Josh Berkus wrote:
>Andrew, Tom:
>
>This will be a really nice feature for those of us with PG servers that
>participate in VPNs. Currently I'm blocking certain interfaces using
>pg_hba.conf but would prefer a "listen" address instead.
>
>
You can configure listening addresses now using the virtual_host GUC
setting. The documentation was execrable, but Tom has fixed that.
>Of course, the drawback to this is that confused DBAs will have their
>pg_hba.conf conflict with their postgresql.conf, and cut off all access to
>the DB. But I don't know how we can protect against that.
>
>
That surely can't be more than are seen now on IRC who can't contact
their DBs because they forgot to turn on tcpip. Plus this does not
intefere at all with Unix sockets, so they should still be able to use
the local psql (except on Windows, where you have to use tcpip sockets).
I am betting that 95%+ of users will either use the default (no remote
connections) or "*" (bind to all interfaces).
>Might I suggest that this default to "127.0.0.1" in postgresql.conf.sample?
>This is a reasonably safe default, and would allow us to use the same default
>for Windows as for other OSes. It would also eliminate about 15% of the
>questions I get on a weekly basis from PHP users. ("uncomment the line
>tcpip_sockets ...").
>
>
>
The intention is to make "localhost" the default. That should translate
to 127.0.0.1 and ::1 (if they have ipv6 on). Of course, if they have a
broken resolver things might get sticky, but that is true now anyway.
>If I had time, I would also love to see setting the password for the postgres
>user become part of the initdb script. However, I can see that this wouldn't
>work with packages.
>
>
>
Orthogonal problem.
cheers
andrew