This is what I've got currently but it's still allowing non-ssl connections from remote (non-local/private) hosts. Any thoughts?
Did you reload the server configurations after changing the file? What is the address of that non-local host, as seen by the server? (you can check the first with `select * from pg_hba_file_rules`,
unfortunately that's not true, at least up to Pg v14 (I don't know if they've changed this IMHO "unexpected" behaviour in the meantime). The pg_hba_file_rules seems to be just an SQL frontend to the hba-file's content and does not(!) reflect the currently active configuration. So you can see your changes before the are activated, e.g. by calling pg_reload_conf().
Yes, thanks for the correction. I'd mistaken using it for checking that the file you changed was the correct one for use by the connected server (people often edit the wrong pg_hba.conf file), for checking that it had actually been put into use via a reload, which as you note it doesn't do.
