Re: proper pg_hba config to require ssl from non-local/private ips

From: Matthew Lenz <mlenz(at)nocturnal(dot)org>
To: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
Cc: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Re: proper pg_hba config to require ssl from non-local/private ips
Date: 2022-10-19 16:26:20
Message-ID: CANpBAJvYy8LNPpWZwThNNcLg++Hoz5QooB0w9MqZmicwK9U+rg@mail.gmail.com
Lists: pgsql-admin

They are external internet routable ips. They will not match any of
the host lines.

On Wed, Oct 19, 2022 at 10:00 AM Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> wrote:

> On Wed, 2022-10-19 at 07:49 -0500, Matthew Lenz wrote:
> > This is what I've got currently but it's still allowing non-ssl connections from remote (non-local/private) hosts. Any thoughts?
> >
> > local all all trust
> > host all all 127.0.0.1/32 trust
> > host all all ::1/128 trust
> > host all all 10.0.0.0/8 md5
> > host all all 172.16.0.0/12 md5
> > hostssl all all all md5 clientcert=verify-ca
> >
> > Also when I require SSL on the client it allows SSL connections without a CA signed cert
> > which I thought clientcert=verify-ca in this pg_hba should require.
>
> Then your client IP address must match the CIDR 172.16.0.0/12, right?
>
> That line matches both unencrypted and encrypted connections, that's why it is used
> for SSL connections as well. To change that, use "hostnossl" in the penultimate line.
>
> Yours,
> Laurenz Albe
> --
> Cybertec | https://www.cybertec-postgresql.com
>
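An added example, not part of this thread or of PostgreSQL itself: a small Python evaluator for the record types in the posted pg_hba.conf that reproduces the first-match rule Laurenz describes. The database name "app" and user "alice" are constructed placeholders, and the evaluator handles only local/host/hostssl/hostnossl records with CIDR or "all" addresses.

```python
import ipaddress

# pg_hba.conf from the thread (re-typed here), then the variant Laurenz suggests
POSTED = """\
local     all all               trust
host      all all 127.0.0.1/32  trust
host      all all ::1/128       trust
host      all all 10.0.0.0/8    md5
host      all all 172.16.0.0/12 md5
hostssl   all all all           md5 clientcert=verify-ca
"""
FIXED = POSTED.replace("host      all all 172.16.0.0/12", "hostnossl all all 172.16.0.0/12")

def parse_pg_hba(text):
    """Return (type, database, user, address, method+options) tuples; local records carry address ""."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "local":
            rules.append((parts[0], parts[1], parts[2], "", " ".join(parts[3:])))
        else:
            rules.append((parts[0], parts[1], parts[2], parts[3], " ".join(parts[4:])))
    return rules

def _address_matches(rule_address, client_ip):
    if rule_address == "all":
        return True
    # an IPv4 address is never inside an IPv6 network (e.g. ::1/128), and vice versa
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule_address, strict=False)

def first_match(rules, client_ip, ssl, database="app", user="alice"):
    """PostgreSQL takes the first matching record; None means no record matched (rejected)."""
    for kind, db, user_, address, method in rules:
        if kind == "local":                       # unix-socket records never match TCP clients
            continue
        if (kind == "hostssl" and not ssl) or (kind == "hostnossl" and ssl):
            continue
        if db not in ("all", database) or user_ not in ("all", user):
            continue
        if _address_matches(address, client_ip):
            return method
    return None
```

With the posted file, an SSL client from 172.16.0.0/12 is handled by the plain "host" record (md5, no client certificate), while with "hostnossl" the same client falls through to the hostssl record and its clientcert=verify-ca option.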
