pg_hba.conf

Just needed clarification on how pg_hba.conf operates.
Does a specific host take precedence over a more general network setting?

The local socket is only accessible to a certain group, but I don't want
the overhead of SSL for loopback connections. If I connect to the server
from the local machine, the connections show up as (eg) 10.2.3.4, the NIC
ip.

I was hoping the more specific 'host' entry would take entry over the universal
'hostssl' entry, but it does'nt seem to...

I have this:

root@eris:postgresql80-server$ cat /opt/pgsql/data/pg_hba.conf
# TYPE     DATABASE    USER        IP-ADDRESS      METHOD
local      all         all                         trust
host    all         all         10.2.3.4/32   md5
hostssl    all         all      0.0.0.0/0   md5

Is there a way to say 'all IP traffic should be encrypted except one IP' that
I'm missing?

I know I could just add the local process into the dba group, but the app doesn't
reconnect if the socket goes away on a db restart, so that's not ideal...


--
'That question was less stupid; though you asked it in a profoundly stupid way.'
        -- Prof. Farnsworth
Rasputin :: Jack of All Trades - Master of Nuns