I have to preface this by saying hooking up layer4 to terminate TLS for a database isn’t something I’ve dealt with personally before. I’ve just now experimented with Postgres for the same and researched a bit on the subject. Here are the findings:
- MySQL/MariaDB: @emilylange has already stated layer4 does not support STARTTLS.
- PostgreSQL: It has its own handshake before the exchange of TLS bytes. See:
  - ssl - NGINX TLS termination for PostgreSQL - Stack Overflow
    > Sadly that confirms what I feared. Adding SNI to the PostgreSQL protocol won’t help with solving your use case because the PostgreSQL protocol has its own handshake which happens before the SSL handshake so the session will not look like SSL to HA Proxy.
  - PostgreSQL: Documentation: 16: 55.2. Message Flow
    > To initiate an SSL-encrypted connection, the frontend initially sends an SSLRequest message rather than a StartupMessage. The server then responds with a single byte containing S or N, indicating that it is willing or unwilling to perform SSL, respectively. The frontend might close the connection at this point if it is dissatisfied with the response. To continue after S, perform an SSL startup handshake (not described here, part of the SSL specification) with the server.
- MSSQL: I couldn’t find hard evidence like the others, but I found this comment by F5 (link: Re: SSL offloading issue with MSSQL - DevCentral):
  > SQL traffic uses the TDS protocol. With TDS/TDS7, there is a PRELOGIN message that is sent by the client, prior to the beginning of the SSL/TLS handshake. The client-ssl profile is not expecting this, and resets the connections as non-SSL/TLS traffic.
It seems like any TLS-terminating proxy must be database-aware to handle the pre-handshake dance. For now, and I have not verified this personally, you can grab the certificates from Caddy storage and configure the database server to use them. You’ll need a way to update the certs when renewed.
If you ever find a way or another workaround, please share! I’d love to know.
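The PostgreSQL pre-handshake quoted above, as an added example that is not part of the original post or of Caddy/layer4: it builds the SSLRequest message from the protocol docs (length 8, code 80877103), classifies what the first bytes on the wire look like to a proxy, and emulates the server's one-byte S/N reply. All byte strings are constructed locally; the TLS ClientHello prefix and the function names are my own.

```python
"""Why a generic TLS-terminating proxy trips over PostgreSQL (added example)."""
import struct

PG_SSLREQUEST_CODE = 80877103   # (1234 << 16) | 5679, from the PostgreSQL docs
PG_GSSENC_CODE = 80877104       # (1234 << 16) | 5680, GSSAPI encryption request
PG_PROTOCOL_3_0 = 196608        # (3 << 16) | 0, version field of a StartupMessage


def pg_ssl_request() -> bytes:
    """The 8-byte SSLRequest a client sends before any TLS byte is exchanged."""
    return struct.pack("!ii", 8, PG_SSLREQUEST_CODE)


def classify_first_bytes(data: bytes) -> str:
    """Label the start of a client stream the way a TLS-terminating proxy must.

    A TLS ClientHello starts with a Handshake record: content type 0x16 and a
    legacy version 0x03 0x0X. PostgreSQL instead starts with a length-prefixed
    message whose code announces what the client wants; a proxy that only
    expects TLS sees this as non-TLS traffic.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-record"
    if len(data) >= 8:
        length, code = struct.unpack("!ii", data[:8])
        if length == 8 and code == PG_SSLREQUEST_CODE:
            return "pg-sslrequest"
        if length == 8 and code == PG_GSSENC_CODE:
            return "pg-gssencrequest"
        if length >= 8 and code == PG_PROTOCOL_3_0:
            return "pg-startup-cleartext"
    return "unknown"


def server_ssl_answer(request: bytes, tls_enabled: bool) -> bytes:
    """Emulate the server's single-byte reply: b'S' (willing) or b'N' (unwilling)."""
    if classify_first_bytes(request) != "pg-sslrequest":
        raise ValueError("not an SSLRequest")
    return b"S" if tls_enabled else b"N"


def next_step(reply: bytes) -> str:
    """What the client does after the reply, per the message-flow docs."""
    if reply == b"S":
        return "start TLS handshake on the same socket"
    if reply == b"N":
        return "continue in cleartext or close the connection"
    raise ValueError(f"unexpected reply {reply!r}")


# Constructed 5-byte TLS record header (handshake, version 3.1) plus a dummy body.
CLIENT_HELLO_PREFIX = bytes.fromhex("160301") + b"\x00\x05" + b"\x01\x00\x00\x01\x00"
```

Running `classify_first_bytes` over the two constructed prefixes shows the difference a proxy has to detect: the PostgreSQL client opens with `00 00 00 08 04 d2 16 2f`, not with a TLS record.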