pgsql-http icon indicating copy to clipboard operation
pgsql-http copied to clipboard

Published 20 hours ago verified publisher icon pramsey

Read environment variables for SSL Certificate bundle

Open robe2 opened this issue 2 years ago • 2 comments

To satisfy ogr_fdw, I can register a windows system environment variable:

CURL_CA_BUNDLE = C:\Program Files\PostgreSQL\15\ssl\certs\ca-bundle.crt

So I don't have to set it each time I need to reach a https site.

Sadly, http extension, I have to do this:

SELECT http_set_curlopt('CURLOPT_CAINFO', 'C:\Program Files\PostgreSQL\15\ssl\certs\ca-bundle.crt');
SELECT http_get('https://postgis.net');

Would be nice if it could read environment variables in a similar fashion to GDAL

robe2 avatar Aug 20 '23 00:08 robe2

Hrm. Does that mean I have to read all CURLOPTs from the environment? Should I then also consider reading them from GUCs? (Still cannot remember why I stopped doing that, maybe just the bad smell after all those postgis_raster upgrade issues.)

pramsey avatar Aug 20 '23 03:08 pramsey

If you go with your plan of dynamic GUCS (#89 ) that would work too and be more comprehensive.

The issue we had with postgis_raster is because since the GUCS were well defined in our code, a reload of the lib triggered a reregister of the GUCS and thus an annoying kind of alarming message. I think it only happens though if the lib names are different e.g. I noticed it when upgrading a 3.4 that had postgis-3.4.so for name to a postgis-3.5.so

Can't do below in same session

SELECT postgis_full_version();
SELECT postgis_extensions_upgrade();

But the http lib file name never changes, so I suspect the issue is moot for http extension.

Also if you don't explicitly define the GUCs in the code but you look for them by name, I think that may work.

I'm not sure if there is a downside to just allowing users to define anything they want http.whatever or if there is some rule, like you can't reference them if you don't define them in your code.

I tried with a readonly account and seems to work fine that I can register an arbitrary http.whatever and it sticks so assume it doesn't require super user privileges, but didn't try fumbling with the http code to see if it could actually read a GUC it did not register.

For my selfish reasons, I'd just like to define environment variable the CURLOPT_CAINFO since that is rarely ever known in windows and is a nuisance to have to set each time and since everything is https these days you can't get around it.

robe2 avatar Aug 22 '23 03:08 robe2