Cannot establish connection in threads spawned from process using SOCKS proxy

Issue #222 invalid
Former user created an issue

I am trying to lock down access to my Postgres database by IP whitelist. Since my application is hosted on Heroku, and they do not disclose IP address ranges, I have been attempting to run my application through a SOCKS proxy service, like QuotaGuard Static or Proximo.

Unfortunately, I was unable to establish any database connections using the proxy, and I was able to narrow it down to the point at which the Postgres gem opens a socket connection to the database server.

The connection process works normally when opened from the main thread, even through the SOCKS proxy.

However, establishing a connection from a spawned thread of a process using a SOCKS proxy times out.

I have primarily been using the Dante SOCKS client wrapper, since the PG gem does not appear to natively support proxies:

Here are some examples of code that do and do not work. It should be noted that the DATABASE_URL used below is configured to allow access only from the SOCKS server's IP address. Connections that are properly proxied will go through; connections that are not proxied will not be allowed, since they would originate from an IP address not allowed on the database.

Configure socksify and start an IRB session: $ socksify irb

The following works correctly:

irb> require 'pg'
 => true
irb> puts['DATABASE_URL'])
 => 0 # PQPING_OK

This also works correctly:

irb> require 'pg'
 => true
irb> conn =['DATABASE_URL'])
irb> { puts conn.exec('SELECT 1;').values.first }
 => "1"

This, however, does not work; the connection times out and fails to connect:

irb> require 'pg'
 => true
irb> { puts['DATABASE_URL']) }

I have, unfortunately, expired my knowledge of Unix sockets and proxies, so I need a little help or guidance here. Any thoughts or suggestions?

Comments (4)

  1. Jarrod Carlson

    I didn't know you could create issues anonymously, but I created this issue. Happy to discuss if you have any thoughts, anyone?

  2. Michael Granger repo owner

    I haven't ever used a proxy to connect to PostgreSQL, so I'm not sure how to try to replicate this, but the issue itself looks great. I'm swamped with work right now, but I'll see if I can set something up this weekend.

  3. Michael Granger repo owner

    Closing this; I haven't been able to set up an environment to replicate it, and I suspect since pg doesn't manage the connection itself that it's actually an issue with libpq. Feel free to reopen if you're still experiencing the problem.

  4. Log in to comment