On 08/04/2021 03:59, Laurenz Albe wrote:
> On Wed, 2021-04-07 at 21:12 +0100, lejeczek wrote:
>> On 07/04/2021 17:36, Tom Lane wrote:
>>> lejeczek <peljasz@xxxxxxxxxxx> writes:
>>>> A novice here thus please go easy on me as I ask this - I
>>>> see docs/howtos all over the place be those either talk of
>>>> encryption or replication. I failed to find one which blends
>>>> these two concepts together - sure it's possible to have pgSQL
>>>> replication encrypted, right?
>>> Replication connections work exactly like normal sessions for
>>> this purpose. Just make sure you set any required parameters
>>> in the standby's connection string.
>>> regards, tom lane
>> Thanks. Would you know how 'clientcert=1' fits into the
>> equation?
>> With it present in pg_hba.conf pgSQL was not happy saying:
>> FATAL: connection requires a valid client certificate.
> Then include "sslcert" in "primary_conninfo".
> You can use all the libpq connection parameters:
> https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
> Yours,
> Laurenz Albe
This below is what 'pg_basebackup' generated on the master
itself, master which already was configured for TLS/certs.
primary_conninfo = 'user=replicator password=''9897''
channel_binding=prefer host=10.1.1.224 port=5432
sslmode=prefer sslcompression=0
ssl_min_protocol_version=TLSv1.2 gssencmode=prefer
krbsrvname=postgres target_session_attrs=any'
And with master's:
hostssl replication replicator 10.1.1.223/32 md5 clientcert=1
standby would not connect, but without 'clientcert=1' it
seems to work.
I guess my question - as any novice's - would be: is
replication really 100% encrypted? How to confirm-test it?
Lastly: is there anything more at 'pg_basebackup' stage user
can do to have 'configs' more ready, more complete for 'full
encryption' when starting with master already configured
with TLS?
I'm on 13.2 version.
many thanks, L.
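
An added example, not part of any message in this thread: a small Python check that parses a libpq connection string such as the primary_conninfo above and reports settings that leave TLS or the client certificate to chance. The function names, the placeholder password and the certificate paths are assumptions made for illustration.

```python
# Added example, not from the thread: audit a libpq conninfo (e.g. primary_conninfo).
FORCES_TLS = {"require", "verify-ca", "verify-full"}

def parse_conninfo(s):
    """Parse keyword=value pairs; values may be 'quoted' with backslash escapes."""
    params, i, n = {}, 0, len(s)
    while True:
        while i < n and s[i].isspace():
            i += 1
        if i >= n:
            return params
        eq = s.find("=", i)
        if eq < 0:
            raise ValueError("missing '=' near %r" % s[i:])
        key, i = s[i:eq].strip(), eq + 1
        while i < n and s[i].isspace():
            i += 1
        quoted = i < n and s[i] == "'"
        i += 1 if quoted else 0
        val = []
        while i < n and not ((s[i] == "'") if quoted else s[i].isspace()):
            if s[i] == "\\" and i + 1 < n:   # backslash escapes the next char
                i += 1
            val.append(s[i])
            i += 1
        if quoted and i >= n:
            raise ValueError("unterminated quote in value of %r" % key)
        i += 1 if quoted else 0              # step over the closing quote
        params[key] = "".join(val)

def audit(conninfo, hba_clientcert=False):
    """Return findings; hba_clientcert mirrors clientcert=1 in pg_hba.conf."""
    p, findings = parse_conninfo(conninfo), []
    mode = p.get("sslmode", "prefer")        # libpq's default is prefer
    if mode not in FORCES_TLS:
        findings.append("sslmode=%s does not require TLS" % mode)
    elif mode == "require":
        findings.append("sslmode=require encrypts; verify-full also authenticates the server")
    if hba_clientcert and not ("sslcert" in p and "sslkey" in p):
        findings.append("sslcert/sslkey not set; libpq falls back to ~/.postgresql/")
    return findings

# Constructed from the parameters quoted in the thread; placeholder password.
THREAD = ("user=replicator password='example' channel_binding=prefer "
          "host=10.1.1.224 port=5432 sslmode=prefer sslcompression=0")
# Hypothetical hardened variant; the certificate paths are placeholders.
HARDENED = ("user=replicator host=10.1.1.224 sslmode=verify-full "
            "sslrootcert=/path/root.crt sslcert=/path/standby.crt sslkey=/path/standby.key")

print(audit(THREAD, hba_clientcert=True))
```

On a running primary, joining the pg_stat_ssl view to pg_stat_replication on pid shows whether each standby's connection is actually using TLS, and with which protocol version and cipher.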