| From: | Scott Marlowe <smarlowe(at)g2switchworks(dot)com> |
|---|---|
| To: | Adam Witney <awitney(at)sgul(dot)ac(dot)uk> |
| Cc: | pgsql-general <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: Distinguishing between connections in pg_hba.conf |
| Date: | 2005-05-16 20:31:27 |
| Message-ID: | 1116275487.22291.80.camel@state.g2switchworks.com |
| Lists: | pgsql-general |
On Mon, 2005-05-16 at 15:05, Adam Witney wrote:
> On 16/5/05 8:17 pm, "Scott Marlowe" <smarlowe(at)g2switchworks(dot)com> wrote:
>
> > On Mon, 2005-05-16 at 07:35, Adam Witney wrote:
> >> Hi,
> >>
> >> I have a web application (PHP) which runs on its own box, and connects to a
> >> database on a second box. The database box is behind the firewall and only
> >> accepts connections from the web server.
> >>
> >> I have set up stunnel on the web server and I would like to allow some
> >> limited external direct access to the db server, but I would like
> >> connections from stunnel to only access a specific database. The problem is
> >> that both the web server and the stunnel connections will come from the same
> >> box, and hence the same IP address, is there any way I can distinguish
> >> between these two connection methods in pg_hba.conf? (I can't do it on
> >> username either)
> >
> > Add an alias to each machine's ethernet card, along with a name. So, if
> > you've got 10.1.1.1 as the IP on the web server and 10.2.1.1 on the db
> > server, add 10.1.1.2 and 10.2.1.2 on each respectively, and give them
> > some similar name, like web02 and db02 if their names are web01 and
> > db01. Set up routes to use the other IP addresses with those names and
> > you should be able to do it.
> >
> > I haven't fleshed it out step by step, but you get the basic idea,
> > right?
>
> Hi,
>
> Thanks for your reply.
>
> So I see how you add an extra IP address to the web server box, but how do
> you assign it so that requests from apache appear on the db box as one IP
> address, and requests coming through stunnel appear as the second IP
> address?

That's kinda OS dependent. On RedHat you should have some kind of
netconfig command or something that will make a setting in the
/etc/sysconfig/network-scripts/ifcfg-xxx files to set routes.

In Fedora Core 2 the command that brings up the GUI config tool is
system-config-network.
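
The following is an added example, not part of the original message: a simplified model of pg_hba.conf first-match evaluation showing how per-address records separate the two connection paths once stunnel traffic originates from the alias address. The addresses 10.1.1.1 and 10.1.1.2 come from the thread; the database names `webapp` and `extdb`, the user name, and the `/24` record are assumptions, and only `host` records with CIDR addresses are handled.

```python
import ipaddress

# Constructed pg_hba.conf fragments. 10.1.1.1 is the web server's primary
# address and 10.1.1.2 its alias (used by stunnel), as in the thread.
# Database names "webapp" and "extdb" are assumptions for illustration.
TOO_BROAD = """
host  extdb  all  10.1.1.2/32  md5
host  all    all  10.1.1.0/24  md5   # also covers the alias address
"""
PER_ADDRESS = """
host  extdb  all  10.1.1.2/32  md5
host  all    all  10.1.1.2/32  reject
host  all    all  10.1.1.1/32  md5
"""

def parse(text):
    """Parse 'host db user cidr method' records, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5 and fields[0] == "host":
            _, dbs, users, cidr, method = fields
            rules.append((dbs.split(","), users.split(","),
                          ipaddress.ip_network(cidr), method))
    return rules

def decide(rules, src_ip, database, user):
    """Return the method of the first record matching address, database and
    user. Records are tried in order with no fall-through after a match;
    if nothing matches, the connection is rejected."""
    addr = ipaddress.ip_address(src_ip)
    for dbs, users, net, method in rules:
        if (addr in net
                and ("all" in dbs or database in dbs)
                and ("all" in users or user in users)):
            return method
    return "reject"

if __name__ == "__main__":
    for name, text in (("too broad", TOO_BROAD), ("per address", PER_ADDRESS)):
        rules = parse(text)
        for ip, db in (("10.1.1.1", "webapp"), ("10.1.1.2", "extdb"),
                       ("10.1.1.2", "webapp")):
            print(f"{name:12} {ip} -> {db:7} {decide(rules, ip, db, 'appuser')}")
```

With the broad `/24` record, a connection from the alias address to `webapp` skips the `extdb` record and is still admitted by the later one; the explicit `reject` record for 10.1.1.2 closes that path.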