Postgres proxy (proto)

This extension has the qualified name


This extension is only available in contrib images.


This extension is not hardened and should only be used in deployments where both the downstream and upstream are trusted.


This extension extends and can be used with the following extension category:


This API feature is currently work-in-progress. API features marked as work-in-progress are not considered stable, are not covered by the threat model, are not supported by the security team, and are subject to breaking changes. Do not use this feature without understanding each of the previous points.

Postgres Proxy configuration overview.

[ proto]

{
  "stat_prefix": ...,
  "enable_sql_parsing": {...},
  "terminate_ssl": ...,
  "upstream_ssl": ...
}

stat_prefix
(string, REQUIRED) The human readable prefix to use when emitting statistics.


enable_sql_parsing
(BoolValue) Controls whether SQL statements received in Frontend Query messages are parsed. Parsing is required to produce Postgres proxy filter metadata. Defaults to true.


terminate_ssl
(bool) Controls whether to terminate an SSL session initiated by a client. If the value is false, the Postgres proxy filter will not try to terminate the SSL session and will pass all packets to the upstream server. If the value is true, the Postgres proxy filter will try to terminate the SSL session. To do that, the filter chain must use the starttls transport socket. If the filter cannot terminate the SSL session, it closes the connection from the client. Refer to the official documentation for details: SSL Session Encryption Message Flow.


upstream_ssl
Controls whether to establish an upstream SSL connection to the server. Envoy will try to establish an upstream SSL connection to the server only when the Postgres filter is able to read the Postgres payload in clear-text. This happens when a client established a clear-text connection to Envoy, or when a client established an SSL connection to Envoy and the Postgres filter is configured to terminate SSL. Defaults to SSL_DISABLE.


[ proto]

Upstream SSL operational modes.


(DEFAULT) Do not encrypt upstream connection to the server.


Establish upstream SSL connection to the server. If the server does not accept the request for SSL connection, the session is terminated.
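
The interaction between terminate_ssl and upstream_ssl described above can be checked per session with a small model. This is an added example, not Envoy code: `FilterConfig`, `session_plan` and `findings` are hypothetical names, the sample packets are constructed, and the model assumes a client that never sends an SSLRequest is still accepted.

```python
import struct
from dataclasses import dataclass

# PostgreSQL SSLRequest: Int32 length (8) + Int32 code 80877103 (1234 << 16 | 5679).
SSL_REQUEST_CODE = 80877103

@dataclass(frozen=True)
class FilterConfig:  # hypothetical stand-in for the two SSL fields on this page
    terminate_ssl: bool = False
    upstream_ssl_required: bool = False  # False models the default, SSL_DISABLE

def is_ssl_request(first_bytes: bytes) -> bool:
    """True when the client's first message is a well-formed SSLRequest."""
    if len(first_bytes) < 8:
        return False
    length, code = struct.unpack("!II", first_bytes[:8])
    return length == 8 and code == SSL_REQUEST_CODE

def session_plan(cfg: FilterConfig, first_bytes: bytes) -> dict:
    """Model what each leg of one session looks like under cfg."""
    if is_ssl_request(first_bytes) and not cfg.terminate_ssl:
        # Packets are passed through; the filter never sees clear-text,
        # so Envoy does not attempt upstream SSL itself.
        return {"downstream": "ssl-passthrough", "filter_reads_sql": False,
                "envoy_upstream_ssl": False}
    # Clear-text client, or SSL terminated at the filter (needs starttls socket).
    # Assumption: a client that never sends SSLRequest is still accepted.
    downstream = "ssl-terminated" if is_ssl_request(first_bytes) else "cleartext"
    return {"downstream": downstream, "filter_reads_sql": True,
            "envoy_upstream_ssl": cfg.upstream_ssl_required}

def findings(cfg: FilterConfig, first_bytes: bytes) -> list:
    """Review notes for one (config, client) pair."""
    plan, notes = session_plan(cfg, first_bytes), []
    if plan["downstream"] == "cleartext":
        notes.append("client leg is clear-text")
    if plan["filter_reads_sql"] and not plan["envoy_upstream_ssl"]:
        notes.append("upstream leg is clear-text")
    if not plan["filter_reads_sql"]:
        notes.append("payload is opaque to the filter (SSL passed through)")
        if cfg.upstream_ssl_required:
            notes.append("upstream_ssl setting is not applied to this session")
    return notes

# Constructed sample inputs: an SSLRequest and a protocol 3.0 StartupMessage.
SSL_REQUEST = struct.pack("!II", 8, SSL_REQUEST_CODE)
_body = struct.pack("!I", 196608) + b"user\x00app\x00\x00"
STARTUP = struct.pack("!I", len(_body) + 4) + _body
```

Running `findings` over every combination of the two settings and both client types gives a quick review table of which legs carry SQL unencrypted.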