mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-08 05:52:55 +00:00
debd134b15
This is a hacky implementation of WebSocket server, embedded into our postgres proxy. The server is used to allow https://github.com/neondatabase/serverless to connect to our postgres from browser and serverless javascript functions. How it will work (general schema): - browser opens a websocket connection to `wss://ep-abc-xyz-123.xx-central-1.aws.neon.tech/` - proxy accepts this connection and terminates TLS (https) - inside encrypted tunnel (HTTPS), browser initiates plain (non-encrypted) postgres connection - proxy performs auth as in usual plain pg connection and forwards connection to the compute Related issue: #3225
Proxy
Proxy binary accepts --auth-backend CLI option, which determines auth scheme and cluster routing method. Following backends are currently implemented:
- console new SCRAM-based console API; uses SNI info to select the destination project (endpoint soon)
- postgres uses postgres to select auth secrets of existing roles. Useful for local testing
- link sends login link for all usernames
Using SNI-based routing on localhost
Now proxy determines project name from the subdomain, request to the round-rice-566201.somedomain.tld will be routed to the project named round-rice-566201. Unfortunately, /etc/hosts does not support domain wildcards, so I usually use *.localtest.me which resolves to 127.0.0.1. Now we can create self-signed certificate and play with proxy:
openssl req -new -x509 -days 365 -nodes -text -out server.crt -keyout server.key -subj "/CN=*.localtest.me"
start proxy
./target/debug/proxy -c server.crt -k server.key
and connect to it
PGSSLROOTCERT=./server.crt psql 'postgres://my-cluster-42.localtest.me:1234?sslmode=verify-full'