Re: Force ssl connection

From: Jeff Janes <jeff(dot)janes(at)gmail(dot)com>
To: Muhammad Bashir Al-Noimi <mbnoimi(at)gmail(dot)com>
Cc: Adrian Klaver <adrian(dot)klaver(at)gmail(dot)com>, "pgsql-general(at)postgresql(dot)org" <pgsql-general(at)postgresql(dot)org>
Subject: Re: Force ssl connection
Date: 2013-07-09 21:21:30
Message-ID: CAMkU=1yPhcCvAJ0nLoBiOoeE2H4P0QsZAB-iq677E+f7ULMoEw@mail.gmail.com
Lists: pgsql-general

On Tue, Jul 9, 2013 at 1:55 PM, Muhammad Bashir Al-Noimi
<mbnoimi(at)gmail(dot)com> wrote:
> On 07/09/2013 07:54 PM, Jeff Janes wrote:
>>
>> On Tue, Jul 9, 2013 at 10:02 AM, Muhammad Bashir Al-Noimi
>> <mbnoimi(at)gmail(dot)com> wrote:
>>>
>>> So may you please be more specific, what's wrong in my configurations?
>>>
>>> My pg_hba.conf content is:
>>>
>>> local all postgres peer
>>> local all all peer
>>> host all all 127.0.0.1/32 md5
>>> host all all ::1/128 md5
>>> host all all 0.0.0.0/0 md5
>>> hostssl all all 0.0.0.0/0 md5
>>> hostnossl all all 0.0.0.0/0 reject
>>
>> The line below accepts all connections, whether ssl or nossl:
>>
>> host all all 0.0.0.0/0 md5
>>
>> It takes precedence over the reject line, as it occurs in the file
>> before the reject.
>>
>> If you remove that line, then you don't need the reject line at all.
>
> I commented it and restarted the server but I still get same result!

From your original email:
db.setHostName("localhost");

So localhost is probably matching "127.0.0.1/32" or "::1/128", which
are explicitly allowed.

> How can I absolutely be sure that my server rejects not ssl connections?

Delete or comment out every line of pg_hba.conf which you either don't
want, or don't understand.

You could move the reject line to the top of the file, but that is no
substitute for understanding every line.

Cheers,

Jeff
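
The first-match behaviour discussed in this message, as an added example that is not part of the original email or of PostgreSQL's code. It is a simplified evaluator that assumes only CIDR addresses and literal or `all` database/user fields; the `COMMENTED` and `SSL_ONLY` variants, the client addresses and the `app` names are constructed for illustration.

```python
import ipaddress

# pg_hba.conf as quoted in the thread (whitespace collapsed by the archive).
ORIGINAL = """\
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
host all all 0.0.0.0/0 md5
hostssl all all 0.0.0.0/0 md5
hostnossl all all 0.0.0.0/0 reject
"""
# Constructed variants: the catch-all "host" line commented out, and SSL-only.
COMMENTED = ORIGINAL.replace("host all all 0.0.0.0/0 md5", "#host all all 0.0.0.0/0 md5")
SSL_ONLY = "local all all peer\nhostssl all all 0.0.0.0/0 md5\n"

def parse(text):
    """Return (type, database, user, network, method) for each active line."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":          # Unix-socket rule: no address column
            fields.insert(3, None)
        kind, db, user, addr, method = fields[:5]
        rules.append((kind, db, user, addr and ipaddress.ip_network(addr), method))
    return rules

def method_for(text, client_ip, ssl, db="app", user="app"):
    """Auth method of the first rule matching a TCP connection, or 'no match'."""
    ip = ipaddress.ip_address(client_ip)
    for kind, rdb, ruser, net, method in parse(text):
        if kind == "local":
            continue                      # never applies to TCP connections
        if (kind == "hostssl" and not ssl) or (kind == "hostnossl" and ssl):
            continue
        if rdb not in ("all", db) or ruser not in ("all", user):
            continue
        if ip.version == net.version and ip in net:
            return method                 # first match wins; the rest is ignored
    return "no match"                     # PostgreSQL denies access in this case

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("commented", COMMENTED), ("ssl-only", SSL_ONLY)):
        for ip in ("127.0.0.1", "203.0.113.7"):   # constructed client addresses
            print(f"{name:10} {ip:12} non-SSL -> {method_for(conf, ip, ssl=False)}")
```

With the catch-all `host` line commented out, a non-SSL connection from a remote address reaches the `reject` line, while one from 127.0.0.1 still matches the loopback `host` line first and gets `md5`.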
