Skip to content


dbproxy is a database proxy running in front of the PostgreSQL database. It receives validated requests from the broker, translates them to SQL, hits the database and returns the result.

In a production environment, dbproxy should run on a dedicated machine which is ideally the same machine the PostgreSQL server is running on. We will provide more on the production configuration soon.

For now, as basebox is not production ready yet, dbproxy is run in a terminal window.

Command Line Parameters

To see dbproxy's command line arguments, call it with the --help switch:

 ./dbproxy --help
This is dbproxy, basebox' secure database proxy server.

Usage: dbproxy [OPTIONS]

  -c, --config-file <CONFIG_FILE>
          Path and file name of the configuration file

  -d, --dump-default-config
          Dump default config file to stdout and quit

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

As you can see, there is not much to be defined here as all the configuration is set in the configuration TOML file.

To run dbproxy with a config file:

./dbproxy -c /path/to/dbproxy-config.toml

Example Configuration File

You can create a default dbproy configuration file and use it as a starter for your own configuration by running dbproxy with the -d switch; so to create a config file template, just run:

./dbroxy -d > config.toml

This will create a file named config.toml in the current directory with the default configuration.

Here is the current version:

# log level; can be error, warn, info, debug, trace
log_level = "info"

# URL of IdP's discovery endpoint. If not set, the URL is made up by appending
# ".well-known/openid-configuration" to the id_token_validation.iss field.
discovery_url = ""

# URL of IdP's public keystore. If set, the discovery endpoint is not used at all.
jwks_url = ""

# Incoming OpenID Connect tokens are validated using, among other, the following fields.
# Contents of 'iss' field, usually the URL of the authentication realm
iss = ""

# Contents of the 'aud' field for access tokens; for Keycloak, this defaults to 'account'
aud = "account"

# path and file name to GraphQL schema file
schema_file = "/path/to/schema_file.graphql"
# Path and file name of the resolver map file
resolver_map_file = "/path/to/resover_file.toml"
# Path and file name of the type map file
type_map_file = "/path/to_type_map_file.json"

# Type of database; currently, only "postgres" is supported
db_type = "postgres"
# The host where the DB server is running; do not set for PostgreSQL peer authentication mode
# host = "localhost"
# Port the DB server is listening at
# port = 5432
# Database name
db_name = "todo5"

# Username and password are optional and should not be set, because if unset, basebox
# will use peer authentication, which does not require a password to be specified in
# the configuration.
# User name
# username = "db-user"
# Password
# password = "oerhg eghouerghioehgioep "

# Host name or IP address of the network interface dbproxy should listen on for requests.
# Use "" for all interfaces, an IP address for a specific interface or
# "" for local requests.
host = ""

# Port number; default is 80 for http, 443 for https
port = 8081

# number of HTTP server threads to spawn; default is one per CPU core
# workers = 2

# Path and file name of TLS/SSL key file
# cert_key_file = "/path/to/key.pem"

# Path and file name of TLS certificate (chain) file
# cert_file = "/path/to/cert.pem"

More on the configuration options can be found in dbproxy's reference.

Last update: 2023-11-06