> On Jun 12, 2024, at 2:17 PM, Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
>
> (1) It'd add overhead without adding any security. Data going through
> a UNIX socket will only pass through the local kernel, and if that's
> compromised then it's game over anyway.

That's true. My preference would be to have an unencrypted connection via UNIX socket from the application to haproxy, then an encrypted connection using SSL certificate authentication from haproxy to the database. I spent some time attempting this. But that doesn't seem to be possible since haproxy doesn't understand the postgres protocol.

--
Regards,
- Casey
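In the PostgreSQL wire protocol's standard TLS negotiation, the client first sends a plaintext SSLRequest and waits for a one-byte answer before any TLS handshake starts, which is the step a generic TLS proxy does not perform. The sketch below is an added example, not part of the original message or of any project's code; `negotiate_pg_ssl`, `fake_server` and `demo` are hypothetical names, and the server side is a constructed stand-in run over a local socket pair.

```python
import socket
import struct
import threading

# SSLRequest message: Int32 length (8) followed by Int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def negotiate_pg_ssl(sock):
    """Send SSLRequest; return True if the server agrees to start TLS.

    'S' means the caller may now wrap the socket with ssl and present its
    client certificate; 'N' means the server refuses TLS. Exactly one byte
    is read, so nothing sent in plaintext is buffered ahead of the handshake.
    """
    sock.sendall(SSL_REQUEST)
    reply = sock.recv(1)
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    # Empty read (peer closed) or any other byte: do not continue in plaintext.
    raise ConnectionError(f"unexpected SSLRequest reply: {reply!r}")


def fake_server(sock, answer):
    """Constructed stand-in for a server: read the 8-byte request, answer once."""
    with sock:
        request = sock.recv(8, socket.MSG_WAITALL)
        sock.sendall(answer if request == SSL_REQUEST else b"E")


def demo(answer):
    """Run the negotiation against the stand-in server over a socket pair."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_server, args=(server, answer))
    worker.start()
    try:
        with client:
            return negotiate_pg_ssl(client)
    finally:
        worker.join()


if __name__ == "__main__":
    print("server accepts TLS:", demo(b"S"))
    print("server refuses TLS:", demo(b"N"))
```

A relay that accepts the application on a UNIX socket would run this step on its outbound connection and only then start TLS with certificate authentication toward the database.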