| From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
|---|---|
| To: | Rob Sargent <robjsargent(at)gmail(dot)com>, "pgsql-generallists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: localhost ssl |
| Date: | 2021-01-22 20:52:39 |
| Message-ID: | 5f8db865-2f0e-6764-f2f0-b344feb42368@aklaver.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 1/22/21 11:49 AM, Rob Sargent wrote:
>
>
>> > Also I'm guessing you have ssl = on in postgresql.conf and server
>> cert setup.
>
> Sorry, here's a likely explaination from postgresql.conf
>
> ssl = on
> #ssl_ca_file = ''
>
> ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
> #ssl_crl_file = ''
>
> ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
>
> I have no recollection of making those choices (or what I had for
> breakfast).
>
>>
>> If you want to enforce SSL then:
>>
>> "
>> hostssl
>>
>> This record matches connection attempts made using TCP/IP, but
>> only when the connection is made with SSL encryption.
>
> Do you have any thoughts on question #2?
No, as I really have no idea what:
"In production I hope to name the role with each connection as I want
the search_path set by the connecting role. ..."
means?
I would point out this:
https://www.postgresql.org/docs/12/auth-cert.html
"User name mapping can be used to allow cn to be different from the
database user name."
which leads to this:
https://www.postgresql.org/docs/12/auth-username-maps.html
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Rob Sargent | 2021-01-22 21:11:55 | Re: localhost ssl |
| Previous Message | Steve Baldwin | 2021-01-22 20:44:57 | Re: FDW connections |