Show HN: PGT-Proxy – A PostgreSQL Proxy in 277 Lines of Rust

github.com

10 points by galeaspablo 2 days ago

It's time we talked about something many developers, data analysts, and even web application servers are guilty of: downgrading PostgreSQL connection security. Too often, we see connections dropped from full TLS verification to "any TLS" (i.e., sslmode=require, which encrypts but does not verify the server's certificate) or, even worse, plain text connections. Why? Because most cloud providers, like AWS or Google Cloud SQL, use non-public Certificate Authorities for PostgreSQL. The result? Unverified TLS connections, because no one has time to configure every device across an organization to trust custom certificate authorities.

And here's the most egregious part: some vendors that need to connect to your database outright recommend downgrading TLS, disabling TLS, or placing private databases in public subnets. I was so fed up with seeing this.

So I wrote and open sourced PGT-Proxy!

== What is PGT-Proxy? ==

PGT-Proxy is an intermediary server that securely bridges TLS-enabled PostgreSQL clients and servers. It acts as a reverse proxy with support for PostgreSQL's unique TLS negotiation, which requires bidirectional transmission of special bytes before the TLS handshake begins. This preamble is why you can't just stick a generic load balancer in front of a PostgreSQL database and expect it to work.
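The special bytes in question are PostgreSQL's SSLRequest preamble: the client sends an 8-byte message (Int32 length 8, Int32 code 80877103) and the server answers with a single byte, 'S' to proceed with TLS or 'N' to decline, after which the TLS handshake starts on the same connection. The following is an added illustration, not code from the PGT-Proxy repository; it builds and recognises that preamble and shows the client-side decision that a verifying client (or a proxy acting as one) must make when the server answers 'N'.

```python
import struct

# PostgreSQL frontend/backend protocol: before any TLS handshake the client
# sends an 8-byte SSLRequest (Int32 length = 8, Int32 code = 80877103, i.e.
# 1234 in the high 16 bits and 5679 in the low 16 bits). The server answers
# with one byte: b"S" (start TLS now) or b"N" (TLS not available).
SSL_REQUEST_CODE = (1234 << 16) | 5679  # 80877103 == 0x04D2162F
SSL_REQUEST = struct.pack("!ii", 8, SSL_REQUEST_CODE)


def build_ssl_request() -> bytes:
    """Bytes a client (or a proxy's upstream leg) sends first on a new connection."""
    return SSL_REQUEST


def is_ssl_request(first_bytes: bytes) -> bool:
    """True when the first 8 bytes received from a client form an SSLRequest.

    A proxy's listening side needs this check: anything else is either a
    cleartext StartupMessage or garbage, not a request to negotiate TLS.
    """
    if len(first_bytes) < 8:
        return False
    length, code = struct.unpack("!ii", first_bytes[:8])
    return length == 8 and code == SSL_REQUEST_CODE


def server_reply(tls_available: bool) -> bytes:
    """The one-byte answer a listening side gives to an SSLRequest."""
    return b"S" if tls_available else b"N"


def client_may_proceed(reply: bytes, sslmode: str) -> bool:
    """Decide whether to start the TLS handshake after reading the server's reply.

    b"N" only ever means "continue in cleartext". A client configured with
    sslmode require, verify-ca or verify-full must fail here rather than
    silently downgrade; only prefer/allow/disable fall back to cleartext.
    Returns True when the caller should wrap the socket in TLS next.
    """
    if reply == b"S":
        return True
    if reply == b"N":
        if sslmode in ("require", "verify-ca", "verify-full"):
            raise ConnectionError("server declined TLS; refusing to downgrade to cleartext")
        return False
    raise ValueError(f"unexpected reply to SSLRequest: {reply!r}")
```

After a True result the client wraps the same socket in a TLS context (for verify-full, one loaded with the provider's CA bundle) and only then sends the normal StartupMessage inside the encrypted channel.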

== Key Features ==

TLS Termination and Initiation: PGT-Proxy handles TLS connections on both the client and server sides, ensuring end-to-end encryption.

Certificate Management: Supports custom certificate authorities, enabling full TLS verification even with non-public CAs.

Binary or Dockerized Deployment: Deploy it as a standalone binary or as a Docker image from Docker Hub, making it easy to integrate into your existing infrastructure.

Small Footprint: PGT-Proxy is written in Rust, and its Docker image is very lightweight, containing only a trimmed OS and the PGT-Proxy binary.

== Why I Built PGT-Proxy ==

Our customers needed secure connections from our network to their private PostgreSQL databases, without the hassle of managing custom CAs or setting up complex network configurations. We realized that the lack of straightforward tools enforcing proper TLS connections led many to adopt insecure practices. By creating PGT-Proxy, I aim to make secure, fully verified TLS connections simple and accessible.

== Try It ==

You can see the source code on GitHub, use the public Docker image, and let me know what you think. I'm around to answer questions, take feedback, or even show you how to use it (the docs are pretty good, but my email is on my profile if you need me).

https://github.com/ambarltd/pgt-proxy
https://hub.docker.com/r/ambarltd/pgt-proxy