rust/neon
1
0
Fork 0
mirror of https://github.com/neondatabase/neon.git synced 2026-01-08 05:52:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6d7dc384a5501cdcc7b159f2c7f31d16a35b2f7b
neon/proxy
History
KlimentSerafimov d059e588a6 Added invariant check for project name. (#1921) 
Summary: Added invariant checking for project name. Refactored ClientCredentials and TlsConfig.

* Added formatting invariant check for project name:
**\forall c \in project_name . c \in [alnum] U {'-'}. 
** sni_data == <project_name>.<common_name>
* Added exhaustive tests for get_project_name.
* Refactored TlsConfig to contain common_name : Option<String>.
* Refactored ClientCredentials construction to construct project_name directly.
* Merged ProjectNameError into ClientCredsParseError.
* Tweaked proxy tests to accommodate refactored ClientCredentials construction semantics. 
* [Pytests] Added project option argument to test_proxy_select_1.
* Removed project param from Api since now it's contained in creds.
* Refactored &Option<String> -> Option<&str>.

Co-authored-by: Dmitrii Ivanov <dima@neon.tech>.
2022-06-22 09:34:24 -04:00
..
src
Added invariant check for project name. (#1921)
2022-06-22 09:34:24 -04:00
Cargo.toml
Added invariant check for project name. (#1921)
2022-06-22 09:34:24 -04:00
README.md
[proxy] Refactor cplane API and add new console SCRAM auth API
2022-05-02 18:32:18 +03:00

README.md

Proxy

Proxy binary accepts --auth-backend CLI option, which determines auth scheme and cluster routing method. Following backends are currently implemented:

  • legacy old method, when username ends with @zenith it uses md5 auth dbname as the cluster name; otherwise, it sends a login link and waits for the console to call back
  • console new SCRAM-based console API; uses SNI info to select the destination cluster
  • postgres uses postgres to select auth secrets of existing roles. Useful for local testing
  • link sends login link for all usernames

Using SNI-based routing on localhost

Now proxy determines cluster name from the subdomain, request to the my-cluster-42.somedomain.tld will be routed to the cluster named my-cluster-42. Unfortunately /etc/hosts does not support domain wildcards, so I usually use *.localtest.me which resolves to 127.0.0.1. Now we can create self-signed certificate and play with proxy:

openssl req -new -x509 -days 365 -nodes -text -out server.crt -keyout server.key -subj "/CN=*.localtest.me"

now you can start proxy:

./target/debug/proxy -c server.crt -k server.key

and connect to it:

PGSSLROOTCERT=./server.crt psql 'postgres://my-cluster-42.localtest.me:1234?sslmode=verify-full'