tcproxy 0.1.0

A TCP proxy for PostgreSQL connections with SSH tunnel support and runtime target switching
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176

# PostgreSQL Proxy Project Execution Plan

## Project Overview
Build a simple TCP proxy that forwards PostgreSQL connections to different target databases (including SSH-tunneled connections) based on configuration, allowing services to use a single connection string while dynamically switching backends.

## Phase 1: Setup & Basic Implementation (Week 1)

### Day 1-2: Project Setup
- [ ] Choose language (Go or Rust - decision needed)
- [ ] Initialize project structure
- [ ] Set up basic logging framework
- [ ] Create configuration structure (YAML/JSON)
- [ ] Define basic command-line interface

### Day 3-5: Core Proxy Implementation
- [ ] Implement basic TCP listener
- [ ] Create connection forwarding logic
- [ ] Add configuration parsing
- [ ] Test with local PostgreSQL instances
- [ ] Implement graceful shutdown

### Configuration Structure
```yaml
proxy:
  listen_port: 5433
  target:
    host: "postgres1.local"
    port: 5432
    ssh:
      enabled: false
```

## Phase 2: SSH Integration (Week 2)

### Day 1-3: SSH Tunnel Support
- [ ] Add SSH client library
- [ ] Implement SSH tunnel creation
- [ ] Add certificate-based authentication
- [ ] Test with remote PostgreSQL over SSH

### Day 4-5: Connection Management
- [ ] Implement connection pooling to targets
- [ ] Add health checking for target databases
- [ ] Handle SSH connection failures gracefully

### Enhanced Configuration
```yaml
targets:
  production:
    host: "prod-db.example.com"
    port: 5432
    ssh:
      enabled: true
      host: "bastion.example.com"
      user: "dbuser"
      key_file: "/path/to/cert.pem"
  development:
    host: "localhost"
    port: 5432
    ssh:
      enabled: false

active_target: "production"
```

## Phase 3: Dynamic Switching (Week 3)

### Day 1-3: Configuration Hot-Reload
- [ ] Implement configuration file watching
- [ ] Add graceful connection draining
- [ ] Test switching between targets without dropping connections

### Day 4-5: Control Interface
- [ ] Add HTTP API for runtime control
- [ ] Implement health check endpoint
- [ ] Add metrics/status endpoint

### Control API
```
GET  /health
POST /switch-target
GET  /status
GET  /metrics
```

## Phase 4: Production Readiness (Week 4)

### Day 1-2: Error Handling & Logging
- [ ] Comprehensive error handling
- [ ] Structured logging with levels
- [ ] Connection metrics and monitoring
- [ ] Proper resource cleanup

### Day 3-4: Testing & Documentation
- [ ] Unit tests for core functions
- [ ] Integration tests with real PostgreSQL
- [ ] Docker container setup
- [ ] README with usage examples

### Day 5: Deployment Preparation
- [ ] Systemd service file
- [ ] Configuration templates
- [ ] Performance testing
- [ ] Security review

## Technical Milestones

### Milestone 1: Basic Proxy (End of Week 1)
- Services can connect through proxy to single target
- Configuration-based target selection
- Basic logging and error handling

### Milestone 2: SSH Support (End of Week 2)
- SSH tunnel connections working
- Certificate-based authentication
- Connection health monitoring

### Milestone 3: Dynamic Switching (End of Week 3)  
- Runtime target switching
- Graceful connection handling
- HTTP control interface

### Milestone 4: Production Ready (End of Week 4)
- Comprehensive testing
- Documentation complete
- Deployment artifacts ready

## Key Decisions Needed

### Immediate (Day 1)
- [ ] Language choice: Go vs Rust
- [ ] Configuration format: YAML vs JSON vs TOML

### Week 1
- [ ] Logging framework choice
- [ ] Configuration hot-reload approach
- [ ] Connection pooling strategy

### Week 2
- [ ] SSH library selection
- [ ] Health check implementation
- [ ] Error retry policies

## Risk Mitigation

### Technical Risks
- **SSH connection instability**: Implement connection retry with exponential backoff
- **PostgreSQL protocol complexity**: Start with simple TCP forwarding, add protocol awareness later if needed
- **Connection state during switching**: Implement graceful draining with timeout

### Timeline Risks
- **Scope creep**: Keep initial version simple, add features incrementally
- **SSH debugging**: Plan extra time for SSH certificate/networking issues
- **Testing complexity**: Use Docker for consistent test environments

## Success Criteria

### MVP (End of Week 2)
- All services use single connection string pointing to proxy
- Proxy forwards to configured PostgreSQL target
- SSH tunnel connections work with certificates
- Basic configuration switching works

### Production Ready (End of Week 4)
- Zero-downtime target switching
- Comprehensive error handling and logging
- Production deployment artifacts
- Documentation for operations team

## Next Steps
1. **Choose language** (Go vs Rust decision)
2. **Set up development environment** 
3. **Create basic project structure**
4. **Start with simple TCP proxy implementation**

**Total estimated effort**: 3-4 weeks for production-ready solution.