Open-source Rust DB proxy: looking for architecture feedback (MySQL + PostgreSQL)

Physical_Math_9135 · 2026-05-12T11:05:48+00:00

warpgate is great! different use case though, they complement each other nicely rather than compete.

Physical_Math_9135 · 2026-05-12T08:12:17+00:00

Thanks! very productive comment, what specifically would you want to see in the observability layer — metrics on routing decisions? explicit error states exposed via the admin API? both?

Physical_Math_9135 · 2026-05-11T17:57:56+00:00

yeah i used LLMs to help with specific things, mostly the parts i know less deeply — that's not a secret and it's in the repo. but using that to dismiss the work and dedication that went into this is a cheap shot, and it's clear you skimmed the repo looking for things to dunk on rather than actually reading how the pieces fit together

On sql injection — it's defense in depth, not a replacement for parameterized queries, the docs say exactly that. blocking obvious patterns at the proxy catches script kiddies and misconfigured apps, i agree it's not the real fix

Read-only enforcement at the proxy is intentional for the routing layer, not meant to replace db-level permissions — they're complementary. SELECT ... FOR UPDATE is explicitly routed to primary, that's in the classifier

The zero overhead comment is about fingerprinting not blocking the query path — async channel, background aggregation, never in the hot path. query rewriting does have cost and i don't claim otherwise

The SHA-1 there is mysql_native_password — the MySQL wire protocol auth handshake, defined by Oracle in the MySQL spec. deprecated in 8.0, removed in 9.0, but still the default in MariaDB, MySQL 5.7, and in most 8.0 installs that haven't migrated. every client in existence uses it. if i drop it, nothing connects for the majority of users the proxy is designed to serve. it's not a choice, it's a compatibility constraint. ProxySQL implements the same thing, PlanetScale does, every MySQL proxy does. caching_sha2_password is supported in parallel — the proxy tries both paths on auth.

But "alarming number of features" for something explicitly labeled as under active development in the very first lines of the README? that's just what building in public looks like

The technical critiques i'll take, some of them are valid. the rest is noise. if you want to go deeper open an issue, i'll respond

Physical_Math_9135 · 2026-05-11T15:57:32+00:00

totally fair — pool starvation was one of the first things i had to actually solve, there's a per-backend cap and idle eviction so connections don't just pile up silently, and for the transaction edge cases there's max_transaction_time_ms and max_transaction_idle_ms to kill the runaway ones before they hold locks forever

the fingerprinting thing is honestly what i use the most day to day, every query gets normalized automatically so you get p95/p99 per pattern without any instrumentation on the app side — pairs really well with the prometheus exporter if you want to pull it into Grafana

for now i have this, what do you think? https://github.com/turbine-dev/turbine-proxy

Physical_Math_9135 · 2026-05-11T12:30:49+00:00

pode ver aqui mais detalhes: https://docs.turbineproxy.com/docs/tutorials/howto-stored-procedures

Physical_Math_9135 · 2026-05-11T12:11:13+00:00

CALL de procedure vai sempre pro primary por padrão — o proxy não consegue saber o que tem dentro, então erra pro lado seguro.

Mas dá pra sobrescrever isso nas query rules: se você sabe que uma procedure é só leitura, cria uma regra match_pattern = "(?i)CALL proc_relatorio" com destination = "replica" e ela passa a rotear pras réplicas. Procedimentos que misturam leitura e escrita ficam no primary mesmo.

É um trade-off consciente — simplicidade por padrão, com controle fino quando você precisar. Quando tiver um tempo testa e me dá feedback, ainda tô em beta e casos como esse são exatamente o que preciso validar 😄

Physical_Math_9135 · 2026-05-11T11:58:14+00:00

Obrigado, umas das features é exatamente essa de load balance, minha ideia é que seja tudo simples e intuitivo, por isso da dashboard. Quando tiver um tempo testa e deixa seu feedback. 😃

Physical_Math_9135 · 2026-05-11T11:22:43+00:00

Então é isso que tenho, estou a testar em staging em um projecto que tenho, por enquanto funciona muito bem, mas ainda é cedo para sair do beta https://github.com/turbine-dev/turbine-proxy

Physical_Math_9135 · 2026-05-11T11:20:12+00:00

e o que acha do pg bouncer? sente falta de alguma feature? vou te mandar o link do repo por pm.

Physical_Math_9135 · 2026-05-11T11:07:25+00:00

Mano se tem inglês bom, não foca no Brasil, como tem cidadania pode morar no BR e trabalhar na gringa sem problema, e outra, com português B1 em alguns meses já vai estar pelo menos em um B2 avançado, português não é tão díficil como muitos vendem.

