Unix Technical Forum

Re: [PHP] Re: SSL use

04-17-2008, 08:44 PM
Michael Fuhr
 

On Fri, Apr 22, 2005 at 03:02:25PM -0700, -k. wrote:
> > > from my php script, do i need to make a special
> > > connection to the database
> > > or is the same e.g
> > > pg_connect(host= localhost dbname=test user=p password=p)?
> >
> > You could add "sslmode=require" to attempt only an
> > SSL connection.
>
> I have couple related questions:
>
> Is this necessary if the database is running on the
> same machine (as implied by "host= localhost")? If so
> why?


Probably not; I was simply discussing the mechanism in general. If
the only users who could sniff the connection are privileged users
who already have access to the filesystem and memory, then encrypting
a connection to localhost wouldn't do much except slow down the
connection. It would, however, mean you wouldn't have to remember
to change that later if the web server and database were split onto
separate machines.

> Is it possible to make an SSL connection between
> Apache and Postgres using Unix-domain sockets?


I don't think libpq will attempt SSL over a Unix-domain socket. I
see a comment in fe-connect.c that says "Don't bother requesting
SSL over a Unix socket", although I haven't examined the code to
see if that's the only place such a decision would be made.

BTW, connecting with "host=localhost" makes a TCP connection;
omitting that and making a Unix-domain connection would probably
make the connection more efficient (assuming the system supports
Unix-domain sockets, that is).

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/
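
The transport choices discussed in the post above, as an added example that is not part of the original thread or of libpq: the helper names, the `db.example.internal` host, the credentials and the `PG_LIVE_CHECK` variable are constructed, and the `pg_stat_ssl` query assumes a PostgreSQL 9.5 or later server.

```php
<?php
// Added example, not from the original thread. Helper names, hosts and
// credentials are constructed for illustration.

// Quote a value for a libpq conninfo string: single quotes around it,
// with embedded backslashes and single quotes backslash-escaped.
function conninfo_quote(string $v): string {
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $v) . "'";
}

// libpq uses a Unix-domain socket when host is absent or starts with "/".
function is_unix_socket(array $p): bool {
    return !isset($p['host']) || $p['host'] === '' || $p['host'][0] === '/';
}

// TCP connections (including host=localhost) get sslmode=require so the
// setting survives a later split onto separate machines; socket
// connections get no sslmode because libpq ignores it there.
function build_conninfo(array $p): string {
    unset($p['sslmode']);
    if (!is_unix_socket($p)) {
        $p['sslmode'] = 'require';
    }
    $parts = [];
    foreach ($p as $k => $v) {
        $parts[] = $k . '=' . conninfo_quote((string)$v);
    }
    return implode(' ', $parts);
}

// Ask the server whether the current session is encrypted.
function session_uses_ssl($conn): bool {
    $r = pg_query($conn, 'SELECT ssl FROM pg_stat_ssl WHERE pid = pg_backend_pid()');
    return $r !== false && pg_fetch_result($r, 0, 0) === 't';
}

$cases = [  // constructed sample parameters
    'tcp, same machine' => ['host' => 'localhost', 'dbname' => 'test', 'user' => 'p', 'password' => 'p'],
    'tcp, remote'       => ['host' => 'db.example.internal', 'dbname' => 'test', 'user' => 'p', 'password' => "it's"],
    'unix socket'       => ['dbname' => 'test', 'user' => 'p', 'password' => 'p'],
];
foreach ($cases as $label => $params) {
    echo $label, ': ', build_conninfo($params), PHP_EOL;
}
// Optional live check; runs only when PG_LIVE_CHECK is set (assumed name).
if (getenv('PG_LIVE_CHECK') && function_exists('pg_connect')) {
    $c = pg_connect(build_conninfo($cases['tcp, same machine']));
    echo $c && session_uses_ssl($c) ? "encrypted\n" : "not encrypted or not connected\n";
}
```

In current libpq, `sslmode=require` encrypts the connection but does not verify the server certificate; `sslmode=verify-full` does.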
