
Don’t make databases available on the public internet

Blog post from Tailscale

Author: David Anderson
Word count: 788
Summary

David Anderson discusses how commonly PostgreSQL connections over the public internet are insecure: servers are frequently misconfigured, and clients rarely enforce TLS or verify the server certificate, leaving connections open to man-in-the-middle attacks. To address this, Anderson introduces a solution developed by Tailscale: pgproxy, a TLS-enforcing Postgres proxy that sits between Postgres clients and a cloud-hosted database. Built on Tailscale's tsnet library, the proxy accepts client connections only over the tailnet, so every client is authenticated and authorized regardless of its own transport security settings, and it connects to the upstream database using TLS with full certificate verification. Placing the proxy on the tailnet simplifies deployment, allows fine-grained access control through Tailscale's network ACLs, supports auditing through the proxy's connection logs, and delivers the security upgrade without requiring existing client software to be rewritten.