Re: PostgreSQL on Amazon EC2/EBS

From: Michael Swierczek <mike(dot)swierczek(at)gmail(dot)com>
To: Soviet <soviet1337(at)gmail(dot)com>
Cc: pgsql-novice(at)postgresql(dot)org
Subject: Re: PostgreSQL on Amazon EC2/EBS
Date: 2011-07-29 18:49:43
Message-ID: CAHp1f1Mzi8ojkrr_O6YX3nu3gharz34PkuZ3j-C+19ram695tw@mail.gmail.com
Lists: pgsql-novice

On Fri, Jul 29, 2011 at 1:57 PM, Soviet <soviet1337(at)gmail(dot)com> wrote:
> Hey!
> I'm trying to install PostgreSQL 8.4 on my Amazon instance. I've found
> this guide: http://tinyurl.com/y2tcmd8 . Can someone take a look at it
> and check if I won't break anything following this article?
>
> I'm especially concerned about this XFS file system. I've already
> installed a bunch of stuff on this instance. Will adding XFS break
> something?
>
> Second question: I'm supposed to add my IP in the pg_hba.conf file. But
> what if I have a dynamic IP? I certainly can't change it every time I
> want to connect to my database. What if I put 0.0.0.0/0 there? Is it
> a very bad practice?

If you are logged in to the machine remotely, you will be using a
local connection, so you can leave the security settings at their
defaults.

If you are connecting to the database remotely, you need some way to
encrypt the connection so it cannot be read in transit by packet
sniffer software, because by default the data is transmitted in plain
text.

The PostgreSQL documentation on setting up SSL between the client and
server is here:
http://www.postgresql.org/docs/current/static/ssl-tcp.html

If you use SSL with client and server side certificates, I believe you
can allow connection attempts to the server from any remote IP. As
long as you keep your client certificate private key secret, no one
who lacks your client private key should be able to connect remotely.

With SSH you can create an encrypted tunnel between the machine
running the PostgreSQL client and the EC2 instance hosting the server,
and then send the database traffic through the tunnel. The preferred
way to use SSH is with shared private keys, which I believe
effectively gives you the same level of security as SSL with
certificates on both sides. The SSH encrypted tunnel provides a
connection that looks like it is local to PostgreSQL, so in that case
you can leave PostgreSQL's own settings at the defaults.

However, I am not a security professional and I'm sure there are other
people on this list with superior knowledge.
Good luck.

-Mike Swierczek

>
> Thanks in advance for taking time to answer my noobish questions :).
>
> --
> Sent via pgsql-novice mailing list (pgsql-novice(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-novice
>
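
An added example, not part of the original message or of the PostgreSQL documentation: a small Python check over a constructed pg_hba.conf that flags rules open to every address (the 0.0.0.0/0 case asked about) unless they are `hostssl` with the `cert` method, the combination the reply describes. The sample file, function names and finding messages are assumptions made for illustration, and only numeric addresses are handled.

```python
import ipaddress

# Constructed sample pg_hba.conf, not taken from the thread.
SAMPLE_HBA = """\
# TYPE    DATABASE  USER  ADDRESS         METHOD
local     all       all                   ident
host      all       all   127.0.0.1/32    md5
host      all       all   0.0.0.0/0       md5
hostssl   all       all   0.0.0.0/0       md5
hostssl   all       all   0.0.0.0/0       cert
host      all       all   0.0.0.0 0.0.0.0 trust
"""

def parse_rule(line):
    """Return (type, network, method) for a TCP rule, or None for other lines."""
    fields = line.split("#", 1)[0].split()
    if not fields or fields[0] not in ("host", "hostssl", "hostnossl"):
        return None
    conn_type, addr, rest = fields[0], fields[3], fields[4:]
    if "/" not in addr:                    # "address netmask" column form
        addr, rest = addr + "/" + rest[0], rest[1:]
    return conn_type, ipaddress.ip_network(addr, strict=False), rest[0]

def audit(text):
    """Report rules open to every address, with the risk each one carries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule[1].prefixlen != 0:
            continue                       # not a TCP rule, or not world-open
        conn_type, _, method = rule
        if conn_type != "hostssl":         # "host" also matches non-SSL clients
            findings.append((lineno, "plaintext connections allowed from any address"))
        elif method != "cert":
            findings.append((lineno, "TLS, but no client certificate required"))
    return findings

if __name__ == "__main__":
    for lineno, problem in audit(SAMPLE_HBA):
        print(f"line {lineno}: {problem}")
```

With the SSH tunnel approach from the reply, none of the world-open rules are needed, because the server only sees connections from 127.0.0.1.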
