Re: sslmode=require fallback

From Magnus Hagander
Subject Re: sslmode=require fallback
Date
Msg-id CABUevEwmHcCvNU_poRVbYzaa3pOfPXJV8q61XrpYLQq7Tc9eWQ@mail.gmail.com
In reply to Re: sslmode=require fallback  (Christoph Berg <cb@df7cb.de>)
List pgsql-hackers
On Tue, Jul 19, 2016 at 8:53 PM, Christoph Berg <cb@df7cb.de> wrote:
Makes sense. Is this something that should be implemented in postgresql, or via pg_createcluster?


Personally I'd like to see pg_createcluster et al mimic upstream as close as possible, so I'd advocate these changes being made upstream in PostgreSQL itself.

//Magnus


 

On 19 July 2016 16:00:05 CEST, Magnus Hagander <magnus@hagander.net> wrote:


On Sun, Jul 17, 2016 at 10:07 PM, Christoph Berg <myon@debian.org> wrote:
Re: Peter Eisentraut 2016-07-17 <d6b22200-0e65-d17e-b227-b63d81720fd0@2ndquadrant.com>
> On 7/15/16 3:07 PM, Andrew Dunstan wrote:
> > Do those packagers who install dummy certificates and turn SSL on also
> > change their pg_hba.conf.sample files to use hostssl? That could go a
> > long way towards encouraging people.
>
> Debian, which I guess sort of started this, does not, but there are
> allusions to it in the TODO list.

I guess we should actually do that if we had any non-local(host)
entries in there by default, but we don't touch the default
pg_hba.conf from pg_createcluster.

What could actually be useful there is to explicitly put hostnossl on the localhost entries. With the current defaults on the clients, that wouldn't break anything, and it would leave people without the performance issues that you run into in the default deployments. And for localhost it really doesn't make sense to encrypt -- for the local LAN segment that can be argued, but for localhost...


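The two pg_hba.conf suggestions raised in this thread (hostssl for non-local entries, hostnossl for the localhost entries) can be checked mechanically. The following is an added example, not part of any message in the thread and not PostgreSQL or pg_createcluster code; the function name review_hba and the sample file are constructed for illustration, and it assumes addresses are written as IP or CIDR values.

```python
import ipaddress

# Constructed sample: typical localhost entries plus two hypothetical network entries.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    md5
host    all       all   ::1/128         md5
host    all       all   192.0.2.0/24    md5
hostssl all       all   198.51.100.0/24 md5
"""

def review_hba(text):
    """Return (lineno, current_type, suggested_type, reason) for every plain
    'host' record, following the two suggestions made in the thread."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # local, hostssl and hostnossl already state their intent explicitly.
        if fields[0] != "host" or len(fields) < 5:
            continue
        try:
            net = ipaddress.ip_network(fields[3], strict=False)
        except ValueError:
            continue  # hostname, "all", samehost, samenet: not handled here
        if net.is_loopback:
            findings.append((lineno, "host", "hostnossl",
                             "loopback entry: encryption buys nothing here"))
        else:
            findings.append((lineno, "host", "hostssl",
                             "plain 'host' also matches unencrypted connections"))
    return findings

if __name__ == "__main__":
    for lineno, cur, new, why in review_hba(SAMPLE_HBA):
        print(f"line {lineno}: {cur} -> {new} ({why})")
```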
