proper pg_hba config to require ssl from non-local/private ips

From: Matthew Lenz <mlenz(at)nocturnal(dot)org>
To: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: proper pg_hba config to require ssl from non-local/private ips
Date: 2022-10-19 12:49:49
Message-ID: CANpBAJtuxCRnqvixsMFK-D7G=T6T_ma-Xef62saLR8doCW+tRw@mail.gmail.com
Lists: pgsql-admin

This is what I've got currently but it's still allowing non-ssl connections
from remote (non-local/private) hosts. Any thoughts?

local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 10.0.0.0/8 md5
host all all 172.16.0.0/12 md5
hostssl all all all md5 clientcert=verify-ca

Also when I require SSL on the client it allows SSL connections without a
CA signed cert which I thought clientcert=verify-ca in this pg_hba should
require.
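
PostgreSQL uses the first pg_hba.conf record whose connection type and client address match, and a `host` record matches both SSL and non-SSL connections. The following is an added example (not part of the original post and not PostgreSQL code) that models that first-match rule over the records above; it assumes only CIDR or `all` addresses, ignores the database and user columns (all `all` here), and the client addresses passed to it are constructed.

```python
import ipaddress

# Records from the post, in file order (wrapped last line joined).
PG_HBA = """\
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 10.0.0.0/8 md5
host all all 172.16.0.0/12 md5
hostssl all all all md5 clientcert=verify-ca
"""

def parse(text):
    """Split each record into (type, address, method, options)."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "local":  # local records have no address column
            records.append((f[0], None, f[3], f[4:]))
        else:
            records.append((f[0], f[3], f[4], f[5:]))
    return records

def addr_matches(spec, client):
    """True if the client address falls under the record's address field."""
    if spec == "all":
        return True
    net = ipaddress.ip_network(spec)
    return client.version == net.version and client in net

def first_match(records, client_ip=None, ssl=False):
    """Return the first applicable record, or None (connection rejected).
    client_ip=None models a Unix-domain socket connection."""
    client = ipaddress.ip_address(client_ip) if client_ip else None
    for rec in records:
        rtype, spec = rec[0], rec[1]
        if (client is None) != (rtype == "local"):
            continue  # socket connections match only local records
        if rtype == "local":
            return rec
        if rtype == "hostssl" and not ssl:
            continue  # hostssl applies only to SSL connections
        if rtype == "hostnossl" and ssl:
            continue  # hostnossl applies only to non-SSL connections
        if addr_matches(spec, client):
            return rec
    return None
```

On a running server, the `pg_hba_file_rules` view shows the records as the server parsed them, and `pg_stat_ssl` shows whether a given session is actually using SSL.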
