Re: pg_hba.conf

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Bruno Wolff III <bruno(at)wolff(dot)to>
Cc: Dick Davies <rasputnik(at)hellooperator(dot)net>,PostgreSQL Admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: pg_hba.conf
Date: 2005-02-22 15:18:38
Lists: pgsql-admin

Bruno Wolff III <bruno(at)wolff(dot)to> writes:
> The host entry is the one that applies. But the host entry will allow either
> ssl or nonssl, so it doesn't do what you want without cooperation from the
> connecting client. You can use hostnossl to match without allowing ssl.
> You will also want to use a hostssl line with 'reject' authentication
> to keep the later rule from matching. I am not sure if all of the normal
> clients will fall back after trying ssl to not using ssl. That should be
> pretty easy to test though.

Perhaps easier would be to set "PGSSLMODE=allow" (or even "disable") in
the client environment.  This will work for libpq-based clients; there
may be something equivalent if you are using other software.

The important point here is that it's the client's choice whether to try
an SSL connection first or not, and libpq defaults to trying SSL first.
So unless you set up pg_hba.conf to actively reject SSL-based
connections, that's what you're going to get.

Also: why aren't you just using a Unix socket?  We never do SSL over
Unix sockets.

			regards, tom lane
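
Added example (not part of the original message, and not PostgreSQL code): a simplified Python model of the behaviour discussed in this thread, first-match evaluation of pg_hba.conf records combined with the order in which a libpq client tries SSL for each sslmode. It assumes an SSL-enabled server; the addresses, the md5 method and the rule order are constructed, and database/user matching is not modelled.

```python
# Simplified model: pg_hba.conf first-match rules vs. libpq sslmode attempts.
# All sample records below are constructed for illustration.
import ipaddress

# Order of connection attempts per sslmode (True = SSL attempt).
# Simplified from libpq's documented sslmode semantics.
SSLMODE_ATTEMPTS = {
    "disable": [False],
    "allow": [False, True],
    "prefer": [True, False],   # libpq default: SSL is tried first
    "require": [True],
}

def parse_hba(text):
    """Parse 'type database user address method' lines, skipping comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5:
            rules.append(fields)
    return rules

def first_match(rules, ssl, client_ip):
    """Return the method of the first record matching this TCP attempt."""
    ip = ipaddress.ip_address(client_ip)
    for conn_type, _db, _user, address, method in rules:
        type_ok = (conn_type == "host"
                   or (conn_type == "hostssl" and ssl)
                   or (conn_type == "hostnossl" and not ssl))
        if type_ok and ip in ipaddress.ip_network(address):
            return method      # first match wins; later records are ignored
    return "reject"            # no matching record: connection refused

def connect(rules, sslmode, client_ip):
    """Return (used_ssl, method) for the first attempt the server lets through."""
    for ssl in SSLMODE_ATTEMPTS[sslmode]:
        method = first_match(rules, ssl, client_ip)
        if method != "reject":
            return ssl, method
    return None, "reject"

# Constructed sample files.
PLAIN_HOST = "host all all 127.0.0.1/32 md5\n"
NOSSL_ONLY = """
hostssl   all all 127.0.0.1/32 reject   # stop SSL attempts from localhost here
hostnossl all all 127.0.0.1/32 md5
host      all all 0.0.0.0/0    md5      # later rule, never reached for localhost
"""
```

With the plain `host` record a default (`prefer`) client ends up on SSL; with the `hostssl ... reject` record in front, the same client is pushed to the non-SSL attempt, and a `require` client is refused.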
