Re: proper pg_hba config to require ssl from non-local/private ips

From: Matthew Lenz
Subject: Re: proper pg_hba config to require ssl from non-local/private ips
Date:
Msg-id: CANpBAJv81XXimKZCnv-u2yBGw6LyTTW7Y6eyUBZUwcMKa=unZw@mail.gmail.com
In reply to: Re: proper pg_hba config to require ssl from non-local/private ips  (Jeff Janes <jeff.janes@gmail.com>)
Responses: Re: proper pg_hba config to require ssl from non-local/private ips  (Scott Ribe <scott_ribe@elevated-dev.com>)
Re: proper pg_hba config to require ssl from non-local/private ips  (Jeff Janes <jeff.janes@gmail.com>)
List: pgsql-admin
On Wed, Oct 19, 2022 at 10:47 AM Jeff Janes <jeff.janes@gmail.com> wrote:
On Wed, Oct 19, 2022 at 8:50 AM Matthew Lenz <mlenz@nocturnal.org> wrote:
This is what I've got currently but it's still allowing non-ssl connections from remote (non-local/private) hosts. Any thoughts?

Did you reload the server configurations after changing the file?  What is the address of that non-local host, as seen by the server? (You can check the first with `select * from pg_hba_file_rules`, and the second with `select client_addr from pg_stat_activity where pid=pg_backend_pid();`.)

They are seen as external internet routable ips as expected (which should only match on the hostssl line).

local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
host    all             all             10.0.0.0/8              md5
host    all             all             172.16.0.0/12           md5
hostssl all             all             all                     md5 clientcert=verify-ca


Also, when I require SSL on the client, it allows SSL connections without a CA-signed cert, which I thought clientcert=verify-ca in this pg_hba should require.

No, clientcert=verify-ca forces the server to check the client's certificate.  Forcing the client to check the server's certificate must be done on the client end.  (And of course if you are not connecting via that line of the pg_hba, then that setting doesn't do anything.)


I didn't say the client was meant to enforce it.  I meant the server should be enforcing it (it's not).
Cheers,

Jeff
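The two checks Jeff suggests, expanded into a short diagnostic session a DBA can run after editing pg_hba.conf. This is an added example, not part of the thread above, and it assumes PostgreSQL 10 or later (for pg_hba_file_rules) run by a superuser or a role with pg_read_all_settings. The private ranges in the filter are the ones from the posted configuration.

```sql
-- Added example (not from the thread): confirm that the rules the server is
-- actually enforcing match the edited pg_hba.conf, and find connections that
-- the intended rule set should not have allowed.

-- 1. Reload the configuration so edits to pg_hba.conf take effect.
SELECT pg_reload_conf();

-- 2. Rules as parsed from the file, in match order. A non-NULL "error" means
--    that line was rejected; the server then keeps the previously loaded rule
--    set, so a typo can silently leave an older, looser set of rules in force.
SELECT line_number, type, database, user_name, address, netmask,
       auth_method, options, error
  FROM pg_hba_file_rules
 ORDER BY line_number;

-- 3. Every current TCP client, with the address the server sees (which is what
--    pg_hba.conf matches against) and whether TLS is in use. Any row with
--    ssl = false here is a non-SSL connection from outside the local/private
--    ranges, i.e. exactly what the posted configuration is meant to refuse.
--    client_dn is NULL when no client certificate was presented.
SELECT a.pid, a.usename, a.datname, a.client_addr,
       s.ssl, s.version, s.cipher, s.client_dn
  FROM pg_stat_activity a
  LEFT JOIN pg_stat_ssl s USING (pid)
 WHERE a.client_addr IS NOT NULL            -- skip Unix-socket sessions and background workers
   AND NOT (a.client_addr <<= '127.0.0.1/32'
         OR a.client_addr <<= '::1/128'
         OR a.client_addr <<= '10.0.0.0/8'
         OR a.client_addr <<= '172.16.0.0/12')
 ORDER BY s.ssl, a.client_addr;

-- 4. The current session only: quickest way to test one client by connecting
--    from it and asking how the server classified that connection.
SELECT a.client_addr, s.ssl, s.client_dn
  FROM pg_stat_activity a
  JOIN pg_stat_ssl s USING (pid)
 WHERE a.pid = pg_backend_pid();
```

Query 2 is the one to look at first: if pg_hba_file_rules reports an error for any line, the file on disk and the rules in memory differ, which would explain remote non-SSL connections still getting through. Query 3 uses the `<<=` "is contained by or equals" operator on inet values, so it also works for IPv6 clients and for hosts that appear behind NAT with an unexpected address.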
