Re: I dont understand host connections - Mailing list pgsql-novice

From ghaverla@freenet.edmonton.ab.ca
Subject Re: I dont understand host connections
Msg-id Pine.A41.3.95.1021007132854.5026B-100000@freenet.edmonton.ab.ca
In response to I dont understand host connections  (Thad Humphries <thad@mindwrap.com>)
List pgsql-novice
On 7 Oct 2002, Thad Humphries wrote:

> I am trying a host connection but to no avail.  In postgresql.conf I
> have tcpip_socket = true and port = 5432.  In pq_hda.conf I have
>
> host     all      0.0.0.0     0.0.0.0      md5       optix.conf

> local      all                             md5      optix.conf
>
> in pg_hda.conf and restart PostgreSQL, I'm prompted for a password and
> can log in.

First off, you have a typo.  The file is pg_hba.conf (PostGresql_
HostBasedAccess.CONFiguration).  But I think you really are using
the right file.

(What follows is how I justify this stuff to myself, and may
not be literally correct.)

It is not unusual to have multiple entries in pg_hba.conf.  Like
a lot of other access configuration files (say /etc/hosts.allow),
postgres traverses the rules in order, looking for a match.  I
believe the default for falling off the end of the rules without
a match is to reject the connection.

Now, the "local" connection is used to indicate connections
to postgres over UNIX sockets, not over a TCP/IP connection.
It is basically the safest connection type, as the calling
user/process must be local.

Every machine with an IP stack is going to have 127.0.0.1
set up as a local TCP/IP connection.  If, in addition, you
are on a LAN, you may also have a local IP (or multiple
IPs) which correspond to the various interfaces on the
machine.  So, a local entry may in fact be composed of
something like:

local  all                                md5  password_file
host   all  127.0.0.1   255.255.255.255   md5  password_file
host   all  192.168.0.1 255.255.255.255   md5  password_file

So, local processes have an option of connecting by UNIX sockets,
connections to localhost and connections to the IP of one of
the NIC interfaces (here assumed to be 192.168.0.1).

After you have listed your local connections, you may want to
go on to specify non-local connections.  Such as accepting
connections from other machines on your LAN, or ignoring
requests from some troublesome machine that tries to connect
(and you aren't blocking by firewall).

You may want to put an explicit reject last.

host  all  0.0.0.0  0.0.0.0  reject

I hope the above is close to being literally correct and useful.

Gord
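
Added example, not part of Gord's message and not PostgreSQL code: a small Python model of the in-order, first-match traversal described above, using the `host DATABASE IP-ADDRESS IP-MASK METHOD` layout shown in the message. The function names, the database name `optix`, the blocked host 192.168.0.66 and the other sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the layout used in the message:
#   local DATABASE METHOD [ARG]
#   host  DATABASE IP-ADDRESS IP-MASK METHOD [ARG]
SAMPLE_HBA = """\
local  all                                  md5  password_file
host   all  127.0.0.1    255.255.255.255   md5  password_file
host   all  192.168.0.66 255.255.255.255   reject
host   all  192.168.0.0  255.255.255.0     md5  password_file
host   all  0.0.0.0      0.0.0.0           reject
"""

def parse_rules(text):
    """Turn pg_hba.conf-style lines into an ordered list of rule dicts."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        if fields[0] == "local":
            rules.append({"type": "local", "db": fields[1], "method": fields[2]})
        elif fields[0] == "host":
            rules.append({"type": "host", "db": fields[1],
                          "addr": int(ipaddress.IPv4Address(fields[2])),
                          "mask": int(ipaddress.IPv4Address(fields[3])),
                          "method": fields[4]})
        else:
            raise ValueError(f"unsupported record type: {fields[0]}")
    return rules

def decide(rules, database, client_ip=None):
    """Return the method of the first matching rule; client_ip=None is a UNIX socket."""
    ip = None if client_ip is None else int(ipaddress.IPv4Address(client_ip))
    for rule in rules:
        if rule["db"] not in ("all", database):
            continue
        if ip is None and rule["type"] == "local":
            return rule["method"]
        if ip is not None and rule["type"] == "host" \
                and (ip & rule["mask"]) == (rule["addr"] & rule["mask"]):
            return rule["method"]
    return "reject"   # fell off the end of the list: connection refused

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HBA)
    for who in (None, "127.0.0.1", "192.168.0.7", "192.168.0.66", "203.0.113.9"):
        print(who or "unix-socket", "->", decide(rules, "optix", who))
```

Moving the 192.168.0.66 reject line below the 192.168.0.0/255.255.255.0 line changes its result to md5, because the broader LAN rule then matches first.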

