diff --git a/proxy/src/auth/backend/link.rs b/proxy/src/auth/backend/link.rs index 415a4b7d85..06c0cc051e 100644 --- a/proxy/src/auth/backend/link.rs +++ b/proxy/src/auth/backend/link.rs @@ -121,6 +121,5 @@ pub(super) async fn authenticate( Ok(NodeInfo { config, aux: db_info.aux, - allow_self_signed_compute: false, // caller may override }) } diff --git a/proxy/src/bin/proxy.rs b/proxy/src/bin/proxy.rs index 30f2e6f4b7..a5798817e5 100644 --- a/proxy/src/bin/proxy.rs +++ b/proxy/src/bin/proxy.rs @@ -42,6 +42,7 @@ use tokio::net::TcpListener; use tokio::sync::Mutex; use tokio::task::JoinSet; use tokio_util::sync::CancellationToken; +use tracing::error; use tracing::info; use tracing::warn; use tracing::Instrument; @@ -507,7 +508,7 @@ fn build_config(args: &ProxyCliArgs) -> anyhow::Result<&'static ProxyConfig> { }; if args.allow_self_signed_compute { - warn!("allowing self-signed compute certificates"); + error!("self-signed compute is not supported"); } let backup_metric_collection_config = config::MetricBackupCollectionConfig { interval: args.metric_backup_collection_interval, @@ -645,7 +646,6 @@ fn build_config(args: &ProxyCliArgs) -> anyhow::Result<&'static ProxyConfig> { tls_config, auth_backend, metric_collection, - allow_self_signed_compute: args.allow_self_signed_compute, http_config, authentication_config, require_client_ip: args.require_client_ip, diff --git a/proxy/src/compute.rs b/proxy/src/compute.rs index 4433b3c1c2..54f2276aeb 100644 --- a/proxy/src/compute.rs +++ b/proxy/src/compute.rs @@ -274,7 +274,6 @@ impl ConnCfg { pub async fn connect( &self, ctx: &mut RequestMonitoring, - allow_self_signed_compute: bool, aux: MetricsAuxInfo, timeout: Duration, ) -> Result { 
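Review bot: In `build_config` (proxy/src/bin/proxy.rs, the hunk at -507), `--allow-self-signed-compute` is still accepted and only logs `error!("self-signed compute is not supported")`, so the proxy starts normally with a flag the operator believes relaxes compute certificate checks. Since `build_config` already returns `anyhow::Result`, the branch can fail startup instead: `anyhow::bail!("self-signed compute is not supported");`. The misconfiguration then shows up at deploy time rather than, presumably, as TLS handshake failures on the first compute connection. If the flag has to keep parsing for compatibility with existing deployments, say so in a comment on the branch, e.g. `// flag kept so existing command lines still parse; it no longer has any effect`. The body of `build_config` continues outside this hunk.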
@@ -282,10 +281,7 @@ impl ConnCfg { let (socket_addr, stream, host) = self.connect_raw(timeout).await?; drop(pause); - let tls_connector = native_tls::TlsConnector::builder() - .danger_accept_invalid_certs(allow_self_signed_compute) - .build() - .unwrap(); + let tls_connector = native_tls::TlsConnector::builder().build().unwrap(); let mut mk_tls = postgres_native_tls::MakeTlsConnector::new(tls_connector); let tls = MakeTlsConnect::::make_tls_connect(&mut mk_tls, host)?; diff --git a/proxy/src/config.rs b/proxy/src/config.rs index 5a0c251ce2..1405d25f72 100644 --- a/proxy/src/config.rs +++ b/proxy/src/config.rs @@ -27,7 +27,6 @@ pub struct ProxyConfig { pub tls_config: Option, pub auth_backend: auth::BackendType<'static, (), ()>, pub metric_collection: Option, - pub allow_self_signed_compute: bool, pub http_config: HttpConfig, pub authentication_config: AuthenticationConfig, pub require_client_ip: bool, diff --git a/proxy/src/console/provider.rs b/proxy/src/console/provider.rs index 3b996cdbd1..cd8fe671ef 100644 --- a/proxy/src/console/provider.rs +++ b/proxy/src/console/provider.rs @@ -287,9 +287,6 @@ pub struct NodeInfo { /// Labels for proxy's metrics. pub aux: MetricsAuxInfo, - - /// Whether we should accept self-signed certificates (for testing) - pub allow_self_signed_compute: bool, } impl NodeInfo { @@ -298,17 +295,9 @@ impl NodeInfo { ctx: &mut RequestMonitoring, timeout: Duration, ) -> Result { - self.config - .connect( - ctx, - self.allow_self_signed_compute, - self.aux.clone(), - timeout, - ) - .await + self.config.connect(ctx, self.aux.clone(), timeout).await } pub fn reuse_settings(&mut self, other: Self) { - self.allow_self_signed_compute = other.allow_self_signed_compute; self.config.reuse_password(other.config); } diff --git a/proxy/src/console/provider/mock.rs b/proxy/src/console/provider/mock.rs index cfe491f2aa..60d488c973 100644 --- a/proxy/src/console/provider/mock.rs +++ b/proxy/src/console/provider/mock.rs 
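Review bot: In `ConnCfg::connect`, the rewritten line `native_tls::TlsConnector::builder().build().unwrap()` still has an `unwrap()` on the per-connection path, so a failure to build the connector panics the task instead of returning through the function's `Result`. If the error type (not visible in this hunk) allows the conversion, propagate with `?`; otherwise use `.expect("default TLS connector must build")` to state the invariant. With `danger_accept_invalid_certs` removed, verification relies entirely on native-tls defaults, and nothing in the hunk adds a root certificate. A comment above the builder would record that assumption: `// Default verification: compute certificates must chain to a root in the platform trust store and match the host name.` The body of `connect` starts and ends outside this hunk.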
@@ -126,7 +126,6 @@ impl Api { branch_id: (&BranchId::from("branch")).into(), cold_start_info: crate::console::messages::ColdStartInfo::Warm, }, - allow_self_signed_compute: false, }; Ok(node) diff --git a/proxy/src/console/provider/neon.rs b/proxy/src/console/provider/neon.rs index 7728d2cafa..b9d074b1d5 100644 --- a/proxy/src/console/provider/neon.rs +++ b/proxy/src/console/provider/neon.rs @@ -175,7 +175,6 @@ impl Api { let node = NodeInfo { config, aux: body.aux, - allow_self_signed_compute: false, }; Ok(node) diff --git a/proxy/src/proxy.rs b/proxy/src/proxy.rs index 5824b70df9..43f9f6261a 100644 --- a/proxy/src/proxy.rs +++ b/proxy/src/proxy.rs @@ -178,13 +178,6 @@ impl ClientMode { } } - pub fn allow_self_signed_compute(&self, config: &ProxyConfig) -> bool { - match self { - ClientMode::Tcp => config.allow_self_signed_compute, - ClientMode::Websockets { .. } => false, - } - } - fn hostname<'a, S>(&'a self, s: &'a Stream) -> Option<&'a str> { match self { ClientMode::Tcp => s.sni_hostname(), @@ -311,7 +304,6 @@ pub async fn handle_client( locks: &config.connect_compute_locks, }, &user_info, - mode.allow_self_signed_compute(config), config.wake_compute_retry_config, config.connect_to_compute_retry_config, ) diff --git a/proxy/src/proxy/connect_compute.rs b/proxy/src/proxy/connect_compute.rs index c8528d0296..584cdff490 100644 --- a/proxy/src/proxy/connect_compute.rs +++ b/proxy/src/proxy/connect_compute.rs @@ -99,7 +99,6 @@ pub async fn connect_to_compute( ctx: &mut RequestMonitoring, mechanism: &M, user_info: &B, - allow_self_signed_compute: bool, wake_compute_retry_config: RetryConfig, connect_to_compute_retry_config: RetryConfig, ) -> Result 
@@ -113,7 +112,6 @@ where if let Some(keys) = user_info.get_keys() { node_info.set_keys(keys); } - node_info.allow_self_signed_compute = allow_self_signed_compute; // let mut node_info = credentials.get_node_info(ctx, user_info).await?; mechanism.update_connect_config(&mut node_info.config); let retry_type = RetryType::ConnectToCompute; diff --git a/proxy/src/proxy/tests.rs b/proxy/src/proxy/tests.rs index ad48af0093..f0aeb24423 100644 --- a/proxy/src/proxy/tests.rs +++ b/proxy/src/proxy/tests.rs @@ -523,7 +523,6 @@ fn helper_create_cached_node_info(cache: &'static NodeInfoCache) -> CachedNodeIn branch_id: (&BranchId::from("branch")).into(), cold_start_info: crate::console::messages::ColdStartInfo::Warm, }, - allow_self_signed_compute: false, }; let (_, node) = cache.insert("key".into(), node); node @@ -558,7 +557,7 @@ async fn connect_to_compute_success() { max_retries: 5, backoff_factor: 2.0, }; - connect_to_compute(&mut ctx, &mechanism, &user_info, false, config, config) + connect_to_compute(&mut ctx, &mechanism, &user_info, config, config) .await .unwrap(); mechanism.verify(); @@ -576,7 +575,7 @@ async fn connect_to_compute_retry() { max_retries: 5, backoff_factor: 2.0, }; - connect_to_compute(&mut ctx, &mechanism, &user_info, false, config, config) + connect_to_compute(&mut ctx, &mechanism, &user_info, config, config) .await .unwrap(); mechanism.verify(); @@ -595,7 +594,7 @@ async fn connect_to_compute_non_retry_1() { max_retries: 5, backoff_factor: 2.0, }; - connect_to_compute(&mut ctx, &mechanism, &user_info, false, config, config) + connect_to_compute(&mut ctx, &mechanism, &user_info, config, config) .await .unwrap_err(); mechanism.verify(); @@ -614,7 +613,7 @@ async fn connect_to_compute_non_retry_2() { max_retries: 5, backoff_factor: 2.0, }; - connect_to_compute(&mut ctx, &mechanism, &user_info, false, config, config) + connect_to_compute(&mut ctx, &mechanism, &user_info, config, config) .await .unwrap(); mechanism.verify(); 
@@ -644,7 +643,6 @@ async fn connect_to_compute_non_retry_3() { &mut ctx, &mechanism, &user_info, - false, wake_compute_retry_config, connect_to_compute_retry_config, ) @@ -666,7 +664,7 @@ async fn wake_retry() { max_retries: 5, backoff_factor: 2.0, }; - connect_to_compute(&mut ctx, &mechanism, &user_info, false, config, config) + connect_to_compute(&mut ctx, &mechanism, &user_info, config, config) .await .unwrap(); mechanism.verify(); @@ -685,7 +683,7 @@ async fn wake_non_retry() { max_retries: 5, backoff_factor: 2.0, }; - connect_to_compute(&mut ctx, &mechanism, &user_info, false, config, config) + connect_to_compute(&mut ctx, &mechanism, &user_info, config, config) .await .unwrap_err(); mechanism.verify(); diff --git a/proxy/src/serverless/backend.rs b/proxy/src/serverless/backend.rs index 52fc7b556a..d76b7d25d1 100644 --- a/proxy/src/serverless/backend.rs +++ b/proxy/src/serverless/backend.rs @@ -126,7 +126,6 @@ impl PoolingBackend { locks: &self.config.connect_compute_locks, }, &backend, - false, // do not allow self signed compute for http flow self.config.wake_compute_retry_config, self.config.connect_to_compute_retry_config, ) diff --git a/test_runner/fixtures/neon_fixtures.py b/test_runner/fixtures/neon_fixtures.py index b8ef63faa9..66c128c7d7 100644 --- a/test_runner/fixtures/neon_fixtures.py +++ b/test_runner/fixtures/neon_fixtures.py @@ -3039,7 +3039,6 @@ class NeonProxy(PgProtocol): # Link auth backend params *["--auth-backend", "link"], *["--uri", NeonProxy.link_auth_uri], - *["--allow-self-signed-compute", "true"], ] class Console(AuthBackend):