Hyperdrive without SSL?

Is there any way to use hyperdrive without SSL?
thomasgauvin 4w ago
Unfortunately no, security is a priority and Hyperdrive relies on SSL in order to guarantee a secure connection to your database. Are you also using tunnels?
AJR 4w ago
What Thomas said. You'd probably need to stick session-mode pgbouncer or something in the middle to terminate SSL for you, if you're really stuck. But it's not something we can reasonably disable, I'm afraid.
johtso (OP) 4w ago
I was just thinking along the lines of pgbouncer. That's fair enough, I understand why you'd have that restriction. It's just frustrating, as everything works beautifully through Hyperdrive, but all the existing infrastructure falls over as soon as SSL is enabled, presumably due to some SSL incompatibility on some old version of Windows or something. And I think Postgres advertises SSL availability as soon as it's on; there's no way to have certain connections unaware of its availability. Was hoping I could use pg_hba rules to keep some connections nossl, but then they just try to connect with SSL and fall over when there's no rule that lets them.
AJR 4w ago
I think you can, actually. Should be a server-side SSL mode that offers it but doesn't require it? Let me double check that real quick.
johtso (OP) 4w ago
But I think it's even the offering it that's a problem, as the clients seem to be happy to accept, and then things go wrong. "host" should be "optional ssl".
AJR 4w ago
Well, the other clients would need to connect with sslmode=disable to not use it if offered, yes.
johtso (OP) 4w ago
Yeah, unfortunately I have no control over those clients, I'm just tiptoeing around a 3rd party's mess.
AJR 4w ago
Ahhh. I see. That's a tough position.
johtso (OP) 4w ago
But pgbouncer seems like it should be a source of hope.
AJR 4w ago
Yeah, I think in that scenario your best bet is a proxy to terminate SSL for you. PGbouncer's good. Just, we do recommend session-mode as sometimes stacking transaction-mode poolers can give you odd behavior. I'd have expected this to work too. I'm surprised it didn't.
johtso (OP) 4w ago
Googling also throws up stunnel as a potential option. Had no luck with stunnel (some cryptic SSL error), but pgbouncer worked a treat.
AJR 4w ago
Very glad to hear it!
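
A PgBouncer configuration of the kind the thread settles on, as an added example that is not part of the original posts or of Cloudflare's documentation: PgBouncer runs in session mode, requires TLS from Hyperdrive, and speaks plaintext to a Postgres server that keeps SSL off for the legacy clients. The addresses, ports, database name and file paths are assumed placeholders.

```ini
; pgbouncer.ini (constructed example; every host, port, name and path
; below is a placeholder, not a value from the thread)

[databases]
; Backend hop to the Postgres server that still runs with ssl = off so the
; third-party clients keep working. This hop is unencrypted, so keep
; PgBouncer on the same host (loopback) or on a trusted private segment.
appdb = host=127.0.0.1 port=5432 dbname=appdb

[pgbouncer]
; Listener that Hyperdrive connects to instead of Postgres directly.
listen_addr = 0.0.0.0
listen_port = 6432

; Session mode, as recommended in the thread, to avoid stacking a
; transaction-mode pooler underneath Hyperdrive's own pooling.
pool_mode = session

; Client side (Hyperdrive -> PgBouncer): TLS is mandatory.
; "require" rejects any client that does not negotiate TLS.
client_tls_sslmode = require
client_tls_key_file = /etc/pgbouncer/server.key
client_tls_cert_file = /etc/pgbouncer/server.crt

; Server side (PgBouncer -> Postgres): never attempt TLS, because the
; backend does not offer it in this setup.
server_tls_sslmode = disable

; Authenticate clients at PgBouncer rather than passing them through.
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt
```

Restrict who can reach the listener with firewall rules, since this port is now the only TLS-protected entry point to the database.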
