Nowadays, PostgreSQL is often used behind proxies. Some are PostgreSQL
protocol aware (Pgpool, PgBouncer), some are pure TCP (HAProxy). From
the database instance point of view, all clients come from the proxy.
There are two major problems with this topology:
* It neutralizes the host based authentication. Every client shares
the same source. Either we allow this source or not but we cannot allow
clients on a more fine-grained basis, or not by the IP address.
* It makes debugging harder. If we have a DDL or a slow query logged, we
cannot use the source to identify who is responsible.
On one hand, we can move the authentication and logging mechanisms to
PostgreSQL based proxies but they will never be as complete as
PostgreSQL itself. And they don't have features like HTTP health checks
to redirect trafic to nodes (health, role, whatever behind the URL). On
the other hand, those features are not implemented at all because they
don't know the PostgreSQL protocol, they simply forward requests.
In the HTTP reverse proxies world, there's a "dirty hack" to identify
the source IP address: add an HTTP header "X-Forwared-For" to the
request. It's the destination duty to do whatever they want with this
information. With this feature in mind, someone from HAProxy has
implemented this mechanism at the protocol level. It's called the PROXY
With this piece of logic at the beginning of the protocol, we could
implement a totally transparent proxy and benefit from the great
features of PostgreSQL regarding clients. Note that MariaDB support the
PROXY protocol in MaxScale (proxy) and MariaDB Server in recent
My question is, what do you think of this feature? Is it worth to spend
time implementing it in PostgreSQL or not?
> * Julien Riou ([hidden email]) wrote:
> > My question is, what do you think of this feature? Is it worth to spend
> > time implementing it in PostgreSQL or not?
> This isn't really the right list for this discussion, this list is for
> discussing PGAdmin (the PG administration client) not for PG itself
> (that list would be pgsql-hackers).
> However, pgbouncer already provides this feature, so I'd say it's a good
> feature and one that you want from your connection pooler.
Good catch! I'm sorry. I will forward the conversation directly to the
pgsql-hackers mailing list for further messages.