pgSSL is a proxy for PostgreSQL that accepts plain TCP connections (sslmode=disable) from clients, wraps them in SSL towards the backend PostgreSQL server, and optionally presents a client certificate to that server. This gives plain-text PostgreSQL clients SSL encryption and certificate-based authentication on the server side without any change to the client.
PostgreSQL accepts both plain and SSL connections on a single port, so it has its own handshake (the SSLRequest exchange shown below) that precedes the usual SSL/TLS handshake.
For this reason generic TLS proxies such as nginx, envoy, istio or HAProxy cannot wrap plain connections into SSL for PostgreSQL.
pgbouncer can be used for this task, but its purpose is to pool and load-balance connections, so for a simple SSL wrap it is overkill.
pgSSL wraps connections while honouring the PostgreSQL-specific SSL handshake:
```mermaid
sequenceDiagram
    client->>pgSSL: TCP connect (plain)
    pgSSL-->>PostgreSQL: SSLRequest
    PostgreSQL-->>pgSSL: S(OK)
    pgSSL-->>PostgreSQL: SSL Handshake
    PostgreSQL-->>pgSSL: SSL Handshake complete
    loop
        client->>pgSSL: plain query
        activate pgSSL
        pgSSL-->>PostgreSQL: encrypted query
        deactivate pgSSL
        PostgreSQL-->>pgSSL: encrypted result
        activate pgSSL
        pgSSL->>client: plain result
        deactivate pgSSL
    end
```
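The preamble in the diagram is what sets PostgreSQL apart from a generic TLS upgrade: the proxy must send an 8-byte SSLRequest and read a one-byte answer before the TLS handshake can start. The Go program below is an added example written for this page; it is not pgSSL's own code. The function names (`SSLRequestPacket`, `SendSSLRequest`, `UpgradeToTLS`, `ClientTLSConfig`) and the certificate file names are assumptions, and the backend in `main` is a constructed in-memory pipe that answers 'N' the way a PostgreSQL built without SSL would.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// sslRequestCode is the PostgreSQL protocol's SSLRequest code: 1234 in the
// most significant 16 bits and 5679 in the least significant 16 bits.
const sslRequestCode uint32 = 1234<<16 | 5679

// ErrSSLRefused is returned when the backend answers 'N' (no SSL support).
var ErrSSLRefused = errors.New("backend refused SSLRequest (answered 'N')")

// SSLRequestPacket builds the 8-byte SSLRequest message that a client sends
// in place of a StartupMessage: int32 length (8) followed by the request code.
func SSLRequestPacket() []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint32(buf[0:4], 8)
	binary.BigEndian.PutUint32(buf[4:8], sslRequestCode)
	return buf
}

// IsSSLRequest reports whether pkt is a well-formed SSLRequest. A server
// (or a test double standing in for one) uses this to recognise the preamble.
func IsSSLRequest(pkt []byte) bool {
	return len(pkt) == 8 &&
		binary.BigEndian.Uint32(pkt[0:4]) == 8 &&
		binary.BigEndian.Uint32(pkt[4:8]) == sslRequestCode
}

// SendSSLRequest performs the PostgreSQL-specific preamble on rw: it writes
// the SSLRequest and reads the one-byte reply. It returns true only for 'S';
// 'N' yields ErrSSLRefused so the caller fails closed instead of silently
// relaying the client's traffic in plain text.
func SendSSLRequest(rw io.ReadWriter) (bool, error) {
	if _, err := rw.Write(SSLRequestPacket()); err != nil {
		return false, err
	}
	var reply [1]byte
	if _, err := io.ReadFull(rw, reply[:]); err != nil {
		return false, err
	}
	switch reply[0] {
	case 'S':
		return true, nil
	case 'N':
		return false, ErrSSLRefused
	default:
		return false, fmt.Errorf("unexpected SSLRequest reply %q", reply[0])
	}
}

// UpgradeToTLS runs the preamble and then the ordinary TLS handshake on the
// same connection, returning the encrypted connection the proxy relays on.
func UpgradeToTLS(conn net.Conn, cfg *tls.Config) (*tls.Conn, error) {
	if _, err := SendSSLRequest(conn); err != nil {
		return nil, err
	}
	tc := tls.Client(conn, cfg)
	if err := tc.Handshake(); err != nil {
		return nil, err
	}
	return tc, nil
}

// ClientTLSConfig verifies the backend under serverName and, when certFile
// and keyFile are given, presents that client certificate (the equivalent of
// the -c/-k flags). The file names passed in are placeholders.
func ClientTLSConfig(serverName, certFile, keyFile string) (*tls.Config, error) {
	cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
	if certFile != "" {
		cert, err := tls.LoadX509KeyPair(certFile, keyFile)
		if err != nil {
			return nil, err
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	return cfg, nil
}

func main() {
	// Constructed backend: the "server" end of an in-memory pipe reads the
	// preamble and answers 'N', as a PostgreSQL built without SSL would.
	client, server := net.Pipe()
	go func() {
		defer server.Close()
		buf := make([]byte, 8)
		if _, err := io.ReadFull(server, buf); err != nil || !IsSSLRequest(buf) {
			return
		}
		server.Write([]byte{'N'})
	}()
	if _, err := SendSSLRequest(client); err != nil {
		fmt.Println("refusing to relay in plain text:", err)
	}
}
```

The design choice worth noting is that an 'N' reply is treated as a hard failure: a proxy whose whole purpose is to add encryption must not fall back to forwarding the client's plain-text session when the backend declines SSL.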
```shell
go install github.com/glebarez/pgssl
```

```shell
# with a client certificate presented to the backend
pgssl -p postgres-server:5432 -l :15432 -k client.key -c client.crt

# without a client certificate
pgssl -p postgres-server:5432 -l :15432

# with the password taken from the environment
PGSSL_PASSWORD=changeme pgssl -p postgres-server:5432 -l :15432
```