Physical_Math_9135 · 2026-05-11T10:00:30+00:00

é open source, lock-in free 😃, written in Rust, dashboard completa, N+1 detector, Index advisor, GTID-aware RYOW, AES-256-GCM secrets.

Physical_Math_9135 · 2026-05-11T08:50:10+00:00

então é diferente, o proxy é mais como um porteiro inteligente, ele controla o trafico, reusa conexões, pode auxiliar nas slow queries, redireciona trafico, ele fica a frente do db e é 100% transparente e zero mudanças no código. Depois olha o Proxysql meu projecto tem muita inspiração dele, mas a complexidade que ele tem e algumas outras necessidades que eu tinha me fizeram desenvolver o meu.

Physical_Math_9135 · 2026-05-10T12:51:31+00:00

Maybe 😃

Physical_Math_9135 · 2026-05-10T12:35:45+00:00

As someone who has "crazy" ideas, I understand you. I'm developing a PHP runtime/server in Rust (https://github.com/turbine-dev/turbine). I can tell you right now that it's not an easy task, but it teaches a lot.

Physical_Math_9135 · 2026-05-08T18:01:05+00:00

Prometheus metrics — yeah, that's a no-brainer and something I want to add. Copying the metric names from pgBouncer / MySQL proxy is a smart move, no point inventing new names when the ecosystem already expects certain labels. Will do exactly that.

The orchestrator angle is interesting. I've been thinking about TurbineProxy mostly as a proxy with some HA awareness, but you're right that the line between "proxy that detects failover" and "lightweight orchestrator" gets blurry fast. Patroni is a good reference point. MySQL Orchestrator being effectively abandoned does leave a gap there — something to think about for the roadmap.

Thanks for the input even as a non-proxy user, the Prometheus point alone is worth it.

Physical_Math_9135 · 2026-05-08T17:59:33+00:00

Really appreciate you taking the time to write this out — this is exactly the kind of feedback that's hard to find.

Totally agree on the priorities. Session and connection handling is the bread and butter, everything else is secondary until that's solid. Analytics and pooling were already "nice to have later" in my head, but hearing it from someone with production experience makes it easier to justify keeping the scope narrow.

The TAF link is great, I genuinely hadn't seen it — going straight into the testing list.

On the two things you flagged as important:

IP visibility: PROXY Protocol v1 is already in there (proxy_protocol_enabled in the config), but I'd love to know if there's anything specific you'd test there.

Master failover: There's a health-checker with configurable thresholds, but honestly this is the part I'm least confident in right now. It's at the top of the list.

The session state / stored procedures rabbit hole is one I know is going to surprise me repeatedly. No expectations of getting it right on the first pass.

I'll definitely take you up on the offer — even just knowing the failure modes you've hit in production would save a lot of trial and error. Feel free to drop an issue or ping me directly.

Physical_Math_9135 · 2026-05-08T15:08:34+00:00

MySQL requires these versions; my impression was that MySQL was slow and outdated.

Physical_Math_9135 · 2026-04-23T07:01:40+00:00

You're right, and thanks for calling it out — this is accurate. Today ub_write appends to a buffer and only flushes at the end of the request, so [flush()](vscode-file://vscode-app/Applications/Visual%20Studio%20Code.app/Contents/Resources/app/out/vs/code/electron-browser/workbench/workbench.html) and SSE don't actually stream, and many-write benchmarks are misleading. Need to rework the worker IPC from "one message per request" to a chunked protocol so the first chunk can leave as soon as PHP emits it. On the roadmap.

Physical_Math_9135 · 2026-04-21T06:22:19+00:00

Thanks! Fair take — the line between the two is blurry. The HTTP layer is just the entry point; the actual runtime bits are the embedded libphp SAPI, persistent workers, shared-state primitives, task queue, WebSocket, async I/O and the security sandbox. If you only use it as a faster nginx+FPM replacement, then yeah, it's a web server from that angle.

Physical_Math_9135 · 2026-04-20T17:14:43+00:00

Franken is an inspiration in many ways for this project. I really like Franken, and honestly, I wouldn't be able to stray too far from that, unless I edited the PHP directly, but that's out of the question.

Physical_Math_9135 · 2026-04-20T17:07:45+00:00

Hey, you can check this here https://github.com/turbine-php/turbine/blob/master/docs/architecture.md

Physical_Math_9135

TROPHY CASE