Open webvictim opened 1 year ago
In multiplexing mode, `tsh db config` does work, as long as there is nothing in between `tsh` and Proxy, as Proxy can detect the Postgres protocol by peeking at the packet headers:

It's a different story when something sits in between. The middleman must understand the Postgres protocol to extract the TLS information.
Currently, it's mandatory to use `tsh db connect` or `tsh proxy db` to connect to Postgres databases behind a Teleport cluster which has TLS multiplexing enabled. This is a worse experience for end users over just being able to construct their own Postgres configs. It also means that the output of `tsh db config` is incorrect when used with Teleport Cloud clusters.

Services like Neon are successfully using SNI extensions to target different Postgres databases behind a multiplexed endpoint.
There are more details on the exact TLS SNI implementation details and usage here: https://neon.tech/docs/connect/connection-errors#the-endpoint-id-is-not-specified
Teleport could implement this to make it possible to connect directly to the Postgres listener and be routed to the correct database without the need for `tsh db connect` or `tsh proxy db`. This benefits any Teleport user using TLS multiplexing (for example, all Teleport Cloud customers) and gives them an easier end-user experience which is more consistent with a self-hosted cluster.