Channel: linuxadmin: Expanding Linux SysAdmin knowledge

pgbouncer and application password woes.


I am testing pgbouncer in my test environment and I am running into some security concerns. I was wondering if anyone here has solved my problem. My setup is that pgbouncer will reside on the appserver and it will bounce to the database accordingly.

Before pgbouncer I have a .conf file to connect to the database.

    gpgsql-host= testdb-abc.com
    gpgsql-dbname= testdb
    gpgsql-user= testuser
    gpgsql-port= 5432
    gpgsql-password=testdbpw

After pgbouncer my conf looks like this.

    gpgsql-host= localhost
    gpgsql-dbname= testdbpgbouncer
    gpgsql-user= testuser
    gpgsql-port= 6432
    gpgsql-password=testdbpw

pgbouncer.conf

    [databases]
    testdbpgbouncer = host=testdb-abc.com port=5432 dbname=testdb

    [pgbouncer]
    logfile = /var/log/postgresql/pgbouncer.log
    pidfile = /var/run/postgresql/pgbouncer.pid
    listen_addr = 127.0.0.1
    listen_port = 6432
    unix_socket_dir = /var/run/postgresql
    auth_type = md5
    auth_file = /etc/pgbouncer/userlist.txt
    pool_mode = session
    server_reset_query = DISCARD ALL
    max_client_conn = 20
    default_pool_size = 20

and in the userlist.txt I have

    "testuser" "testdbpw"

Here are the concerns I have.

  1. In the pgbouncer setup, if either of the passwords is wrong in test.conf or userlist.txt, the connection to the db will not work. That is very odd because I would've thought one of the params would trump the other, but that's not the case.

  2. I don't like having a clear text userlist.txt sitting on my system showing all the possible db passwords. Having the cleartext pw in the application's conf is bad enough; now I have it in two places AND if they are not the same the connection to the db will fail.

Note: the connection to the db is not an application problem, I'm just testing it with psycopg2 atm.

submitted by /u/juniorsysadmin1
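
An added example, not part of the original post: PgBouncer's auth_file also accepts a PostgreSQL-style MD5 secret ("md5" followed by the MD5 hex digest of password plus username) in place of the clear-text password, which bears on the second concern when auth_type = md5. The function names and the 0600 file mode are choices made for this example; the sample entry is the one from the post.

```python
import hashlib
import os
import re

# One userlist.txt entry: "user" "secret"; a doubled "" is an escaped quote.
ENTRY = re.compile(r'^\s*"((?:[^"]|"")*)"\s+"((?:[^"]|"")*)"')
MD5_SECRET = re.compile(r'^md5[0-9a-f]{32}$')

def pg_md5(user, password):
    """PostgreSQL-style MD5 secret: 'md5' + md5(password || username)."""
    return "md5" + hashlib.md5((password + user).encode("utf-8")).hexdigest()

def harden_line(line):
    """Return the line with a clear-text secret replaced by its MD5 form."""
    m = ENTRY.match(line)
    if not m:
        return line  # blank line or anything that is not a quoted entry
    user = m.group(1).replace('""', '"')
    secret = m.group(2).replace('""', '"')
    if not secret or MD5_SECRET.match(secret) or secret.startswith("SCRAM-SHA-256$"):
        return line  # empty, or already stored as MD5 / SCRAM secret
    return '"%s" "%s"' % (user.replace('"', '""'), pg_md5(user, secret))

def harden_userlist(text):
    """Convert every clear-text entry in a userlist.txt body."""
    return "\n".join(harden_line(l) for l in text.splitlines()) + "\n"

def write_private(path, text):
    """Create the file readable and writable by its owner only (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

if __name__ == "__main__":
    sample = '"testuser" "testdbpw"\n'  # entry from the post
    print(harden_userlist(sample), end="")
```

The MD5 secret is still sufficient on its own to pass md5 authentication, so userlist.txt should stay readable only by the account pgbouncer runs as.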
