I have a situation where I need postgres to LISTEN and allow BINDs to
its TCP/IP port (5432) only to connections that originate from
localhost. I need it to not accept *socket* connections if requests
come in from off-box. If I try to set up pg_hba.conf such that it
rejects off-box requests, it seems to do this after it permits the
socket connection, and that won't do for our security geeks here.
For example, here's the difference:
kwright@merrimack:~$ curl http://duck37:5432
curl: (52) Empty reply from server
kwright@merrimack:~$ curl http://duck37:5433
curl: (7) couldn't connect to host
kwright@merrimack:~$
Note that the outside world seems to be able to connect to 5432 just
fine, although any *database* connections get (properly) rejected.
I cannot turn off TCP/IP entirely because I have a Java application that
uses JDBC.
Can somebody tell me whether this is an innate capability of postgres,
or whether I will need to modify the base code (and if so, WHERE I would
modify it)?
Thanks,
Karl Wright
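The bind behaviour described above is controlled by the listen_addresses setting in postgresql.conf, not by pg_hba.conf (which is consulted only after the TCP connection has been accepted). The following shell script is an added example, not part of the original message: it writes two constructed postgresql.conf fragments under a temporary directory (the file names weak.conf and hardened.conf are hypothetical) and checks whether each one confines the TCP listener to the loopback interface, which is what keeps off-box clients from completing a connection to port 5432 while a local JDBC client can still reach 127.0.0.1:5432.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate listen_addresses in
# constructed postgresql.conf fragments. Hypothetical file names; a real
# server reads the postgresql.conf in its data directory.

set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed: binds every interface, so off-box clients complete the TCP
# handshake and are only turned away later by pg_hba.conf.
cat > "$workdir/weak.conf" <<'EOF'
port = 5432
listen_addresses = '*'          # accepts connections on any interface
EOF

# Constructed: loopback-only listener; remote hosts get no TCP connection
# at all, while local JDBC clients still reach 127.0.0.1:5432.
cat > "$workdir/hardened.conf" <<'EOF'
port = 5432
listen_addresses = 'localhost'  # 127.0.0.1 / ::1 only
EOF

# Print the effective listen_addresses value from a postgresql.conf
# (the last uncommented assignment wins, as it does for the server).
listen_addresses_of() {
  sed -n "s/^[[:space:]]*listen_addresses[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" \
    | tail -n 1
}

# Return 0 when the TCP listener is confined to loopback addresses and
# still exists (JDBC needs TCP), 1 otherwise.
is_loopback_only() {
  # No assignment at all: the server default is 'localhost', which passes.
  grep -Eq "^[[:space:]]*listen_addresses[[:space:]]*=" "$1" || return 0
  addrs=$(listen_addresses_of "$1")
  # An empty string disables TCP entirely; that would break the JDBC client.
  [ -n "$addrs" ] || return 1
  old_ifs=$IFS
  IFS=,
  for a in $addrs; do
    a=$(printf '%s' "$a" | tr -d '[:space:]')
    case "$a" in
      localhost|127.0.0.1|::1) ;;             # loopback, acceptable
      *) IFS=$old_ifs; return 1 ;;            # '*', 0.0.0.0, or a LAN address
    esac
  done
  IFS=$old_ifs
  return 0
}

# Human-readable verdict for one config file.
report() {
  if is_loopback_only "$1"; then
    echo "$1: listen_addresses='$(listen_addresses_of "$1")' -> loopback only, OK"
  else
    echo "$1: listen_addresses='$(listen_addresses_of "$1")' -> reachable off-box, FIX"
  fi
}

report "$workdir/weak.conf"
report "$workdir/hardened.conf"
```

After changing listen_addresses and restarting the server, confirm on the box itself that the listener shows as 127.0.0.1:5432 (and ::1:5432) rather than 0.0.0.0:5432 or *:5432 in the output of ss -lnt or netstat -lnt; that is the point at which the curl test in the message above would fail with "couldn't connect to host" for port 5432 as it already does for 5433.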