Postgres SSL Termination at AWS ELB

Question

Is it possible to terminate SSL at an AWS ELB to front a Postgres Server so as to make the following command succeed?

PGSSLMODE=verify-full \
PGSSLROOTCERT=/path/to/go-daddy-root-ca.pem \
PGCONNECT_TIMEOUT=5 \
psql -h my-postgres.example.com -p 5432 -U test_username test-database -c 'select 1';

I'm able to use TCP protocol at the load balancer, and TCP at the instance protocol if I set my ssl certificate and key on the Postgres service w/ the following arguments:

-c
ssl=on
-c
ssl_cert_file=/var/lib/postgresql/my-postgres.example.com.crt
-c
ssl_key_file=/var/lib/postgresql/my-postgres.example.com.key

However, I would like to handle the SSL at the Load Balancer level if possible, so as to not pass certs and keys into the instance running the postgres service. I've tried the following ELB configurations:

LB Proto, Instance Proto, Postres SSL, success/fail
TCP, TCP, on, success
SSL, TCP, on, failure
TCP, SSL, on, failure
SSL, SSL, on, failure
SSL, TCP, off, failure

The failure message is the following:

psql: error: could not connect to server: server closed the connection unexpectedly
    This probably means the server terminated abnormally
    before or while processing the request.

Maybe an NLB would work, of perhaps terminating SSL end-to-end at the Postgres Service level is the only way for a verify-full to succeed?

If it helps for an alternative approach, postgres is running in an EKS cluster.

Thank you for any info you can provide!

Answer 1

We are using NLB in front of the RDS postgres db. Unfortunately, it just "proxies" the requests w/out SSL termination there - the NLB is configured on TCP port 5432. Have you looked at the relatively new AWS RDS proxy - according to the docs it should be able to do the SSL termination, what I'm not sure about is if you can use it without RDS. The other way to go is of course to setup this proxy on your own, with all advantages and disadvantages of this solution.