From: | Matthew Lenz <mlenz(at)nocturnal(dot)org> |
---|---|
To: | Jeff Janes <jeff(dot)janes(at)gmail(dot)com> |
Cc: | pgsql-admin(at)lists(dot)postgresql(dot)org |
Subject: | Re: proper pg_hba config to require ssl from non-local/private ips |
Date: | 2022-10-19 16:29:26 |
Message-ID: | CANpBAJv81XXimKZCnv-u2yBGw6LyTTW7Y6eyUBZUwcMKa=unZw@mail.gmail.com |
Lists: | pgsql-admin |
On Wed, Oct 19, 2022 at 10:47 AM Jeff Janes <jeff(dot)janes(at)gmail(dot)com> wrote:
> On Wed, Oct 19, 2022 at 8:50 AM Matthew Lenz <mlenz(at)nocturnal(dot)org> wrote:
>
>> This is what I've got currently but it's still allowing non-SSL
>> connections from remote (non-local/private) hosts. Any thoughts?
>>
>
> Did you reload the server configurations after changing the file? What is
> the address of that non-local host, as seen by the server? (you can check
> the first with `select * from pg_hba_file_rules`, and the second with `select
> client_addr from pg_stat_activity where pid=pg_backend_pid();`)
>
They are seen as external internet-routable IPs as expected (which
should only match on the hostssl line).
>
>
>>
>> local all all trust
>> host all all 127.0.0.1/32 trust
>> host all all ::1/128 trust
>> host all all 10.0.0.0/8 md5
>> host all all 172.16.0.0/12 md5
>> hostssl all all all md5
>> clientcert=verify-ca
>>
>> Also when I require SSL on the client it allows SSL connections without a
>> CA signed cert which I thought clientcert=verify-ca in this pg_hba should
>> require.
>>
>
> No, clientcert=verify-ca forces the server to check the client's
> certificate. Forcing the client to check the server's certificate must be
> done on the client end. (And of course if you are not connecting via that
> line of the pg_hba, then that setting doesn't do anything.)
>
>
I didn't say the client was meant to enforce it. I meant the server should
be enforcing it (it's not).
> Cheers,
>
> Jeff
>
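As an added example (not from the thread), a small Python model of how the server walks pg_hba.conf, run against the records quoted above; it assumes the clientcert option sits on the hostssl record and supports only the address forms used there (CIDR or `all`).

```python
import ipaddress

# Constructed sample modelled on the rules quoted in the thread. Assumption:
# the clientcert option belongs on the hostssl record (one record per line).
PG_HBA = """\
local   all all trust
host    all all 127.0.0.1/32  trust
host    all all ::1/128       trust
host    all all 10.0.0.0/8    md5
host    all all 172.16.0.0/12 md5
hostssl all all all           md5 clientcert=verify-ca
"""

def parse_pg_hba(text):
    """Parse records (CIDR or 'all' addresses only; options follow the method)."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()  # drop comments and blank lines
        if not tokens:
            continue
        (kind, db, user), rest = tokens[:3], tokens[3:]
        addr = rest.pop(0) if kind != "local" else None
        method = rest.pop(0)
        opts = dict(tok.split("=", 1) for tok in rest)  # e.g. clientcert=verify-ca
        rules.append({"type": kind, "db": db, "user": user,
                      "addr": addr, "method": method, "opts": opts})
    return rules

def _addr_matches(rule_addr, client_ip):
    # Containment is False across IPv4/IPv6, as in the server (IPv4 entries match only IPv4 clients)
    return rule_addr == "all" or ipaddress.ip_address(client_ip) in \
        ipaddress.ip_network(rule_addr, strict=False)

def first_match(rules, client_ip, ssl, db="postgres", user="app",
                unix_socket=False):
    """First matching record, as the server picks it, or None (= rejected).
    'host' matches SSL and non-SSL TCP sessions; 'hostssl' only SSL ones."""
    for r in rules:
        if unix_socket != (r["type"] == "local"):
            continue
        if (r["type"] == "hostssl" and not ssl) or \
           (r["type"] == "hostnossl" and ssl):
            continue
        if not unix_socket and not _addr_matches(r["addr"], client_ip):
            continue
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        return r
    return None
```

With these records a non-SSL TCP connection from an internet-routable address matches nothing and is rejected, while a `host` record also accepts SSL sessions from its range; `pg_stat_ssl` shows per session whether SSL is in use.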