On Thu, Dec 12, 2019 at 10:47:52AM +0100, Peter Eisentraut wrote:
> On 2019-12-12 07:24, David Fetter wrote:
> > > That problem exists even before you get to the question of whether
> > > this specific option is useful or well-designed ... a question I'm
> > > not opining about here, but it would certainly require thought.
> > I think it was a reasonable extension. We cover lines that start with
> > local and host, but they can also start with hostssl and hostnossl.
>
> I suspect the real purpose here is to easily reject non-SSL connections
> altogether. This is currently quite cumbersome and requires careful ongoing
> maintenance of pg_hba.conf.
Yes, and kinda. It's certainly possible to put lines high up in
pg_hba.conf that read:
hostnossl all all 0.0.0.0/0 reject
hostnossl all all ::/0 reject
and then the only ongoing maintenance is not to put lines above them
that contradict it.
> But I see two problems with the proposed approach: (1) initdb
> doesn't support setting up SSL, so the only thing you can achieve
> here is to reject all TCP/IP connections, until you have set up SSL.
I don't believe any special setup is needed to require TLS for the
connection, which is what this patch handles in a straightforward way.
Setting up cert-based auth is the hassle you describe.
> (2) The default pg_hba.conf only covers localhost connections.
As of this patch, it can be asked to cover all connections.
Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778
Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
