Postgres Binary Protocol Proxying with Open Policy Agent (OPA)

The query hit the database hard. You watch rows stream back, but this time every packet is inspected, every byte judged. Open Policy Agent (OPA) is sitting in the middle, enforcing rules before Postgres even replies. This is Postgres Binary Protocol proxying with OPA—fast, precise, uncompromising.

Most access control in Postgres happens at the SQL or application layer. That leaves a gap. Protocol-level proxying closes that gap by intercepting all traffic between clients and the database. With OPA wired in, you can apply declarative policies to the raw Postgres Binary Protocol, not just to SQL statements. Policies are written in Rego and evaluated in real time against each message: authentication requests, prepared queries, transaction commands, even low-level protocol details.

Why proxy at the binary protocol level?

  • You avoid relying on the database’s role system alone.
  • You can enforce consistent rules across microservices and tools hitting Postgres.
  • You can block or transform queries before they reach the database.
  • You can record detailed context from every connection for audit and compliance.

An OPA-powered Postgres proxy sits between the client and the database. It decodes the binary protocol, passes the relevant fields of each message to OPA as the policy input, and enforces the decision OPA returns: allow, deny, or a rewritten message that the proxy forwards in place of the original. This architecture makes policy enforcement transparent to applications. No changes in client code. No rewriting queries. The proxy handles protocol parsing, routing, and control.

Integrating this takes three main steps:

  1. Deploy a Postgres binary protocol proxy with hooks for decision API calls.
  2. Connect those hooks to an OPA instance loaded with your Rego policies.
  3. Test with realistic workloads to verify latency, throughput, and correctness.

Performance matters. The Postgres protocol is efficient; your proxy must match it. Use streaming parsing to minimize buffering. Keep OPA policy evaluation tight by reducing external data lookups and preloading needed context. Combine allow/deny checks with logging for traceability.
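The architecture described above (decode the wire protocol, hand OPA a document, enforce its decision), the three integration steps, and the streaming-parsing advice, as an added example that is not hoop.dev's code or OPA's: a Python framer for Postgres frontend messages that tolerates reads ending mid-frame, decodes the StartupMessage and the SQL carried by simple Query and extended-protocol Parse messages, builds the JSON input OPA's Data API would receive, and evaluates it against an offline stand-in for an illustrative Rego policy. The policy text, the `reader` and `writer` roles, the sample traffic and the `/v1/data/postgres/allow` path are assumptions made for this example; OPA's Data API shape (`POST /v1/data/<path>` with an `input` document, answered with a `result`) is OPA's own.

```python
# Added example (not hoop.dev or OPA code): Postgres message framing plus the per-message decision hook.
import json
import struct
PROTOCOL_V3 = 196608   # version code carried by a protocol-3.0 StartupMessage
SSL_REQUEST = 80877103  # code of the untyped SSLRequest a client may send first

class Framer:
    """Yields whole messages from the client byte stream as each read arrives; a read
    that ends mid-frame is held until the rest comes in, so no whole-request buffer is needed."""
    def __init__(self):
        self.buf = bytearray()
        self.started = False  # False until the untyped StartupMessage is seen

    def push(self, data):
        """Append client bytes; return complete (type, body) pairs, type None = untyped."""
        self.buf += data
        out = []
        while True:
            off = 1 if self.started else 0  # typed messages lead with a type byte
            if len(self.buf) < off + 4:
                return out
            (n,) = struct.unpack_from("!I", self.buf, off)  # int32 length, counts itself
            if n < 4 or n > 1 << 30:
                raise ValueError(f"invalid message length {n}")
            if len(self.buf) < off + n:
                return out  # partial frame: wait for the next read
            typ = chr(self.buf[0]) if self.started else None
            body = bytes(self.buf[off + 4 : off + n])
            del self.buf[: off + n]
            if typ is None and body[:4] != struct.pack("!I", SSL_REQUEST):
                self.started = True  # anything but an SSLRequest ends the untyped phase
            out.append((typ, body))

def startup_params(body):
    """Decode the key/value pairs (user, database, ...) of a 3.0 StartupMessage."""
    if body[:4] != struct.pack("!I", PROTOCOL_V3):
        raise ValueError("not a protocol 3.0 StartupMessage")
    fields = body[4:].split(b"\x00")  # key, value, ..., then an empty terminator
    return {k.decode(): v.decode() for k, v in zip(fields[::2], fields[1::2]) if k}

def query_text(typ, body):
    """SQL carried by a simple Query ("Q") or extended-protocol Parse ("P"), else None."""
    if typ == "Q":  # body: query\0
        return body.rstrip(b"\x00").decode()
    if typ == "P":  # body: statement_name\0 query\0 int16 parameter count ...
        parts = body.split(b"\x00", 2)
        return parts[1].decode() if len(parts) > 1 else None
    return None

def opa_input(params, typ, body):
    """Document the proxy POSTs to OPA's Data API, e.g. POST /v1/data/postgres/allow."""
    inp = {"user": params.get("user"), "database": params.get("database"), "message_type": typ}
    sql = query_text(typ, body)
    if sql is not None:
        inp["query"] = sql  # omitted when no SQL is present, so `not input.query` holds
    return {"input": inp}

# Illustrative Rego (not shipped by hoop.dev or OPA) that local_decide() mirrors.
POLICY = """
package postgres
import rego.v1
default allow := false
allow if not input.query  # Bind, Execute, Sync, Terminate ... carry no SQL to judge
allow if input.user == "writer"
allow if { input.user == "reader"; startswith(lower(trim_space(input.query)), "select") }
"""

def local_decide(doc):
    """Offline stand-in for POSTing doc to OPA and reading {"result": true|false}."""
    inp = doc["input"]
    if "query" not in inp or inp["user"] == "writer":
        return True
    return inp["user"] == "reader" and inp["query"].strip().lower().startswith("select")

def frame(typ, body):
    """Encode a frontend message as a client sends it (typ None = untyped startup)."""
    return (typ.encode() if typ else b"") + struct.pack("!I", 4 + len(body)) + body

def run_session(chunks):
    """Proxy-side loop over successive client reads; returns [(opa_input doc, allowed)]."""
    framer, params, decisions = Framer(), {}, []
    for chunk in chunks:
        for typ, body in framer.push(chunk):
            if typ is None:
                if body[:4] != struct.pack("!I", SSL_REQUEST):  # SSLRequest: reply b"N" instead
                    params = startup_params(body)
                continue  # startup and authentication are relayed, not policy-checked here
            doc = opa_input(params, typ, body)
            decisions.append((doc, local_decide(doc)))
    return decisions

# Constructed sample traffic: startup as "reader", a SELECT, a Parse of a DELETE and a Sync,
# delivered in two reads split inside the first message to exercise the partial-frame path.
STREAM = (frame(None, struct.pack("!I", PROTOCOL_V3) + b"user\x00reader\x00database\x00app\x00\x00")
          + frame("Q", b"select * from orders\x00") + frame("P", b"\x00DELETE FROM orders\x00\x00\x00")
          + frame("S", b""))

if __name__ == "__main__":
    for doc, allowed in run_session([STREAM[:7], STREAM[7:]]):
        print(json.dumps(doc), "->", "forward" if allowed else "reject")
```

Running it prints the three post-startup messages with their decisions: the SELECT is forwarded, the DELETE is rejected even though it arrives inside an extended-protocol Parse message rather than a simple Query string, and the Sync passes because it carries no SQL to judge. On a reject a proxy would answer the client with an ErrorResponse instead of relaying the message; the `input` document it logs alongside the decision is the audit record the page describes.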

With this setup, you gain centralized, consistent control over every Postgres interaction, even from tools and scripts you didn’t write. This is fine-grained security, defined in code, deployed at the protocol level, and enforced in real time.

You can see this live in minutes. Visit hoop.dev and run a Postgres Binary Protocol proxy backed by OPA—no guesswork, no waiting, just results you control.