NGINX TLS termination for PostgreSQL


Question


I’ve been trying to use NGINX as a TLS terminator for my PostgreSQL database but without success.

When I try to connect to the database I get the following error:

server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request.

When I remove the ssl option in listen I can connect without any errors. I've tried running another service (Eclipse Mosquitto) with the same NGINX settings, TLS enabled, and it works fine.

I'm using Postico as my DB tool.

Here are the NGINX settings I'm using.

# nginx.conf

stream {
    server {
        listen 20000 ssl;   # Can't connect with PostgreSQL, but Mosquitto works
        # listen 20000;     # Can connect with both PostgreSQL and Mosquitto
        proxy_pass 192.168.1.123:30000;
        include /home/custom/ssl_conf.conf;
    }
}

# ssl_conf.conf

ssl_certificate           /etc/nginx/fullchain.pem;
ssl_certificate_key       /etc/nginx/privkey.pem;
ssl_ciphers               'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam               /etc/nginx/ssl/dhparam.pem;
ssl_protocols             TLSv1.2;
ssl_prefer_server_ciphers on;

Solution

In short: it's not possible because PostgreSQL has its own handshake that precedes the SSL handshake.

To avoid this you can simply set PostgreSQL to use SSL at its level, and use Nginx's TCP stream as pass-through (the communication is encrypted end-to-end).

Source: https://www.postgresql.org/message-id/d05341b9-033f-d5fe-966e-889f5f9218e5%40proxel.se

Sadly that confirms what I feared. Adding SNI to the PostgreSQL protocol won't help with solving your use case because the PostgreSQL protocol has its own handshake which happens before the SSL handshake so the session will not look like SSL to HA Proxy.

Just like HA Proxy does not support STARTTLS for IMAP[1] I do not think that it will ever support SSL for the PostgreSQL protocol, SNI or not.

To solve your use case I recommend using something like stunnel, which does support SNI, to wrap the unencrypted PostgreSQL protocol in SSL.

Setting SSL at Nginx's TCP stream level will trigger the following errors (also reported here: https://www.postgresql.org/message-id/flat/15688-55463748a04474a5%40postgresql.org):

  • when trying to connect with psql you get:

psql: error: server closed the connection unexpectedly
    This probably means the server terminated abnormally
    before or while processing the request.

  • when looking at the Nginx error log you see:

2021/02/01 19:18:01 [info] 6175#6175: *3 client 127.0.0.1:57496 connected to 127.0.0.1:5433
2021/02/01 19:18:01 [info] 6175#6175: *3 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking, client: 127.0.0.1, server: 127.0.0.1:5433
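To make the answer's point concrete, here is an added Python model (not code from the question, the answer, or any of the projects named) of the first bytes each side puts on the wire. The message layouts follow the PostgreSQL frontend/backend protocol (SSLRequest and StartupMessage) and the TLS record header; the `simulate()` function, the strings it returns and the `app`/`appdb` names are this example's own constructions, not real traffic or real log output.

```python
import struct

# PostgreSQL frontend/backend protocol (v3) message codes
SSL_REQUEST_CODE = (1234 << 16) | 5679   # 80877103: the SSLRequest "magic" number
PROTOCOL_3_0 = (3 << 16) | 0             # 196608: StartupMessage protocol version

# TLS record layer: a content-type byte, then a two-byte legacy version
TLS_CONTENT_HANDSHAKE = 0x16
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}


def build_ssl_request() -> bytes:
    """First message libpq/psql sends with sslmode=prefer or require:
    8 plaintext bytes (int32 length, int32 code), sent before any TLS."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def build_startup_message(user: str, database: str) -> bytes:
    """First message with sslmode=disable, or after the server answered the
    SSLRequest and the TLS layer is up: length, version, NUL-terminated
    key/value pairs, terminating NUL. The user/database values are constructed."""
    params = b"".join(
        k.encode() + b"\0" + v.encode() + b"\0"
        for k, v in (("user", user), ("database", database))
    ) + b"\0"
    return struct.pack("!ii", 8 + len(params), PROTOCOL_3_0) + params


def tls_record_header(body_len: int, version: int = 0x0301) -> bytes:
    """5-byte TLS record header that starts a ClientHello (type 0x16).
    Only the header is built here; a real ClientHello body would follow."""
    return struct.pack("!BHH", TLS_CONTENT_HANDSHAKE, version, body_len)


def classify_first_bytes(data: bytes) -> str:
    """Tell what kind of session the first bytes on a fresh TCP connection belong to."""
    if len(data) >= 5:
        ctype, version = struct.unpack("!BH", data[:3])
        if ctype == TLS_CONTENT_HANDSHAKE and version in TLS_RECORD_VERSIONS:
            return "tls-client-hello"
    if len(data) >= 8:
        length, code = struct.unpack("!ii", data[:8])
        if length == 8 and code == SSL_REQUEST_CODE:
            return "pg-ssl-request"
        if length >= 8 and code == PROTOCOL_3_0:
            return "pg-startup-message"
    return "unknown"


def openssl_record_check(data: bytes) -> str:
    """Model of the version check OpenSSL's record layer (ssl3_get_record)
    applies to the first record header. An SSLRequest starts 00 00 00 08,
    so the 'version' field reads 0x0000 and the handshake fails with the
    'wrong version number' error seen in the nginx log."""
    if len(data) < 5:
        return "need more data"
    _ctype, version = struct.unpack("!BH", data[:3])
    return "ok" if version in TLS_RECORD_VERSIONS else "wrong version number"


def simulate(proxy_mode: str, server_ssl: bool) -> str:
    """First round-trip for the two deployment shapes discussed in the answer.
    proxy_mode 'terminate' = `listen ... ssl`; 'passthrough' = plain `listen`.
    The returned strings are this example's own summaries, not real log text."""
    first = build_ssl_request()
    if proxy_mode == "terminate":
        # nginx hands the bytes to OpenSSL; PostgreSQL never sees them
        verdict = openssl_record_check(first)
        if verdict != "ok":
            return f"terminate: SSL_do_handshake fails ({verdict}); client sees the connection closed"
        return "terminate: TLS established at nginx"
    if proxy_mode != "passthrough":
        raise ValueError(proxy_mode)
    # passthrough: the 8 bytes reach PostgreSQL, which answers with one byte
    reply = b"S" if server_ssl else b"N"
    if reply == b"S":
        return "passthrough: server answered S; TLS handshake runs end to end"
    return "passthrough: server answered N; libpq stays in plaintext or aborts under sslmode=require"


if __name__ == "__main__":
    print(build_ssl_request().hex(" "))          # 00 00 00 08 04 d2 16 2f
    for mode, ssl_on in (("terminate", True), ("passthrough", True), ("passthrough", False)):
        print(simulate(mode, ssl_on))
```

Two practical consequences of the pass-through shape follow from the model. First, the TLS session terminates inside PostgreSQL, so the certificate and key go into postgresql.conf (`ssl = on`, `ssl_cert_file`, `ssl_key_file`) rather than into nginx, and the client must do the verification itself (`sslmode=verify-full` with `sslrootcert` pointing at the issuing CA); an nginx `listen` without `ssl` contributes nothing to confidentiality or authentication and must not be counted as a control. Second, as a version note on the answer above: PostgreSQL 17 added the libpq option `sslnegotiation=direct`, which starts with a TLS ClientHello instead of the SSLRequest, so with a 17-or-later server and client the first bytes classify as `tls-client-hello` and a TLS-terminating proxy no longer hits the error shown in the log; the answer remains accurate for the versions it was written against.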
