Re: pg_hba.conf

Lists: pgsql-admin
From: KÖPFERL Robert <robert(dot)koepferl(at)sonorys(dot)at>
To: PostgreSQL Admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: pg_hba.conf
Date: 2005-02-22 12:21:51
Message-ID: ED4E30DD9C43D5118DFB00508BBBA76EB165D6@neptun.sonorys.at

According to the excellent doc, the _first_ matching entry will be used.

C:\> -----Original Message-----
C:\> From: Dick Davies [mailto:rasputnik(at)hellooperator(dot)net]
C:\> Sent: Tuesday, 22 February 2005 12:57
C:\> To: PostgreSQL Admin
C:\> Subject: [ADMIN] pg_hba.conf
C:\>
C:\>
C:\>
C:\> Just needed clarification on how pg_hba.conf operates.
C:\> Does a specific host take precedence over a more general
C:\> network setting?
C:\>
C:\> The local socket is only accessible to a certain group,
C:\> but I don't want
C:\> the overhead of SSL for loopback connections. If I connect
C:\> to the server
C:\> from the local machine, the connections show up as (eg)
C:\> 10.2.3.4, the NIC
C:\> ip.
C:\>
C:\> I was hoping the more specific 'host' entry would take
C:\> entry over the universal
C:\> 'hostssl' entry, but it doesn't seem to...
C:\>
C:\> I have this:
C:\>
C:\> root(at)eris:postgresql80-server$ cat /opt/pgsql/data/pg_hba.conf
C:\> # TYPE DATABASE USER IP-ADDRESS METHOD
C:\> local all all trust
C:\> host all all 10.2.3.4/32 md5
C:\> hostssl all all 0.0.0.0/0 md5
C:\>
C:\> Is there a way to say 'all IP traffic should be encrypted
C:\> except one IP' that
C:\> I'm missing?
C:\>
C:\> I know I could just add the local process into the dba
C:\> group, but the app doesn't
C:\> reconnect if the socket goes away on a db restart, so
C:\> that's not ideal...
C:\>
C:\>
C:\> --
C:\> 'That question was less stupid; though you asked it in a
C:\> profoundly stupid way.'
C:\> -- Prof. Farnsworth
C:\> Rasputin :: Jack of All Trades - Master of Nuns
C:\>


From: Dick Davies <rasputnik(at)hellooperator(dot)net>
To: PostgreSQL Admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: pg_hba.conf
Date: 2005-02-22 13:26:15
Message-ID: 20050222132615.GS66519@eris.tenfour

* KÖPFERL Robert <robert(dot)koepferl(at)sonorys(dot)at> [0228 12:28]:
> According to the excellent doc, the _first_ matching entry will be used.

If that were true, the below would work, surely?

> C:\> I have this:
> C:\>
> C:\> root(at)eris:postgresql80-server$ cat /opt/pgsql/data/pg_hba.conf
> C:\> # TYPE DATABASE USER IP-ADDRESS METHOD
> C:\> local all all trust
> C:\> host all all 10.2.3.4/32 md5
> C:\> hostssl all all 0.0.0.0/0 md5

--
'Interesting. No, wait, the other thing - Tedious.'
-- Bender
Rasputin :: Jack of All Trades - Master of Nuns


From: "Donald Fraser" <postgres(at)kiwi-fraser(dot)net>
To: "[ADMIN]" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: pg_hba.conf
Date: 2005-02-22 13:48:11
Message-ID: 008201c518e5$268d77b0$0264a8c0@demolish1

If postgres has ssl enabled then it will by default negotiate to use ssl,
regardless of the host or hostssl settings in pg_hba. Your client software
needs to refuse ssl connections then it will fall back to a non-ssl
connection so long as there exists a host setting in pg_hba. The hostssl
setting in pg_hba means that it must use ssl to connect, whereas the host
setting in pg_hba can mean either or, depending on your client.

What client software are you using?

Regards
Donald Fraser

----- Original Message -----
From: "Dick Davies" <rasputnik(at)hellooperator(dot)net>
To: "PostgreSQL Admin" <pgsql-admin(at)postgresql(dot)org>
Sent: Tuesday, February 22, 2005 1:26 PM
Subject: Re: [ADMIN] pg_hba.conf

> * KÖPFERL Robert <robert(dot)koepferl(at)sonorys(dot)at> [0228 12:28]:
> > According to the excellent doc, the _first_ matching entry will be used.
>
> If that were true, the below would work, surely?
>
> > C:\> I have this:
> > C:\>
> > C:\> root(at)eris:postgresql80-server$ cat /opt/pgsql/data/pg_hba.conf
> > C:\> # TYPE DATABASE USER IP-ADDRESS METHOD
> > C:\> local all all trust
> > C:\> host all all 10.2.3.4/32 md5
> > C:\> hostssl all all 0.0.0.0/0 md5
>
> --
> 'Interesting. No, wait, the other thing - Tedious.'
> -- Bender
> Rasputin :: Jack of All Trades - Master of Nuns
>


From: Dick Davies <rasputnik(at)hellooperator(dot)net>
To: Donald Fraser <postgres(at)kiwi-fraser(dot)net>
Cc: PostgreSQL Admin <pgsql-admin(at)postgresql(dot)org>
Subject: Re: pg_hba.conf
Date: 2005-02-22 14:25:16
Message-ID: 20050222142516.GU66519@eris.tenfour

* Donald Fraser <postgres(at)kiwi-fraser(dot)net> [0257 13:57]:
> If postgres has ssl enabled then it will by default negotiate to use ssl,
> regardless of the host or hostssl settings in pg_hba. Your client software
> needs to refuse ssl connections then it will fall back to a non-ssl
> connection so long as there exists a host setting in pg_hba. The hostssl
> setting in pg_hba means that it must use ssl to connect, whereas the host
> setting in pg_hba can mean either or, depending on your client.
>
> What client software are you using?

psql and ignorance :)- though it'll be ruby-postgres for the webapp.

Thanks for the explanation.

--
'This must be Thursday. I never could get the hang of Thursdays.'
-- Arthur Dent
Rasputin :: Jack of All Trades - Master of Nuns
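
The first-match rule and the host/hostssl distinction discussed in this thread, as an added example that is not part of the original messages or PostgreSQL's own code. It is a simplified model: the database and user columns are assumed to be `all`, and 192.0.2.7 is a constructed client address.

```python
import ipaddress

# The pg_hba.conf quoted in the thread.
HBA = """
# TYPE DATABASE USER IP-ADDRESS METHOD
local    all  all               trust
host     all  all  10.2.3.4/32  md5
hostssl  all  all  0.0.0.0/0    md5
"""

def parse_hba(text):
    """Return (type, network, method) for each TCP/IP record, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":      # Unix-socket record, no address column
            continue
        conn_type, _db, _user, cidr, method = fields[:5]
        rules.append((conn_type, ipaddress.ip_network(cidr), method))
    return rules

def first_match(rules, client_ip, uses_ssl):
    """Return the first record matching the connection, or None if rejected."""
    addr = ipaddress.ip_address(client_ip)
    for conn_type, net, method in rules:
        if addr not in net:
            continue
        if conn_type == "hostssl" and not uses_ssl:
            continue                  # hostssl only matches SSL connections
        if conn_type == "hostnossl" and uses_ssl:
            continue                  # hostnossl only matches plaintext
        return conn_type, str(net), method   # 'host' matches either kind
    return None

RULES = parse_hba(HBA)

if __name__ == "__main__":
    for ip, ssl in [("10.2.3.4", True), ("10.2.3.4", False),
                    ("192.0.2.7", True), ("192.0.2.7", False)]:
        print(ip, "ssl" if ssl else "plain", "->", first_match(RULES, ip, ssl))
```

The `host` record for 10.2.3.4 matches that address with or without SSL, so whether the session is encrypted is decided by the client's negotiation and not by pg_hba.conf. With a libpq client such as psql, `sslmode=disable` in the connection string (or `PGSSLMODE=disable` in the environment) makes the client skip SSL.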