
Re: pg_hba.conf

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Dick Davies <rasputnik(at)hellooperator(dot)net>
Cc: PostgreSQL Admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: pg_hba.conf
Date: 2005-02-22 14:47:51
Message-ID: 20050222144751.GD22550@wolff.to
Lists: pgsql-admin
On Tue, Feb 22, 2005 at 11:56:41 +0000,
  Dick Davies <rasputnik(at)hellooperator(dot)net> wrote:
> 
> Just needed clarification on how pg_hba.conf operates.
> Does a specific host take precedence over a more general network setting?

No. The first line that matches the triple connection type, database name
and user name is the one that is used. Typically you can get what you
want by using the narrower rule first.

> The local socket is only accessible to a certain group, but I don't want
> the overhead of SSL for loopback connections. If I connect to the server 
> from the local machine, the connections show up as (eg) 10.2.3.4, the NIC
> ip.
> 
> I was hoping the more specific 'host' entry would take precedence over the universal
> 'hostssl' entry, but it doesn't seem to...

The host entry is the one that applies. But the host entry will allow either
ssl or nonssl, so it doesn't do what you want without cooperation from the
connecting client. You can use hostnossl to match without allowing ssl.
You will also want to use a hostssl line with 'reject' authentication
to keep the later rule from matching. I am not sure if all of the normal
clients will fall back to not using ssl after trying ssl. That should be
pretty easy to test though.

> 
> I have this:
> 
> root(at)eris:postgresql80-server$ cat /opt/pgsql/data/pg_hba.conf
> # TYPE     DATABASE    USER        IP-ADDRESS      METHOD
> local      all         all                         trust
> host       all         all         10.2.3.4/32     md5
> hostssl    all         all         0.0.0.0/0       md5
> 
> Is there a way to say 'all IP traffic should be encrypted except one IP' that
> I'm missing?
> 
> I know I could just add the local process into the dba group, but the app doesn't 
> reconnect if the socket goes away on a db restart, so that's not ideal...
> 
> 
> -- 
> 'That question was less stupid; though you asked it in a profoundly stupid way.'
> 		-- Prof. Farnsworth
> Rasputin :: Jack of All Trades - Master of Nuns
> 
> ---------------------------(end of broadcast)---------------------------
> TIP 7: don't forget to increase your free space map settings
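The first-match rule described in the reply, and the difference between `host`, `hostssl` and `hostnossl`, can be seen by walking a connection through both tables. The following is an added example, not code from the thread or from PostgreSQL itself: a small Python model of pg_hba.conf matching that handles only the subset of the format used here (the `local`/`host`/`hostssl`/`hostnossl` types, `all` or a single name for database and user, CIDR addresses, and a single method). The `ORIGINAL_HBA` table is the poster's file; `FIXED_HBA` is the arrangement the reply suggests (`hostnossl` for the one IP, a `hostssl ... reject` for the same IP so the catch-all below can never match it, then `hostssl` for everyone else). Both tables, the database name `app` and the user `dba` are constructed sample input.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample: the original poster's pg_hba.conf as quoted above.
ORIGINAL_HBA = """
# TYPE     DATABASE    USER        IP-ADDRESS      METHOD
local      all         all                         trust
host       all         all         10.2.3.4/32     md5
hostssl    all         all         0.0.0.0/0       md5
"""

# Constructed sample: the ordering suggested in the reply. Narrow rules first,
# and an explicit reject so the SSL catch-all never applies to 10.2.3.4.
FIXED_HBA = """
local      all         all                         trust
hostnossl  all         all         10.2.3.4/32     md5
hostssl    all         all         10.2.3.4/32     reject
hostssl    all         all         0.0.0.0/0       md5
"""


@dataclass
class Rule:
    conn_type: str                          # local | host | hostssl | hostnossl
    database: str                           # 'all' or one database name
    user: str                               # 'all' or one role name
    network: Optional[ipaddress.IPv4Network]  # None for 'local' rules
    method: str                             # trust | md5 | reject | ...


def parse_hba(text: str) -> List[Rule]:
    """Parse the simplified pg_hba.conf subset used in this thread."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()    # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == 'local':
            ctype, db, user, method = fields[:4]
            rules.append(Rule(ctype, db, user, None, method))
        else:
            ctype, db, user, addr, method = fields[:5]
            net = ipaddress.ip_network(addr, strict=False)
            rules.append(Rule(ctype, db, user, net, method))
    return rules


def type_matches(rule_type: str, conn_type: str, ssl: bool) -> bool:
    """conn_type is 'local' (unix socket) or 'tcp'; ssl says whether TLS is on."""
    if rule_type == 'local':
        return conn_type == 'local'
    if conn_type != 'tcp':
        return False
    if rule_type == 'host':
        return True          # plain 'host' accepts both SSL and non-SSL
    if rule_type == 'hostssl':
        return ssl
    if rule_type == 'hostnossl':
        return not ssl
    return False


def first_match(rules: List[Rule], conn_type: str, ssl: bool,
                addr: Optional[str], database: str, user: str) -> Optional[str]:
    """Return the method of the first rule matching the connection, as the
    server does; None means no rule matched and the connection is refused."""
    for r in rules:
        if not type_matches(r.conn_type, conn_type, ssl):
            continue
        if r.database != 'all' and r.database != database:
            continue
        if r.user != 'all' and r.user != user:
            continue
        if r.network is not None and ipaddress.ip_address(addr) not in r.network:
            continue
        return r.method      # first match wins; later rules are never consulted
    return None


if __name__ == '__main__':
    for name, table in (('original', ORIGINAL_HBA), ('fixed', FIXED_HBA)):
        rules = parse_hba(table)
        for ssl in (False, True):
            print(name, 'ssl=%s from 10.2.3.4 ->' % ssl,
                  first_match(rules, 'tcp', ssl, '10.2.3.4', 'app', 'dba'))
```

With the original table an SSL connection from 10.2.3.4 still gets `md5` through the `host` line, which is why the poster could not force plaintext from the rule alone; with the reordered table the same connection hits `reject`, and a client that falls back to non-SSL then matches the `hostnossl` line. Swapping the `hostssl 0.0.0.0/0` line above the narrower rules would make it shadow them, which is the ordering point from the reply.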
