Re: Peter Eisentraut 2016-07-17 <d6b22200-0e65-d17e-b227-b63d81720fd0@2ndquadrant.com>
> On 7/15/16 3:07 PM, Andrew Dunstan wrote:
> > Do those packagers who install dummy certificates and turn SSL on also
> > change their pg_hba.conf.sample files to use hostssl?. That could go a
> > long way towards encouraging people.
>
> Debian, which I guess sort of started this, does not, but there are
> allusions to it in the TODO list.
I guess we should actually do that if we had any non-local(host)
entries in there by default, but we don't touch the default
pg_hba.conf from pg_createcluster.
Possibly we could add some hostssl example in comments to the end of
the .sample file so people could grow the habit of using that instead
of host (I certainly aren't doing myself that yet), but I'd rather see
that changed upstream.
So, how about something like this for the end of pg_hba.conf.sample?
# Examples for allowing access from given networks:
#hostssl all all 192.0.2.0/24 @authmethod@
#hostssl all all 2001:DB8::/32 @authmethod@
(These are "documentation" networks from RF5737/RFC3849.)
Christoph
