PostgreSQL

This guide demonstrates a basic Fudo Enterprise configuration for monitoring and controlling PostgreSQL database access through a secure proxy connection.

Note

PostgreSQL connections use native client support only. The connection command is available through the User Access Gateway portal after configuration.

Prerequisites

Before starting this configuration:

  • System must be initialized (see System initiation)

  • PostgreSQL server must be accessible from Fudo Enterprise

  • PostgreSQL client (psql) must be installed on your workstation


Architecture Overview

The following diagram illustrates the PostgreSQL connection flow:

[Diagram: PostgreSQL connection flow]

Connection Flow:

  1. User authenticates to User Access Gateway (https://10.31.134.220)

  2. User receives connection command with One-Time Password (OTP)

  3. Native psql client connects through Fudo Enterprise proxy

  4. Fudo Enterprise authenticates and forwards connection to PostgreSQL server

Configuration Steps

Step 1: Create PostgreSQL Server

Define the target PostgreSQL server in Fudo Enterprise.

  1. Navigate to Session Management > Servers

  2. Click + Add server

  3. Configure the server with the following settings:

    General

    Name: PostgreSQL_Server
    Description: Production PostgreSQL Database
    Blocked: ☐ Unchecked

    Settings Tab: Protocol

    Protocol: PostgreSQL
    TLS enabled: ✓ Checked (recommended for security)
    Legacy crypto: ☐ Unchecked
    Use SSH tunnel: ☐ Unchecked

    Settings Tab: Bind Address

    Bind address: Any

    Settings Tab: Destination

    Type: IPv4
    Address: 10.0.100.7
    Mask: 32
    Port: 5432

    Settings Tab: Server Verification

    Method: Server certificate or None
  4. Click Save and Close.

Step 2: Create User

Create a user who will access the PostgreSQL server.


  1. Select User Management > Users.

  2. Click Add User.

  3. Provide essential user information:

    General

    Name: john_smith
    Blocked: ☐ Unchecked
    Account validity: Indefinite

    Settings Tab

    Authentication failures: ☐ Unchecked
    Enforce password complexity: ☐ Unchecked
    Add authentication method: Static password
    Password: john

    User Data Tab

    Full name: John Smith
    Email: john@smith.com

    Roles Tab

    Assign Role: e.g., admin
  4. Click Save and Close.

Step 3: Create Listener

Configure the proxy endpoint for PostgreSQL connections.

  1. Navigate to Session Management > Listeners

  2. Click Add

  3. Configure the listener:

    General Settings

    Name: PostgreSQL_Listener
    Protocol: PostgreSQL
    Blocked: ☐ Unchecked

    Connection Settings

    Mode: proxy
    Local address: 10.31.134.220
    Port: 5432
    TLS enabled: ✓ Checked (required for PostgreSQL)
    Legacy crypto: ☐ Unchecked

    Access Control

    Granted users: Leave empty (configured via safe)
  4. Click Save and Close.

Step 4: Create Account

Define database credentials for authentication.

  1. Navigate to Session Management > Accounts

  2. Click Add

  3. Configure the account:

    General

    Name: PostgreSQL_Account
    Session recording: all
    Notes: PostgreSQL admin account

    Settings Tab: Type

    Account type: REGULAR

    Settings Tab: Target

    Server: PostgreSQL_Server (select from dropdown)

    Settings Tab: Credentials

    Replace secret with: Password
    Secret: Your PostgreSQL password
    Login: Your PostgreSQL login

    Password Changers Tab: General

    Password change policy: Static, without restrictions
  4. Click Save and Close.

Step 5: Create Safe

Configure access control and bind all components together.

  1. Navigate to Session Management > Safes

  2. Click Add Safe

  3. Configure the safe:

    General

    Name: PostgreSQL_Safe
    Blocked: ☐ Unchecked

    General Tab: Connection

    Login reason: ✓ Checked (optional, for audit trail)

    General Tab: Access

    OTP in Access Gateway: ✓ Checked
    Web Client: ☐ Unchecked
  4. Click Save and Close.

  1. Add users to the safe:

    1. Select Users tab

    2. Click Manage Users

    3. Find and add your user (e.g., John)

    4. Click Save

  2. Add account to the safe:

    1. Select Accounts tab

    2. Click Manage Accounts

    3. Find and add PostgreSQL_Account

    4. Click Save

  3. Assign listener to the account:

    1. Click in the Listeners column for PostgreSQL_Account

    2. Find and add PostgreSQL_Listener

    3. Click Save

  4. Click Save and Close


Establishing PostgreSQL Connection

Step 1: Access User Portal

Open your browser and navigate to the User Access Gateway address. Example:

https://10.31.134.220

Log in with the credentials set when creating the user in Step 2:

Login: john_smith
Password: john

Step 2: Get Connection Command

  1. Locate PostgreSQL_Account in the resources list

  2. Click on the Native client dropdown arrow

  3. You’ll see:

    • Fingerprint: Server identification hash

    • One Time Password: Valid for 5 minutes

    • Connection command: Ready-to-use psql command

Step 3: Connect Using psql

Copy the connection command and replace <database_name> with your target database:

# Template format
psql postgres://[OTP]:empty@10.31.134.220:5432/<database_name>

# Example: Connect to custom database
psql postgres://85156504qLOOtF4bWesSntHHvQoTIjED:empty@10.31.134.220:5432/myapp_db

Note

Important Connection Details:

  • The OTP (One-Time Password) expires after 5 minutes

  • Password field is always empty - authentication uses the OTP token

  • You MUST specify the database name at the end of the connection string
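
A pre-flight wrapper for the connection command above, added here as an example; it is not part of Fudo Enterprise or its documentation. It checks the three connection details from the note before the OTP leaves the workstation, and appends sslmode=require so psql cannot fall back to an unencrypted connection. The function name fudo_psql_uri, the "time the OTP was copied" argument and the restriction of database names to letters, digits, "_", "." and "-" are assumptions.

```shell
#!/bin/sh
# Added example (not Fudo tooling). Listener address and port are the values
# used in this guide; fudo_psql_uri and its arguments are hypothetical.
LISTENER_HOST="10.31.134.220"
LISTENER_PORT="5432"
OTP_LIFETIME=300   # seconds; the portal states the OTP is valid for 5 minutes

# fudo_psql_uri <portal-uri> <database> <otp-copied-epoch> [now-epoch]
# Prints a checked connection URI, or fails with a reason on stderr.
fudo_psql_uri() (
  uri=$1; db=$2; issued=$3; now=${4:-$(date +%s)}

  case $uri in
    postgres://*:empty@*:*/*) ;;
    *) echo "not a portal-style postgres:// URI" >&2; exit 2 ;;
  esac
  rest=${uri#postgres://}
  otp=${rest%%:*}                          # the user field carries the OTP
  endpoint=${rest#*@}; endpoint=${endpoint%%/*}
  host=${endpoint%:*}; port=${endpoint##*:}
  case $otp in
    ''|*[@/]*) echo "malformed OTP field" >&2; exit 2 ;;
  esac

  # Send the OTP only to the listener configured in Step 3.
  if [ "$host" != "$LISTENER_HOST" ] || [ "$port" != "$LISTENER_PORT" ]; then
    echo "unexpected endpoint $host:$port" >&2; exit 3
  fi

  # The database name is mandatory; "<database_name>" must have been replaced.
  # Assumption: any other character would need percent-encoding, so reject it.
  case $db in
    ''|*[!A-Za-z0-9_.-]*) echo "database name missing or invalid" >&2; exit 4 ;;
  esac

  for t in "$issued" "$now"; do
    case $t in
      ''|*[!0-9]*) echo "timestamps must be epoch seconds" >&2; exit 5 ;;
    esac
  done
  if [ $((now - issued)) -ge "$OTP_LIFETIME" ]; then
    echo "OTP is older than 5 minutes; request a new one" >&2; exit 5
  fi

  # libpq defaults to sslmode=prefer, which can fall back to plaintext;
  # require TLS so the OTP is never sent unencrypted.
  printf 'postgres://%s:empty@%s:%s/%s?sslmode=require\n' \
    "$otp" "$host" "$port" "$db"
)

# Usage: psql "$(fudo_psql_uri "$portal_uri" myapp_db "$copied_at")"
```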

