Re: Force ssl connection

From: Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>
To: Muhammad Bashir Al-Noimi <mbnoimi(at)gmail(dot)com>
Cc: jeff(dot)janes(at)gmail(dot)com, pgsql-general(at)postgresql(dot)org
Subject: Re: Force ssl connection
Date: 2013-07-09 21:16:03
Message-ID: 51DC7D93.3040602@gmail.com
Lists: pgsql-general

On 07/09/2013 01:55 PM, Muhammad Bashir Al-Noimi wrote:
> On 07/09/2013 07:54 PM, Jeff Janes wrote:
>> On Tue, Jul 9, 2013 at 10:02 AM, Muhammad Bashir Al-Noimi
>> <mbnoimi(at)gmail(dot)com> wrote:
>>> So may you please be more specific, what's wrong in my configurations?
>>>
>>> My pg_hba.conf content is:
>>>
>>> local all postgres peer
>>> local all all peer
>>> host all all 127.0.0.1/32 md5
>>> host all all ::1/128 md5
>>> host all all 0.0.0.0/0 md5
>>> hostssl all all 0.0.0.0/0 md5
>>> hostnossl all all 0.0.0.0/0 reject
>> The line below accepts all connections, whether ssl or nossl:
>>
>> host all all 0.0.0.0/0 md5
>>
>> It takes precedence over the reject line, as it occurs in the file
>> before the reject.
>>
>> If you remove that line, then you don't need the reject line at all.
> I commented it out and restarted the server but I still get the same result!

Where are you connecting from? If you are connecting locally using
sockets (local above) or host (lines 3, 4, 5 above) then you are bypassing ssl.

>
> How can I be absolutely sure that my server rejects non-ssl connections?
>

Make sure you use only hostssl, not host or local. hostssl forces
ssl-only connections.

pg_hba.conf is powerful but the interactions can be somewhat confusing.
It took me several passes through the docs before I began to understand.

--
Adrian Klaver
adrian(dot)klaver(at)gmail(dot)com
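
The first-match behaviour discussed in this thread, as an added example that is not part of the original messages or of PostgreSQL itself: a simplified evaluator that walks the quoted pg_hba.conf in order and reports which record decides a connection. The names `first_match`, `THREAD_HBA` and `FIXED_HBA`, the client address 203.0.113.5 and the database/user names are assumptions made for illustration; only `all` and CIDR addresses are handled.

```python
import ipaddress

# The pg_hba.conf quoted in the thread (record order preserved).
THREAD_HBA = """\
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
host all all 0.0.0.0/0 md5
hostssl all all 0.0.0.0/0 md5
hostnossl all all 0.0.0.0/0 reject
"""
# Same file with the catch-all "host" record removed, as suggested in the thread.
FIXED_HBA = THREAD_HBA.replace("host all all 0.0.0.0/0 md5\n", "", 1)

def _name_ok(field, name):
    # Simplification: only "all" and comma-separated literal names are handled.
    return field == "all" or name in field.split(",")

def first_match(hba_text, db, user, client_ip=None, ssl=False):
    """Return (record_no, type, method) of the first matching record, else None.
    client_ip=None models a Unix-socket connection."""
    records = [l.split("#", 1)[0].split() for l in hba_text.splitlines()]
    for n, f in enumerate((r for r in records if r), 1):
        kind = f[0]
        if kind == "local":
            if client_ip is not None:
                continue
            method = f[3]
        elif kind in ("host", "hostssl", "hostnossl"):
            if client_ip is None:
                continue
            if (kind == "hostssl" and not ssl) or (kind == "hostnossl" and ssl):
                continue  # record applies only to the other transport
            # Simplification: address must be "all" or CIDR notation.
            if f[3] != "all" and ipaddress.ip_address(client_ip) not in \
                    ipaddress.ip_network(f[3], strict=False):
                continue
            method = f[4]
        else:
            continue
        if _name_ok(f[1], db) and _name_ok(f[2], user):
            return n, kind, method
    return None

if __name__ == "__main__":
    for label, hba in (("thread", THREAD_HBA), ("fixed", FIXED_HBA)):
        for ip, ssl in (("203.0.113.5", False), ("203.0.113.5", True), ("127.0.0.1", False)):
            print(label, ip, "ssl" if ssl else "nossl", first_match(hba, "app", "alice", ip, ssl))
```

On a live server, the equivalent check is a remote connection attempt with the libpq setting `sslmode=disable`, which should be refused once the plain `host` record is gone.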
