This is what I've got currently but it's still allowing non-ssl connections
from remote (non-local/private) hosts. Any thoughts?
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 10.0.0.0/8 md5
host all all 172.16.0.0/12 md5
hostssl all all all md5
clientcert=verify-ca
Also when I require SSL on the client it allows SSL connections without a
CA signed cert which I thought clientcert=verify-ca in this pg_hba should
require.