Re: proper pg_hba config to require ssl from non-local/private ips

Поиск
Список
Период
Сортировка
От Matthew Lenz
Тема Re: proper pg_hba config to require ssl from non-local/private ips
Дата
Msg-id CANpBAJvYy8LNPpWZwThNNcLg++Hoz5QooB0w9MqZmicwK9U+rg@mail.gmail.com
обсуждение исходный текст
Ответ на Re: proper pg_hba config to require ssl from non-local/private ips  (Laurenz Albe <laurenz.albe@cybertec.at>)
Список pgsql-admin
Дерево обсуждения
They are external internet routable ips.  They will not match any of the host lines.

On Wed, Oct 19, 2022 at 10:00 AM Laurenz Albe <laurenz.albe@cybertec.at> wrote:
On Wed, 2022-10-19 at 07:49 -0500, Matthew Lenz wrote:
> This is what I've got currently but it's still allowing non-ssl connections from remote (non-local/private) hosts. Any thoughts?
>
> local   all             all                                     trust
> host    all             all             127.0.0.1/32            trust
> host    all             all             ::1/128                 trust
> host    all             all             10.0.0.0/8              md5
> host    all             all             172.16.0.0/12           md5
> hostssl all             all             all                     md5 clientcert=verify-ca
>
> Also when I require SSL on the client it allows SSL connections without a CA signed cert
> which I thought clientcert=verify-ca in this pg_hba should require.

Then your client IP address must match the CIDR 172.16.0.0/12, right?

That line matches both unencrypted and encrypted connections, that's why it is used
for SSL connectios as well.  To change that, use "hostnossl" in the penultimate line.

Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com

В списке pgsql-admin по дате отправления:

Предыдущее
От: Thomas Kellerer
Дата:
Сообщение: Re: Database schema changes tools
Следующее
От: Frank Gard
Дата:
Сообщение: Re: proper pg_hba config to require ssl from non-local/private ips