Re: proper pg_hba config to require ssl from non-local/private ips

From: Jeff Janes <jeff(dot)janes(at)gmail(dot)com>
To: Matthew Lenz <mlenz(at)nocturnal(dot)org>
Cc: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: proper pg_hba config to require ssl from non-local/private ips
Date: 2022-10-19 15:47:14
Message-ID: CAMkU=1zmeaZrLziKiYB62weDDMtQ1MpBb-6ja3M4=7D5HoSZmQ@mail.gmail.com
Lists: pgsql-admin

On Wed, Oct 19, 2022 at 8:50 AM Matthew Lenz <mlenz(at)nocturnal(dot)org> wrote:

> This is what I've got currently but it's still allowing non-ssl
> connections from remote (non-local/private) hosts. Any thoughts?
>

Did you reload the server configuration after changing the file? What is
the address of that non-local host, as seen by the server? (You can check
the first with `select * from pg_hba_file_rules;` and the second with `select
client_addr from pg_stat_activity where pid=pg_backend_pid();`.)

>
> local all all trust
> host all all 127.0.0.1/32 trust
> host all all ::1/128 trust
> host all all 10.0.0.0/8 md5
> host all all 172.16.0.0/12 md5
> hostssl all all all md5 clientcert=verify-ca
>
> Also when I require SSL on the client it allows SSL connections without a
> CA signed cert which I thought clientcert=verify-ca in this pg_hba should
> require.
>

No, clientcert=verify-ca forces the server to check the client's
certificate. Forcing the client to check the server's certificate must be
done on the client end. (And of course if you are not connecting via that
line of the pg_hba, then that setting doesn't do anything.)

Cheers,

Jeff

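Added example, not part of the thread and not PostgreSQL's own code: a small Python model of how the server walks pg_hba.conf top to bottom and uses the first record that matches the connection. It loads the rules quoted above (with the e-mail-wrapped hostssl line joined back onto one line; the two-line form as pasted is not a valid record, and a real server would report that in the error column of pg_hba_file_rules) and shows, for a few constructed client addresses, which line wins and therefore whether a non-SSL connection gets through. The database name, user name and client addresses are made up for the demonstration; hostnames, separate netmask columns, samehost/samenet, group (+) syntax and regular expressions are deliberately not modelled.

```python
"""Toy evaluator for pg_hba.conf first-match semantics (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# The rules quoted in the thread, with the wrapped option rejoined (constructed input).
OP_HBA = """\
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 10.0.0.0/8 md5
host all all 172.16.0.0/12 md5
hostssl all all all md5 clientcert=verify-ca
"""
# The same text exactly as it appeared in the e-mail, option on its own line.
WRAPPED_AS_POSTED = OP_HBA.replace(" clientcert=verify-ca", "\nclientcert=verify-ca")


@dataclass
class Rule:
    line_no: int
    type: str            # local | host | hostssl | hostnossl
    database: str
    user: str
    address: Optional[str]   # CIDR or 'all'; None for local records
    method: str
    options: dict = field(default_factory=dict)


def parse_hba(text: str) -> list[Rule]:
    """Parse the modelled subset of pg_hba.conf; raise ValueError on a bad record."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "local":
            if len(tok) < 4:
                raise ValueError(f"line {n}: incomplete local record")
            db, user, addr, method, opts = tok[1], tok[2], None, tok[3], tok[4:]
        elif tok[0] in ("host", "hostssl", "hostnossl"):
            if len(tok) < 5:
                raise ValueError(f"line {n}: incomplete {tok[0]} record")
            db, user, addr, method, opts = tok[1], tok[2], tok[3], tok[4], tok[5:]
            if addr != "all":
                ipaddress.ip_network(addr, strict=False)  # validate the CIDR early
        else:
            # This is what the as-posted "clientcert=verify-ca" line turns into.
            raise ValueError(f"line {n}: unknown record type {tok[0]!r}")
        options = {}
        for o in opts:
            if "=" not in o:
                raise ValueError(f"line {n}: bad option {o!r}")
            k, v = o.split("=", 1)
            options[k] = v
        rules.append(Rule(n, tok[0], db, user, addr, method, options))
    return rules


def check_hba(text: str) -> Optional[str]:
    """Return the first parse error as a string, or None if the file parses."""
    try:
        parse_hba(text)
        return None
    except ValueError as e:
        return str(e)


def _name_match(spec: str, name: str) -> bool:
    return spec == "all" or name in spec.split(",")


def _addr_match(cidr: Optional[str], client_ip: str) -> bool:
    if cidr == "all":
        return True
    # An IPv4 client never matches an IPv6 network and vice versa.
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(cidr, strict=False)


def first_match(rules, database, user, client_ip=None, ssl=False) -> Optional[Rule]:
    """First matching rule, as the server picks it; client_ip=None means a Unix socket."""
    for r in rules:
        if client_ip is None:
            if r.type != "local":
                continue
        else:
            if r.type == "local":
                continue
            if r.type == "hostssl" and not ssl:      # plain host matches either way
                continue
            if r.type == "hostnossl" and ssl:
                continue
            if not _addr_match(r.address, client_ip):
                continue
        if not (_name_match(r.database, database) and _name_match(r.user, user)):
            continue
        return r
    return None


def decide(rules, database, user, client_ip=None, ssl=False) -> str:
    """Describe the outcome: which line applies and with what auth method/options."""
    r = first_match(rules, database, user, client_ip, ssl)
    if r is None:
        return "rejected: no pg_hba.conf entry"
    if r.method == "reject":
        return f"rejected by line {r.line_no}"
    opts = " ".join(f"{k}={v}" for k, v in r.options.items())
    return f"line {r.line_no}: {r.method}" + (f" {opts}" if opts else "")


if __name__ == "__main__":
    rules = parse_hba(OP_HBA)
    for ip, ssl in [("203.0.113.5", False), ("203.0.113.5", True), ("10.1.2.3", False)]:
        print(ip, "ssl" if ssl else "nossl", "->", decide(rules, "app", "alice", ip, ssl))
    print("as posted:", check_hba(WRAPPED_AS_POSTED))
```

With these rules a non-SSL connection from a public address matches nothing and is refused, while the same connection from 10.1.2.3 matches the plain `host` line for 10.0.0.0/8 and is allowed without SSL; so if the "remote" host reaches the server through a VPN or NAT with a private source address, that is the line it hits and the hostssl line, clientcert option included, is never consulted. Running the posted two-line form through `check_hba` reports the stray option line as an unknown record type.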