server major version 16.
         Some psql features might not work.
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.

testing=> 

ProxySQL version 3.0.4-162-gfaa64a5, codename Truls

Setting use_ssl=1 doesn't make any difference to anything:
pgsql_users=(
    {
        username="mike"
        password="XXXXXXXXXXXXXXXXX"
        default_hostgroup=10
        max_connections=100
        default_schema="public"
        active=1
        use_ssl=1
    },

I'm guessing this is just not a feature yet.

Mike

Rahim Kanji

Jan 9, 2026, 5:18:40 AM
to proxysql
Hi Mike,

Thank you for reporting this issue! It has been addressed in PR #5285. Appreciate your help!

Regards,
Rahim Kanji
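
A repeatable form of the check described in this thread, as an added example that is not part of either post or of ProxySQL: it sends the PostgreSQL SSLRequest and then a cleartext StartupMessage to a listener and reports whether the cleartext startup is answered with an authentication request. No password is sent. The function names are hypothetical, and treating an ErrorResponse or a closed connection as "rejected" is an assumption about how a TLS-enforcing listener responds.

```python
import socket
import struct

SSL_REQUEST = struct.pack("!II", 8, 80877103)  # PostgreSQL SSLRequest packet

def build_startup_message(user, database):
    """Protocol 3.0 StartupMessage, as sent by a client with sslmode=disable."""
    pairs = ((b"user", user.encode()), (b"database", database.encode()))
    params = b"".join(k + b"\0" + v + b"\0" for k, v in pairs) + b"\0"
    return struct.pack("!II", 8 + len(params), 196608) + params

def classify_ssl_reply(data):
    """The server answers SSLRequest with a single byte: S or N."""
    return {b"S": "tls-offered", b"N": "tls-refused"}.get(data[:1], "unknown")

def classify_plaintext_reply(data):
    """Interpret the first byte sent back to a cleartext StartupMessage."""
    if not data or data[:1] == b"E":
        return "rejected"   # connection closed, or ErrorResponse (assumed meaning)
    if data[:1] == b"R":
        return "accepted"   # Authentication* message: cleartext session proceeds
    return "unknown"

def _exchange(host, port, payload, timeout):
    """Open one TCP connection, send payload, return the first reply byte."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            return s.recv(1)
    except ConnectionResetError:
        return b""

def probe(host, port, user, database, timeout=5.0):
    """Check one listener; 'cleartext' == 'accepted' means TLS is not enforced."""
    ssl_reply = _exchange(host, port, SSL_REQUEST, timeout)
    startup = build_startup_message(user, database)
    plain_reply = _exchange(host, port, startup, timeout)
    return {"ssl": classify_ssl_reply(ssl_reply),
            "cleartext": classify_plaintext_reply(plain_reply)}

if __name__ == "__main__":
    # Host, port, user and database are the ones shown in the thread.
    print(probe("test.proxy.example.com", 6133, "mike", "testing"))
```

Run against a listener you operate, before and after changing its TLS settings; a result of `cleartext: accepted` matches the behaviour reported in the first post.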