This is a discussion on Re: pg_hba.conf within the pgsql Admins forums, part of the PostgreSQL category.
According to the excellent doc, the _first_ matching entry will be used.

C:\> -----Original Message-----
C:\> From: Dick Davies [mailto:rasputnik@hellooperator.net]
C:\> Sent: Dienstag, 22. Februar 2005 12:57
C:\> To: PostgreSQL Admin
C:\> Subject: [ADMIN] pg_hba.conf
C:\>
C:\>
C:\>
C:\> Just needed clarification on how pg_hba.conf operates.
C:\> Does a specific host take precedence over a more general
C:\> network setting?
C:\>
C:\> The local socket is only accessible to a certain group,
C:\> but I don't want
C:\> the overhead of SSL for loopback connections. If I connect
C:\> to the server
C:\> from the local machine, the connections show up as (eg)
C:\> 10.2.3.4, the NIC
C:\> ip.
C:\>
C:\> I was hoping the more specific 'host' entry would take
C:\> entry over the universal
C:\> 'hostssl' entry, but it doesn't seem to...
C:\>
C:\> I have this:
C:\>
C:\> root@eris
C:\> # TYPE   DATABASE  USER  IP-ADDRESS    METHOD
C:\> local    all       all                 trust
C:\> host     all       all   10.2.3.4/32   md5
C:\> hostssl  all       all   0.0.0.0/0     md5
C:\>
C:\> Is there a way to say 'all IP traffic should be encrypted
C:\> except one IP' that
C:\> I'm missing?
C:\>
C:\> I know I could just add the local process into the dba
C:\> group, but the app doesn't
C:\> reconnect if the socket goes away on a db restart, so
C:\> that's not ideal...
C:\>
C:\>
C:\> --
C:\> 'That question was less stupid; though you asked it in a
C:\> profoundly stupid way.'
C:\> -- Prof. Farnsworth
C:\> Rasputin :: Jack of All Trades - Master of Nuns
C:\>
C:\> ---------------------------(end of
C:\> broadcast)---------------------------
C:\> TIP 7: don't forget to increase your free space map settings
C:\>

---------------------------(end of broadcast)---------------------------
TIP 9: the planner will ignore your desire to choose an index scan if your
joining column's datatypes do not match
* KÖPFERL Robert <robert.koepferl@sonorys.at> [0228 12:28]:
> According to the excellent doc, the _first_ matching entry will be used.

If that were true, the below would work, surely?

> C:\> I have this:
> C:\>
> C:\> root@eris
> C:\> # TYPE   DATABASE  USER  IP-ADDRESS    METHOD
> C:\> local    all       all                 trust
> C:\> host     all       all   10.2.3.4/32   md5
> C:\> hostssl  all       all   0.0.0.0/0     md5

--
'Interesting. No, wait, the other thing - Tedious.'
-- Bender
Rasputin :: Jack of All Trades - Master of Nuns

---------------------------(end of broadcast)---------------------------
TIP 5: Have you checked our extensive FAQ?
http://www.postgresql.org/docs/faq
If postgres has ssl enabled then it will by default negotiate to use ssl, regardless of the host or hostssl settings in pg_hba. Your client software needs to refuse ssl connections then it will fall back to a non-ssl connection so long as there exists a host setting in pg_hba. The hostssl setting in pg_hba means that it must use ssl to connect, whereas the host setting in pg_hba can mean either or, depending on your client.

What client software are you using?

Regards
Donald Fraser

----- Original Message -----
From: "Dick Davies" <rasputnik@hellooperator.net>
To: "PostgreSQL Admin" <pgsql-admin@postgresql.org>
Sent: Tuesday, February 22, 2005 1:26 PM
Subject: Re: [ADMIN] pg_hba.conf

> * KÖPFERL Robert <robert.koepferl@sonorys.at> [0228 12:28]:
> > According to the excellent doc, the _first_ matching entry will be used.
>
> If that were true, the below would work, surely?
>
> > C:\> I have this:
> > C:\>
> > C:\> root@eris
> > C:\> # TYPE   DATABASE  USER  IP-ADDRESS    METHOD
> > C:\> local    all       all                 trust
> > C:\> host     all       all   10.2.3.4/32   md5
> > C:\> hostssl  all       all   0.0.0.0/0     md5
>
> --
> 'Interesting. No, wait, the other thing - Tedious.'
> -- Bender
> Rasputin :: Jack of All Trades - Master of Nuns
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/docs/faq
>

---------------------------(end of broadcast)---------------------------
TIP 6: Have you searched our list archives?
http://archives.postgresql.org
* Donald Fraser <postgres@kiwi-fraser.net> [0257 13:57]:
> If postgres has ssl enabled then it will by default negotiate to use ssl,
> regardless of the host or hostssl settings in pg_hba. Your client software
> needs to refuse ssl connections then it will fall back to a non-ssl
> connection so long as there exists a host setting in pg_hba. The hostssl
> setting in pg_hba means that it must use ssl to connect, whereas the host
> setting in pg_hba can mean either or, depending on your client.
>
> What client software are you using?

psql and ignorance

Thanks for the explanation.

--
'This must be Thursday. I never could get the hang of Thursdays.'
-- Arthur Dent
Rasputin :: Jack of All Trades - Master of Nuns

---------------------------(end of broadcast)---------------------------
TIP 1: subscribe and unsubscribe commands go to majordomo@postgresql.org
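The behaviour discussed in this thread, as an added example that is not part of any poster's message and not PostgreSQL's own code: a simplified Python model of first-match pg_hba.conf evaluation combined with the client's `sslmode` attempt order against an SSL-enabled server. The function names are hypothetical, `hostnossl` and the `sslmode` values are standard PostgreSQL/libpq settings not mentioned in the thread, and 192.0.2.7 is a constructed remote address.

```python
import ipaddress

# The pg_hba.conf quoted in the thread (database and user are "all" throughout).
PG_HBA = """
# TYPE   DATABASE  USER  IP-ADDRESS    METHOD
local    all       all                 trust
host     all       all   10.2.3.4/32   md5
hostssl  all       all   0.0.0.0/0     md5
"""

# Which TCP connections each record type can match (True = SSL in use).
TYPES = {"host": (True, False), "hostssl": (True,), "hostnossl": (False,)}

def parse(text):
    """Return (type, network-or-None, method) tuples in file order."""
    rules = []
    for line in text.splitlines():
        f = line.split("#")[0].split()
        if not f:
            continue
        net = ipaddress.ip_network(f[3]) if f[0] != "local" else None
        rules.append((f[0], net, f[-1]))
    return rules

def first_match(rules, addr, ssl):
    """First record that fits this TCP connection, or None (rejected)."""
    ip = ipaddress.ip_address(addr)
    for rtype, net, method in rules:
        # "local" records only apply to Unix sockets, so they are skipped here.
        if ssl in TYPES.get(rtype, ()) and ip in net:
            return rtype, method
    return None

def connect(rules, addr, sslmode):
    """Simplified libpq model: try each transport the sslmode allows, in order.
    Returns (ssl_used, matched_record) or None if every attempt is rejected."""
    attempts = {"disable": [False], "allow": [False, True],
                "prefer": [True, False], "require": [True]}[sslmode]
    for ssl in attempts:
        rule = first_match(rules, addr, ssl)
        if rule:
            return ssl, rule
    return None

if __name__ == "__main__":
    rules = parse(PG_HBA)
    for addr in ("10.2.3.4", "192.0.2.7"):
        for mode in ("prefer", "disable"):
            print(addr, mode, connect(rules, addr, mode))
```

In this model the `host` record is the first match for 10.2.3.4 either way; what changes is the transport the client offers, so setting `sslmode=disable` on the client (for psql, for example, through the `PGSSLMODE` environment variable) gives the unencrypted local connection while other addresses are still accepted only over SSL.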