Home > mailing lists

proper pg_hba config to require ssl from non-local/private ips - Mailing list pgsql-admin

From	Matthew Lenz
Subject	proper pg_hba config to require ssl from non-local/private ips
Date	October 19, 2022 15:49:49
Msg-id	CANpBAJtuxCRnqvixsMFK-D7G=T6T_ma-Xef62saLR8doCW+tRw@mail.gmail.com Whole thread Raw
Responses	Re: proper pg_hba config to require ssl from non-local/private ips (Laurenz Albe <laurenz.albe@cybertec.at>) Re: proper pg_hba config to require ssl from non-local/private ips (Jeff Janes <jeff.janes@gmail.com>)
List	pgsql-admin

Tree view

This is what I've got currently but it's still allowing non-ssl connections from remote (non-local/private) hosts. Any thoughts?

local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
host all all 10.0.0.0/8 md5
host all all 172.16.0.0/12 md5
hostssl all all all md5 clientcert=verify-ca

Also when I require SSL on the client it allows SSL connections without a CA signed cert which I thought clientcert=verify-ca in this pg_hba should require.

pgsql-admin by date:

From: edi mari
Date: 19 October 2022, 15:25:38
Subject: Database schema changes tools

From: Erik Wienhold
Date: 19 October 2022, 16:41:42
Subject: Re: Database schema changes tools

proper pg_hba config to require ssl from non-local/private ips - Mailing list pgsql-admin

Previous

Next