mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-07 05:22:56 +00:00
96e78394f5
The project/endpoint should be set in the original (non-as_ref'd) creds, because we call `wake_compute` not only in `try_password_hack` but also later in the connection retry logic. This PR also removes the obsolete `as_ref` method and makes the code simpler because we no longer need this complication after a recent refactoring. Further action points: finally introduce typestate in creds (planned).
Proxy
Proxy binary accepts --auth-backend CLI option, which determines auth scheme and cluster routing method. Following backends are currently implemented:
- console new SCRAM-based console API; uses SNI info to select the destination project (endpoint soon)
- postgres uses postgres to select auth secrets of existing roles. Useful for local testing
- link sends login link for all usernames
Using SNI-based routing on localhost
Now proxy determines project name from the subdomain, request to the round-rice-566201.somedomain.tld will be routed to the project named round-rice-566201. Unfortunately, /etc/hosts does not support domain wildcards, so I usually use *.localtest.me which resolves to 127.0.0.1. Now we can create self-signed certificate and play with proxy:
openssl req -new -x509 -days 365 -nodes -text -out server.crt -keyout server.key -subj "/CN=*.localtest.me"
start proxy
./target/debug/proxy -c server.crt -k server.key
and connect to it
PGSSLROOTCERT=./server.crt psql 'postgres://my-cluster-42.localtest.me:1234?sslmode=verify-full'