Set ALPN to pg if client sends Postgres Magic Bytes #5

Open
coolaj86 opened this issue May 11, 2024 · 0 comments
Contributor

coolaj86 commented May 11, 2024

If the client sends 00 00 00 08 04 d2 16 2f ("SSLRequest" - similar to StartTLS, but more ancient), then set ALPN to pg and send back N to force a plain connection through the tunnel, or S to tunnel TLS within TLS.

If the client sends 00 00 xx xx 00 03 00 00 (message length, v3), then it's a plain postgres connection. The whole first 4 bytes may be the Little-Endian encoded length (supports > 4k query params), but for the purpose of auto-detection we can assume the first two (or even 3) will be 0.

See also:

Postgres Magic Bytes

nc -l 54321 | hexyl
PGCONNECT_TIMEOUT=1 psql 'postgres://u:p@localhost:54321/d?sslmode=verify-full'
┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ 00 00 00 08 04 d2 16 2f ┊                         │⋄⋄⋄••×•/┊        │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘
PGCONNECT_TIMEOUT=1 psql 'postgres://u:p@localhost:54321/d?sslmode=disable'
┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ 00 00 00 46 00 03 00 00 ┊ 75 73 65 72 00 75 00 64 │⋄⋄⋄F⋄•⋄⋄┊user⋄u⋄d│
│00000010│ 61 74 61 62 61 73 65 00 ┊ 64 00 61 70 70 6c 69 63 │atabase⋄┊d⋄applic│
│00000020│ 61 74 69 6f 6e 5f 6e 61 ┊ 6d 65 00 70 73 71 6c 00 │ation_na┊me⋄psql⋄│
│00000030│ 63 6c 69 65 6e 74 5f 65 ┊ 6e 63 6f 64 69 6e 67 00 │client_e┊ncoding⋄│
│00000040│ 55 54 46 38 00 00       ┊                         │UTF8⋄⋄  ┊        │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘
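
The detection this issue describes, as an added Go example (not code from the project or from the issue author). It reads the length and code fields as big-endian 32-bit integers, which matches the capture above where `00 00 00 46` precedes a 70-byte message. The names `Kind`, `Sniff` and `Route` are hypothetical, and labelling a plain v3 startup as `pg` is an assumption taken from the issue title.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

type Kind int
const (
	Unknown    Kind = iota // not Postgres, or fewer than 8 bytes read so far
	SSLRequest             // 00 00 00 08 04 d2 16 2f
	StartupV3              // 00 00 xx xx 00 03 00 00
)

// Sniff classifies a connection's first 8 bytes; both fields are big-endian.
func Sniff(b []byte) Kind {
	if len(b) < 8 {
		return Unknown
	}
	length := binary.BigEndian.Uint32(b[0:4])
	code := binary.BigEndian.Uint32(b[4:8])
	switch {
	case length == 8 && code == 0x04d2162f:
		return SSLRequest
	case code == 0x00030000 && length >= 8 && length <= 0xffff: // top two length bytes zero
		return StartupV3
	}
	return Unknown
}

// Route returns the ALPN to set and the SSLRequest reply byte (0 = send none).
func Route(b []byte, tlsInTunnel bool) (alpn string, reply byte) {
	switch Sniff(b) {
	case SSLRequest:
		if tlsInTunnel {
			return "pg", 'S' // TLS within TLS
		}
		return "pg", 'N' // plain connection through the tunnel
	case StartupV3:
		return "pg", 0 // assumption: a plain startup is labelled "pg" too
	}
	return "", 0
}

func main() {
	// Constructed input: the SSLRequest bytes captured in the issue.
	alpn, reply := Route([]byte{0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f}, false)
	fmt.Printf("alpn=%q reply=%q\n", alpn, reply)
}
```

A caller should peek at these bytes rather than consume them, since a plain v3 startup message still has to be forwarded upstream intact.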