Bruno Wolff III <bruno@wolff.to> writes:
> The host entry is the one that applies. But the host entry will allow either
> ssl or nonssl, so it doesn't do what you want without cooperation from the
> connecting client. You can use hostnossl to match without allowing ssl.
> You will also want to use a hostssl line with 'reject' authentication
> to keep the later rule from matching. I am not sure if all of the normal
> clients will fall back after trying ssl to not using ssl. That should be
> pretty easy to test though.
Perhaps easier would be to set "PGSSLMODE=allow" (or even "disable") in
the client environment. This will work for libpq-based clients; there
may be something equivalent if you are using other software.
The important point here is that it's the client's choice whether to try
an SSL connection first or not, and libpq defaults to trying SSL first.
So unless you set up pg_hba.conf to actively reject SSL-based
connections, that's what you're going to get.
Also: why aren't you just using a Unix socket? We never do SSL over
Unix sockets.
regards, tom lane
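A pg_hba.conf fragment showing the rule ordering Bruno describes (a hostssl line with reject placed ahead of the hostnossl line, plus a local line for the Unix-socket case Tom mentions). This is an added example, not a configuration from the thread; the 192.0.2.0/24 range and the md5 method are placeholders to be replaced with the site's own values.

```conf
# pg_hba.conf (added example, not from the thread).
# Lines are matched top to bottom and the first line whose type, database,
# user and address all match decides the outcome, so the reject line must
# come before the line that permits the connection.
#
# TYPE      DATABASE  USER  ADDRESS        METHOD

# Refuse any client that negotiated SSL from this (placeholder) range ...
hostssl     all       all   192.0.2.0/24   reject

# ... and accept only non-SSL TCP connections from it (md5 is a placeholder;
# use whatever password method the site already relies on).
hostnossl   all       all   192.0.2.0/24   md5

# Unix-socket connections never involve SSL at all.
local       all       all                  peer
```

With this file in place a libpq client that still tries SSL first hits the reject line on its first attempt; whether it then retries without SSL is the client-side fallback behaviour the thread suggests testing. Setting PGSSLMODE=disable (or allow) in the client environment, as Tom suggests, avoids the first attempt entirely, and a client that connects over the Unix socket matches only the local line.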