Database Proxy

Enterprise Coming Soon

Secure, audited database access through RedFox. No direct database exposure, full query logging and role-based restrictions.

Status: Code written and compiles. Currently in internal testing — not yet available in production builds.

Supported databases

PostgreSQL

Wire protocol proxy. Supports prepared statements, transactions, SSL. Versions 12+.

MySQL

MySQL wire protocol. Supports COM_QUERY and prepared statements. MySQL 5.7+ and MariaDB 10.3+.

MSSQL

TDS protocol proxy. SQL Server 2016+ with Windows and SQL authentication.

Query audit

Full query logging

Every SQL query is captured, timestamped and attributed to the authenticated user. Queries are stored in the WORM audit log — immutable and tamper-proof.

Query filtering

Define policies to block dangerous queries: DROP, TRUNCATE, DELETE without WHERE. Policies are configurable per role and per database.

Sensitive data masking

Configure column-level masking rules. Sensitive fields (PII, financial data) are redacted in query results for non-privileged users.

Configuration

  1. Add a database target — Navigate to Targets → Add Target, select "Database", choose the engine (PostgreSQL, MySQL, MSSQL), enter the connection details.
  2. Store credentials — Add database credentials to the vault. Each user role can map to a different database user with different privileges.
  3. Define query policies — Under Settings → Database Policies, configure which SQL statement types are allowed per role.
  4. Connect — Users connect through RedFox using their standard database client (psql, mysql, ssms) pointed at the RedFox proxy endpoint, or via the built-in web SQL console.

Security

  • Database servers are never exposed directly — only RedFox connects to them
  • Database credentials are stored encrypted in the vault (AES-256-GCM) and injected at connection time
  • All queries are logged immutably in the WORM audit trail
  • Query policies prevent accidental or malicious data destruction
  • Password rotation integrates with the database proxy for zero-downtime credential changes

Need help with database proxy configuration? Contact [email protected]. For Enterprise licensing, reach out to [email protected].