Re: proper pg_hba config to require ssl from non-local/private ips

On Wed, Oct 19, 2022 at 12:26 PM Frank Gard <
frank(dot)von(dot)postgresql(dot)org(at)familie-gard(dot)de> wrote:

> Hi Jeff,
> Am 19.10.22 um 17:47 schrieb Jeff Janes:
>
> On Wed, Oct 19, 2022 at 8:50 AM Matthew Lenz <mlenz(at)nocturnal(dot)org> wrote:
>
>> This is what I've got currently but it's still allowing non-ssl
>> connections from remote (non-local/private) hosts. Any thoughts?
>>
>
> Did you reload the server configurations after changing the file? What is
> the address of that non-local host, as seen by the server? (you can check
> the first with `select * from pg_hba_file_rules`,
>
> unfortunately that's not true, at least up to Pg v14 (I don't know if
> they've changed this IMHO "unexpected" behaviour in the meantime). The
> pg_hba_file_rules seems to be just an SQL frontend to the hba-file's
> content and does not(!) reflect the currently active configuration. So you
> can see your changes before the are activated, e.g. by calling
> pg_reload_conf().
>

Yes, thanks for the correction. I'd mistaken using it for checking that
the file you changed was the correct one for use by the connected server
(people often edit the wrong pg_hba.conf file), for checking that it had
actually been put into use via a reload, which as you note it doesn't do.

Cheers,

Jeff