search

pramsey / pgsql-http

HTTP client for PostgreSQL, retrieve a web page from inside the database.
MIT License
1.3k stars 116 forks source link

Read environment variables for SSL Certificate bundle #167

Open robe2 opened 1 year ago

robe2 commented 1 year ago

To satisfy ogr_fdw, I can register a windows system environment variable:

CURL_CA_BUNDLE = C:\Program Files\PostgreSQL\15\ssl\certs\ca-bundle.crt

So I don't have to set it each time I need to reach a https site.

Sadly, http extension, I have to do this:

SELECT http_set_curlopt('CURLOPT_CAINFO', 'C:\Program Files\PostgreSQL\15\ssl\certs\ca-bundle.crt');
SELECT http_get('https://postgis.net');

Would be nice if it could read environment variables in a similar fashion to GDAL

pramsey commented 1 year ago

Hrm. Does that mean I have to read all CURLOPTs from the environment? Should I then also consider reading them from GUCs? (Still cannot remember why I stopped doing that, maybe just the bad smell after all those postgis_raster upgrade issues.)

robe2 commented 1 year ago

If you go with your plan of dynamic GUCS (#89 ) that would work too and be more comprehensive.

The issue we had with postgis_raster is because since the GUCS were well defined in our code, a reload of the lib triggered a reregister of the GUCS and thus an annoying kind of alarming message. I think it only happens though if the lib names are different e.g. I noticed it when upgrading a 3.4 that had postgis-3.4.so for name to a postgis-3.5.so

Can't do below in same session

SELECT postgis_full_version();
SELECT postgis_extensions_upgrade();

But the http lib file name never changes, so I suspect the issue is moot for http extension.

Also if you don't explicitly define the GUCs in the code but you look for them by name, I think that may work.

I'm not sure if there is a downside to just allowing users to define anything they want http.whatever or if there is some rule, like you can't reference them if you don't define them in your code.

I tried with a readonly account and seems to work fine that I can register an arbitrary http.whatever and it sticks so assume it doesn't require super user privileges, but didn't try fumbling with the http code to see if it could actually read a GUC it did not register.

For my selfish reasons, I'd just like to define environment variable the CURLOPT_CAINFO since that is rarely ever known in windows and is a nuisance to have to set each time and since everything is https these days you can't get around it.