Re: Using both ident and password in pg_hba.conf - Mailing list pgsql-general

From D'Arcy J.M. Cain
Subject Re: Using both ident and password in pg_hba.conf
Date
Msg-id 20160510095010.65eaf9e3@imp
Whole thread Raw
In response to Re: Using both ident and password in pg_hba.conf  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: Using both ident and password in pg_hba.conf
List pgsql-general
On Mon, 09 May 2016 18:15:16 -0400
Tom Lane <tgl@sss.pgh.pa.us> wrote:
> > I did think of that but how do I define that in pg_hba?  The host
> > field only specifies the remote IP, not the local one.
>
> Right, but you'd be using it essentially as a loopback interface.
> Say you set it up as 192.168.0.42 --- you'd tell PHP to connect to
> Postgres on 192.168.0.42, and Postgres would also see the PHP
> connections as coming in from 192.168.0.42.

Can you expand on this?  I can't seem to get my head around it.  How
does the client make it look like it is coming from this ersatz
loopback IP?  In fact, I don't even need to add this to pg_hba since
anything outside of my trusted IPs requires a password.

I did consider creating another private network (I already have one for
internal communications) so the web server would alias 192.168.100.75
to the interface that 192.168.151.75 is on and the database would do
the same for its IP.  Now I can trigger on the host 192.168.100.75.
In fact, I don't even need to add this to pg_hba since anything outside
of my trusted IPs already requires a password.

I was hoping for a way that did not involve changing every PHP user's
web site but I guess there is no way around it.

> I think on most modern OSes you can set up this sort of thing
> entirely in software, not even needing a spare NIC card.  I haven't
> done it that way though.

I do things like that all the time.

> > The "all@nobody" field is meant to specify that the remote user is
> > nobody but that they are connecting as user joe.
>
> As John noted, we don't have any idea what the "remote username" is
> at the time we're scanning pg_hba.conf.

So how do you do ident then?

--
D'Arcy J.M. Cain <darcy@druid.net>         |  Democracy is three wolves
http://www.druid.net/darcy/                |  and a sheep voting on
+1 416 788 2246     (DoD#0082)    (eNTP)   |  what's for dinner.
IM: darcy@Vex.Net, VoIP: sip:darcy@druid.net
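The point Tom and John are making, as an added example that is not part of the thread and not PostgreSQL's own code: the server picks a pg_hba.conf record using only the connection type, database, requested role and client address, and only after an ident/peer record has been chosen does it look at pg_ident.conf to decide whether the remote system user may become that role. There is therefore no place in the USER column for something like "all@nobody". The model below uses the thread's addresses (192.168.100.75 as the aliased address the PHP clients connect through, 192.168.151.0/24 as the trusted network); the rule set, the role names, the map name "trusted" and the system user names are constructed for illustration, and the ident method is modelled as an already-known system user rather than a real RFC 1413 lookup.

```python
# Added example: a small model of pg_hba.conf record selection followed by
# pg_ident.conf mapping. Not code from the thread or from PostgreSQL.
import ipaddress

# Constructed pg_hba.conf. Field order is TYPE DATABASE USER ADDRESS METHOD [OPTIONS];
# "local" records carry no ADDRESS column. First matching record wins.
HBA_CONF = """
# TYPE  DATABASE  USER  ADDRESS             METHOD
local   all       all                       peer
host    all       all   192.168.100.75/32   md5
host    all       all   192.168.151.0/24    ident map=trusted
host    all       all   0.0.0.0/0           md5
"""

# Constructed pg_ident.conf: MAPNAME SYSTEM-USERNAME PG-USERNAME
# (exact names only; the real file also accepts regular expressions).
IDENT_CONF = """
# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
trusted    darcy            darcy
trusted    darcy            joe
"""


def _records(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_hba(text):
    """Parse pg_hba.conf records into dicts; ADDRESS is an ip_network or None."""
    rules = []
    for f in _records(text):
        if f[0] == "local":
            conn_type, database, user, address, method, opts = f[0], f[1], f[2], None, f[3], f[4:]
        else:
            conn_type, database, user, address, method, opts = f[0], f[1], f[2], f[3], f[4], f[5:]
        rules.append({
            "type": conn_type, "database": database, "user": user,
            "address": ipaddress.ip_network(address) if address else None,
            "method": method, "options": dict(o.split("=", 1) for o in opts),
        })
    return rules


def parse_ident(text):
    """Parse pg_ident.conf into {mapname: [(system_user, pg_role), ...]}."""
    ident = {}
    for mapname, sysuser, pguser in _records(text):
        ident.setdefault(mapname, []).append((sysuser, pguser))
    return ident


def _field_matches(field, value):
    """'all' matches anything; otherwise the field is a comma-separated name list."""
    return field == "all" or value in field.split(",")


def first_matching_rule(rules, conn_type, database, role, client_ip=None):
    """Select the first record for this connection. Note what is NOT an input:
    the client's operating-system user name, which the server does not know yet."""
    for r in rules:
        if r["type"] != conn_type:
            continue
        if not _field_matches(r["database"], database) or not _field_matches(r["user"], role):
            continue
        if r["address"] is not None and ipaddress.ip_address(client_ip) not in r["address"]:
            continue
        return r
    return None


def ident_allows(ident, mapname, system_user, role):
    """pg_ident.conf check, consulted only after an ident/peer record was selected."""
    return (system_user, role) in ident.get(mapname, [])


def authenticate(rules, ident, conn_type, database, role, client_ip=None,
                 system_user=None, password_ok=False):
    """Model the server's decision: pick the record, then apply its method.
    Returns (method, allowed); (None, False) means no record matched."""
    r = first_matching_rule(rules, conn_type, database, role, client_ip)
    if r is None:
        return (None, False)
    method = r["method"]
    if method in ("ident", "peer"):
        mapname = r["options"].get("map")
        if mapname is None:
            return (method, system_user == role)  # no map: OS name must equal the role
        return (method, ident_allows(ident, mapname, system_user, role))
    if method in ("md5", "password", "scram-sha-256"):
        return (method, password_ok)
    if method == "trust":
        return (method, True)
    return (method, False)  # "reject" and anything not modelled here


if __name__ == "__main__":
    rules, ident = parse_hba(HBA_CONF), parse_ident(IDENT_CONF)
    # PHP arriving through the alias address: a password is demanded whatever the OS user is.
    print(authenticate(rules, ident, "host", "webdb", "joe", "192.168.100.75", "nobody"))
    # Same role from the trusted network: the ident map decides, and "nobody" is not in it.
    print(authenticate(rules, ident, "host", "webdb", "joe", "192.168.151.75", "nobody"))
    print(authenticate(rules, ident, "host", "webdb", "joe", "192.168.151.75", "darcy"))
```

Running it shows the two-stage decision: the same requested role "joe" gets md5 from the aliased address and ident from the trusted network, and within the ident branch it is the map, not the pg_hba.conf USER column, that distinguishes a web-server process running as "nobody" from a shell user who is allowed to become "joe".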

