postgres envoy ssl termination - ghdrako/doc_snipets GitHub Wiki

Envoy

Envoy postgres_proxy network filter features:

  • Decode non-SSL traffic, ignore SSL traffic (unless the filter terminates SSL itself; see terminate_ssl below)
  • Decode session information
  • Capture transaction information, including commits and rollbacks
  • Expose counters for different types of statements (INSERTs, SELECTs, DELETEs, UPDATEs, etc.)
  • Count frontend, backend, and unknown messages
  • Identify errors and backend responses

Envoy as systemd service

A quick sample based on the upstream hot-restarter wrapper looks like this:

[Unit]
Description=Envoy Proxy
Requires=network-online.target
After=network-online.target

[Service]
Type=simple
# ExecStart=/usr/local/bin/envoy-hot-restarter.py /usr/local/bin/start-envoy.sh
ExecStart=python3 /usr/local/bin/envoy-hot-restarter.py /usr/local/bin/start-envoy.sh
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -TERM $MAINPID
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target

envoy-hot-restarter.py and start-envoy.sh can be found in this doc: https://www.envoyproxy.io/docs/envoy/latest/operations/hot_restarter

We're trying to simplify this a bit with the package and release it with the right wrappers.

Create Linux Service

Create a file named envoy.service under the path /etc/systemd/system:

[Unit]
Description=Envoy

[Service]
ExecStart=/usr/bin/envoy -c /etc/envoy/envoy.yaml
Restart=always
RestartSec=5
KillMode=mixed
SyslogIdentifier=envoy
LimitNOFILE=640000

[Install]
WantedBy=multi-user.target

The envoy.yaml file is Envoy's entry point, as seen in the ExecStart command above. Envoy does not watch the file for changes after it has started: after editing it, check it with "envoy --mode validate -c /etc/envoy/envoy.yaml" and then restart the service (or hot-restart through the wrapper above) for the change to take effect.

Postgres SSL Termination

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 5432  # Frontend port
    filter_chains:
    - filters:
      - name: envoy.filters.network.postgres_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.postgres_proxy.v3alpha.PostgresProxy
          stat_prefix: imperva
          # Envoy answers the client's SSLRequest itself and upgrades the
          # connection to TLS through the starttls transport socket below.
          terminate_ssl: true
          # Envoy sends its own SSLRequest to the backend and closes the
          # connection if the backend does not answer 'S' (the default,
          # DISABLE, forwards cleartext to the backend).
          upstream_ssl: REQUIRE
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: backend_cluster
      transport_socket:
        name: envoy.transport_sockets.starttls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig
          tls_socket_config:
            common_tls_context:
              tls_certificates:
                certificate_chain:
                  filename: "/etc/envoy/certs/cert.pem"  # Path to SSL certificate
                private_key:
                  filename: "/etc/envoy/certs/key.pem"  # Path to SSL private key
  clusters:
  - name: backend_cluster
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: backend_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: psql-demo-db.com
                port_value: 5432
    transport_socket:
      # Upstream side of StartTLS: Envoy connects in cleartext, sends
      # SSLRequest, then switches the socket to TLS.
      name: envoy.transport_sockets.starttls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.starttls.v3.UpstreamStartTlsConfig
        # An empty UpstreamTlsContext encrypts but does not verify the
        # backend's certificate; add common_tls_context.validation_context
        # (trusted_ca) and sni before relying on this in production.
        tls_socket_config: {}
admin:
  access_log_path: /dev/null
  address:
    socket_address:
      # The admin API is unauthenticated and exposes config dumps, certificate
      # details and stats; bind it to 127.0.0.1 or firewall the port instead
      # of listening on all interfaces.
      address: 0.0.0.0
      port_value: 8000

A second, minimal variant of the same setup: SQL parsing disabled, a 10s idle timeout on the TCP proxy, and no upstream_ssl, so Envoy terminates TLS on port 54322 and forwards cleartext to PostgreSQL on port 5432.

static_resources:
  clusters:
  - name: postgres_cluster
    connect_timeout: 1s
    type: STRICT_DNS
    load_assignment:
      cluster_name: postgres_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 0.0.0.0  # as a destination this reaches the local host on Linux; use the backend's real address
                port_value: 5432

  listeners:
  - name: listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 54322
    filter_chains:
    - filters:
      - name: envoy.filters.network.postgres_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.postgres_proxy.v3alpha.PostgresProxy
          stat_prefix: egress_postgres
          enable_sql_parsing: false  # no statement parsing, so no per-statement-type counters
          # upstream_ssl is not set, so the default DISABLE applies: Envoy
          # decrypts here and sends cleartext to postgres_cluster.
          terminate_ssl: true
      - name: envoy.filters.network.tcp_proxy  # canonical name; envoy.tcp_proxy is the deprecated alias
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp_postgres
          cluster: postgres_cluster
          idle_timeout: 10s
      transport_socket:
        name: "starttls"
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig
          tls_socket_config:
            common_tls_context:
              tls_certificates:
                certificate_chain:
                  filename: "/d/fabrizio/ongres/etc/.creds/ssl/server.crt"
                private_key:
                  filename: "/d/fabrizio/ongres/etc/.creds/ssl/server.key"
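To see what the terminate_ssl and upstream_ssl settings in both configs actually negotiate on the wire, here is an added Python example. It is not code from this wiki page or from the Envoy project: probe_ssl, upstream_ssl_allows and FakeListener are names chosen for this example, and FakeListener is a constructed loopback stand-in for an Envoy listener so the handshake can be exercised offline. The client side sends the PostgreSQL SSLRequest packet, reads the one-byte 'S'/'N' answer, and on 'S' can upgrade the same socket to TLS (the StartTLS step the starttls transport socket performs); upstream_ssl_allows mirrors how the REQUIRE and DISABLE modes treat the backend's answer.

```python
import socket
import ssl
import struct
import sys
import threading

# PostgreSQL frontend/backend protocol: before the StartupMessage a client
# may send an 8-byte SSLRequest (length 8, code 80877103 = 1234<<16 | 5679).
# The server answers with one byte: 'S' (proceed with TLS) or 'N' (no TLS).
SSL_REQUEST_CODE = 80877103
SSL_REQUEST = struct.pack("!ii", 8, SSL_REQUEST_CODE)


def is_ssl_request(msg: bytes) -> bool:
    """True if msg is exactly the 8-byte SSLRequest packet."""
    if len(msg) != 8:
        return False
    length, code = struct.unpack("!ii", msg)
    return length == 8 and code == SSL_REQUEST_CODE


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, or whatever arrived before EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_ssl(host: str, port: int, tls_context: ssl.SSLContext = None,
              timeout: float = 5.0) -> tuple:
    """Send SSLRequest and return (answer, tls_version, cipher_name).

    answer is 'S' or 'N'. When it is 'S' and a tls_context is given, the same
    TCP socket is upgraded to TLS and the negotiated version and cipher are
    returned, so you can see what the listener terminates.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(SSL_REQUEST)
        answer = _recv_exact(sock, 1)
        if answer not in (b"S", b"N"):
            raise ValueError(f"unexpected SSLRequest reply: {answer!r}")
        if answer == b"S" and tls_context is not None:
            with tls_context.wrap_socket(sock, server_hostname=host) as tls:
                return "S", tls.version(), tls.cipher()[0]
        return answer.decode(), None, None


def upstream_ssl_allows(backend_answer: str, upstream_ssl: str) -> bool:
    """Apply the filter's upstream_ssl setting to the backend's SSLRequest answer.

    REQUIRE: Envoy sends its own SSLRequest and drops the connection unless
    the backend answers 'S'. DISABLE (default): Envoy never asks and forwards
    cleartext, so the answer is irrelevant.
    """
    if upstream_ssl == "REQUIRE":
        return backend_answer == "S"
    if upstream_ssl == "DISABLE":
        return True
    raise ValueError(f"unknown upstream_ssl mode: {upstream_ssl}")


class FakeListener:
    """Constructed stand-in for a local Envoy listener (offline use only).

    terminate_ssl=True: a valid SSLRequest is answered with 'S', as the
    postgres_proxy filter does before handing the socket to StartTLS.
    terminate_ssl=False: the real filter relays the request to the backend;
    here that backend is modelled as one refusing SSL ('N'). Anything that
    is not an SSLRequest is answered by closing the connection.
    """

    def __init__(self, terminate_ssl: bool):
        self.terminate_ssl = terminate_ssl
        self.seen = []  # raw bytes each client sent, for inspection
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
        self._srv.listen(1)
        self.port = self._srv.getsockname()[1]

    def _serve_one(self) -> None:
        conn, _ = self._srv.accept()
        with conn:
            msg = _recv_exact(conn, 8)
            self.seen.append(msg)
            if is_ssl_request(msg):
                conn.sendall(b"S" if self.terminate_ssl else b"N")
        self._srv.close()

    def start(self) -> int:
        threading.Thread(target=self._serve_one, daemon=True).start()
        return self.port


if __name__ == "__main__":
    # Usage: python probe.py <host> <port> [ca.pem]
    # e.g. the listener from the first config above on port 5432.
    host, port = sys.argv[1], int(sys.argv[2])
    ctx = ssl.create_default_context(cafile=sys.argv[3] if len(sys.argv) > 3 else None)
    print(probe_ssl(host, port, tls_context=ctx))
```

Run against a live listener with the CA that signed cert.pem as the third argument; a self-signed certificate will fail the default-context verification, which is the correct outcome rather than a reason to disable verification in the probe. Against a listener with terminate_ssl set to false, the 'S' or 'N' you get back comes from the backend, because the filter only relays the SSLRequest in that mode.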