Hi,

Our setup has stunnel and HAProxy running on the same server. Our clients (PostgreSQL clients) connect to the port where stunnel is listening. Clients are sending encrypted data (setting sslmode=require in the pgsql connection options). Stunnel listens for the encrypted traffic and writes unencrypted traffic to another port on the same host where HAProxy is listening. Then HAProxy passes this request to one of many PostgreSQL servers. These servers are custom written to implement the PostgreSQL protocol. We want the IP of the PostgreSQL clients to be captured at the server. The HAProxy documentation says that the PROXY protocol is the only way to pass the original client IP for non-HTTP traffic. Can you please suggest how we can configure stunnel to listen for encrypted PostgreSQL client traffic (pgsql protocol) and write the unencrypted data to the HAProxy instance in the PROXY protocol?

Following are our current configurations for stunnel and HAProxy:

Stunnel:

foreground = yes
debug = 5
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
socket = l:SO_KEEPALIVE=1
socket = l:TCP_KEEPIDLE=120
socket = l:TCP_KEEPINTVL=30
socket = l:TCP_KEEPCNT=3
ciphers = HIGH:MEDIUM

[postgres-serverB]
protocol = pgsql
accept = 0.0.0.0:3255
connect = localhost:5433
retry = yes
cert = /etc/stunnel/stunnel.crt
delay = no
sslVersion = TLSv1.2


HAProxy:

listen pgsql
  mode tcp
  option tcplog
  bind *:5433
  balance leastconn
  timeout server 1d
  timeout client 1d
  option tcp-check
  option clitcpka
  server qspgsqlsvr1 host.docker.internal:5432 check


Thanks,

Ashok
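
(Added example, not part of Ashok's message or of the stunnel/HAProxy projects.) Whatever component ends up emitting the PROXY header in this chain (stunnel's manual lists a `protocol = proxy` option for that, but `protocol` takes a single value, so it cannot be set alongside `protocol = pgsql`; check the manual for your stunnel version), the custom PostgreSQL servers will only see the client IP if they parse that header before the first protocol byte. HAProxy expects the header on a `bind ... accept-proxy` listener and forwards it to a backend with `server ... send-proxy`. The script below encodes and parses a PROXY protocol v1 header as defined in the HAProxy spec ("PROXY TCP4|TCP6 src dst sport dport\r\n", at most 107 bytes, or "PROXY UNKNOWN\r\n"), so the backend authors can test their parser against it. The IP addresses, ports and the payload bytes are constructed sample values. A backend that reads this header should fail the connection on anything malformed rather than silently fall back to the TCP peer address, because that would log the proxy's address as the client's.

```python
import socket

PROXY_V1_MAX_LEN = 107  # hard upper bound on a v1 header line, per the HAProxy spec


def build_proxy_v1_header(src_ip, dst_ip, src_port, dst_port):
    """Encode the PROXY v1 header a TLS terminator would send ahead of the payload."""
    family = "TCP6" if ":" in src_ip else "TCP4"
    af = socket.AF_INET6 if family == "TCP6" else socket.AF_INET
    socket.inet_pton(af, src_ip)  # raises OSError on a malformed address
    socket.inet_pton(af, dst_ip)
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError("port out of range: %r" % port)
    header = ("PROXY %s %s %s %d %d\r\n" % (family, src_ip, dst_ip, src_port, dst_port)).encode("ascii")
    if len(header) > PROXY_V1_MAX_LEN:
        raise ValueError("header exceeds 107 bytes")
    return header


def _parse_port(text):
    # Ports are decimal without leading zeros; int() alone would accept "0054321".
    if not text.isdigit() or (len(text) > 1 and text[0] == "0"):
        raise ValueError("bad port field: %r" % text)
    port = int(text)
    if port > 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_proxy_v1(data):
    """Split a PROXY v1 header off the start of a byte stream.

    Returns (info, payload). Raises ValueError on anything malformed; the
    caller should close the connection, not fall back to the TCP peer address.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("connection did not start with a PROXY v1 header")
    end = data.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end == -1:
        raise ValueError("PROXY header not CRLF-terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        # Sender could not determine the original addresses; spec says ignore the rest of the line.
        return {"family": "UNKNOWN"}, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY header: %r" % data[:end])
    family, src_ip, dst_ip, src_port, dst_port = fields[1:]
    af = socket.AF_INET if family == "TCP4" else socket.AF_INET6
    try:
        socket.inet_pton(af, src_ip)
        socket.inet_pton(af, dst_ip)
    except OSError as exc:
        raise ValueError("address does not match %s: %s" % (family, exc))
    info = {
        "family": family,
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "src_port": _parse_port(src_port),
        "dst_port": _parse_port(dst_port),
    }
    return info, payload


def demo():
    """Round-trip a constructed header in front of a constructed PostgreSQL payload."""
    header = build_proxy_v1_header("192.0.2.10", "10.0.0.5", 54321, 3255)
    payload = b"<constructed pgsql startup message>"  # stands in for the real StartupMessage bytes
    info, rest = parse_proxy_v1(header + payload)
    return info, rest


if __name__ == "__main__":
    info, rest = demo()
    print("client address seen by backend: %s:%d" % (info["src_ip"], info["src_port"]))
    print("bytes handed to the pgsql parser: %r" % rest)
```

The `demo()` function shows the order of operations a backend must follow: consume the header first, then hand only the remaining bytes to the PostgreSQL protocol parser.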