Skip to content


dbproxy is a database proxy running in front of the PostgreSQL database. It receives validated requests from the broker, translates them to SQL, hits the database and returns the result.

In a production environment, dbproxy should run on a dedicated machine which is ideally the same machine the PostgreSQL server is running on. We will provide more on the production configuration soon.

For now, as basebox is not production ready yet, dbproxy is run in a terminal window.

Command Line Parameters

To see dbproxy's command line arguments, call it with the --help switch:

 ./dbproxy --help
This is dbproxy, basebox' secure database proxy server.

Usage: dbproxy [OPTIONS]

  -c, --config-file <CONFIG_FILE>
          Path and file name of the configuration file

  -d, --dump-default-config
          Dump default config file to stdout and quit

  -h, --help
          Print help (see a summary with '-h')

  -V, --version
          Print version

As you can see, there is not much to be defined here as all the configuration is set in the configuration TOML file.

To run dbproxy with a config file:

./dbproxy -c /path/to/dbproxy-config.toml

Example Configuration File

You can create a default dbproy configuration file and use it as a starter for your own configuration by running dbproxy with the -d switch; so to create a config file template, just run:

./dbroxy -d > config.toml

This will create a file named config.toml in the current directory with the default configuration.

Here is the current version:

# log level; can be error, warn, info, debug, trace
log_level = "info"

# Key stores can be configured either via URL (in several ways, see below), or
# by using a local file. Local file configuration prevents network requests,
# thus facilitating strongly firewalled deployments. It can also help in a
# containerized scenario where the IdP issuer field might conflict between
# frontend/client and backend(s):
# From a user point of view, broker and IdP might both be running on `localhost`
# (or any other network hostname), but inside the container network the IdP is
# reachable only under its container name (e.g. `idp` or `keycloak`).
# While this can be mitigated by manually editing hosts files or deploying a
# DNS, file-based key store configuration is more straightforward.
# To populate a local key store file, simply download the JWKS data from your IdP, e.g.
# jwks_file = "/path/to/certs.json"
# URL of IdP's discovery endpoint. If not set, the URL is made up by appending
# ".well-known/openid-configuration" to the `iss` field.
# discovery_url = ""
# URL of IdP's public keystore. If set, the discovery endpoint is not used at all.
# jwks_url = ""

# Access token validation:
# Contents of 'iss' field, usually the URL of the authentication realm
iss = ""
# Contents of the 'aud' field for access tokens; for Keycloak, this defaults to 'account';
# for Auth0, this is the value of the Default Audience field in your Tenant settings.
aud = "account"

# path and file name to GraphQL schema file
schema_file = "/path/to/schema_file.graphql"
# Path and file name of the resolver map file
resolver_map_file = "/path/to/resover_file.toml"
# Path and file name of the type map file
type_map_file = "/path/to_type_map_file.json"

# Type of database; currently, only "postgres" is supported
db_type = "postgres"
# The host where the DB server is running; do not set for PostgreSQL peer authentication mode
# host = "localhost"
# Port the DB server is listening at
# port = 5432
# Database name
db_name = "todo5"

# Username and password are optional and should not be set, because if unset, basebox
# will use peer authentication, which does not require a password to be specified in
# the configuration.
# User name
# username = "db-user"
# Password
# password = "oerhg eghouerghioehgioep "

# Host name or IP address of the network interface dbproxy should listen on for requests.
# Use "" for all interfaces, an IP address for a specific interface or
# "" for local requests.
host = ""

# Port number; default is 80 for http, 443 for https
port = 8081

# Maximum allowed HTTP request size in bytes; default is 256k
# max_request_size = 262144

# number of HTTP server threads to spawn; default is one per CPU core
# workers = 2

# Path and file name of TLS/SSL key file
# tls_key_file = "/path/to/key.pem"

# Path and file name of TLS certificate (chain) file
# tls_cert_file = "/path/to/cert.pem"

More on the configuration options can be found in dbproxy's reference.