postgres-ha

Add TLS support

Open davissp14 opened this issue 4 years ago • 3 comments

Neither the Fly proxy nor HAProxy understands pgsql, which means we are not able to handle TLS termination in the same way we do for other apps. We need to decide whether to use something like Stunnel to handle termination or work to inject certificates as secrets and just have Postgres handle it.

davissp14 • Oct 15 '21 20:10

If it's possible, I'd prefer to just show people how to set up a pgbouncer that does TLS termination and points at their postgres cluster. It makes a lot of sense to isolate public ports to a special pgbouncer vm!

We can also just not do this for quite some time.

mrkurt • Oct 15 '21 21:10

Yeah, I think that could work. I think the big thing would be to ensure pgbouncer runs within the same regions as their Postgres app in order to accommodate reads.

davissp14 • Oct 15 '21 22:10

Is this a duplicate of #4?

tv42 • May 26 '22 22:05