Re: pg_hba.conf

From: Marc Evans <Marc(at)SoftwareHackery(dot)Com>
To: Russell Smith <mr-russ(at)pws(dot)com(dot)au>
Cc: Tom Allison <tom(at)tacocat(dot)net>, pgsql-general(at)postgresql(dot)org
Subject: Re: pg_hba.conf
Date: 2006-11-20 12:22:46
Message-ID: 20061120072026.U59362@me.softwarehackery.com
Lists: pgsql-general


On Mon, 20 Nov 2006, Russell Smith wrote:

> Tom Allison wrote:
>> Russell Smith wrote:
>>> Tom Allison wrote:
>>>> Ran into a mystery that I can't seem to figure out....
>>>>
>>>>
>>>> I want to authenticate using SSL for all external IP addresses that I
>>>> have in my subnet. I also want to be able to authenticate via non-SSL
>>>> for localhost (not unix socket).
>>>>
>>>> I thought something like this would work:
>>>>
>>>> host all all 127.0.0.1/32 md5
>>>> hostssl all all 192.168.0.1/24 md5
>>>>
>>>> But I have a localhost client that can't log in because it keeps trying
>>>> to authenticate via SSL.
>>>>
>>>> What am I doing wrong? It seems simple enough.
>>> What command are you typing?
>>>
>>> #nonssl
>>> postgres$ psql -h localhost postgres
>>> #ssl
>>> postgres$ psql -h 192.168.1.1 postgres
>>>
>>
>> psql -h localhost
>>
>> My "other" client is actually postfix and that's also specified as
>> 'localhost'.
>>
>> I suppose you are going to tell me that there is a difference here?
>> I've always assumed you had to use network IP ranges, not DNS like names
>> (albeit localhost is a special case).
> All good, it makes no difference.
>
> try
> hostnossl all all 127.0.0.1/32 md5
>
> that should force non ssl for localhost connections, as long as there are no
> entries before this one for localhost.
>
> Hope that helps.

That is not necessarily true. Some OSes are now defaulting "localhost" to
::1, e.g. the IPv6 variant. Be certain that if you are in one of those
situations that you include the IPv6 address in your configuration, or take
whatever measures are necessary to ensure consistency.

- Marc
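
Added example (not part of the original message and not PostgreSQL's own code): a simplified first-match evaluation of pg_hba.conf records, showing why a client whose "localhost" resolves to ::1 matches none of the IPv4 records discussed in the thread. The ::1/128 record and the 192.168.0.57 client address are constructed for illustration; only host/hostssl/hostnossl records with CIDR addresses are modelled.

```python
import ipaddress

# Which connections each record type covers (True = SSL, False = non-SSL).
TYPE_ALLOWS = {"host": {True, False}, "hostssl": {True}, "hostnossl": {False}}

# Records from the thread, with the suggested hostnossl line first.
THREAD_CONFIG = """
hostnossl all all 127.0.0.1/32 md5
hostssl   all all 192.168.0.1/24 md5
"""
# Constructed for this example: the same file plus an IPv6 loopback record.
WITH_IPV6 = THREAD_CONFIG + "hostnossl all all ::1/128 md5\n"


def parse_hba(text):
    """Parse 'TYPE DATABASE USER ADDRESS METHOD' lines into rule tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ctype, db, user, addr, method = line.split()[:5]
        if ctype not in TYPE_ALLOWS:
            continue  # "local" (Unix socket) records are out of scope here
        # strict=False accepts a network written with host bits set,
        # such as the thread's 192.168.0.1/24.
        net = ipaddress.ip_network(addr, strict=False)
        rules.append((ctype, db, user, net, method))
    return rules


def first_match(rules, client_ip, ssl, db="postgres", user="postgres"):
    """Return the first record matching the connection, or None (rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        ctype, rdb, ruser, net, _method = rule
        if (ssl in TYPE_ALLOWS[ctype]
                and rdb in ("all", db) and ruser in ("all", user)
                and ip.version == net.version and ip in net):
            return rule
    return None


if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("with ::1", WITH_IPV6)):
        rules = parse_hba(cfg)
        for ip, ssl in (("127.0.0.1", False), ("::1", False), ("192.168.0.57", True)):
            hit = first_match(rules, ip, ssl)
            print(name, ip, "ssl" if ssl else "nossl", "->",
                  hit[0] + " " + str(hit[3]) if hit else "no record, rejected")
```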
