Thread: Distinguishing between connections in pg_hba.conf
Hi,

I have a web application (PHP) which runs on its own box, and connects to a database on a second box. The database box is behind the firewall and only accepts connections from the web server.

I have set up stunnel on the web server and I would like to allow some limited external direct access to the db server, but I would like connections from stunnel to only access a specific database. The problem is that both the web server and the stunnel connections will come from the same box, and hence the same IP address. Is there any way I can distinguish between these two connection methods in pg_hba.conf? (I can't do it on username either.)

Thanks for any advice

Adam

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
On Mon, 2005-05-16 at 07:35, Adam Witney wrote:
> Hi,
>
> I have a web application (PHP) which runs on its own box, and connects to a
> database on a second box. The database box is behind the firewall and only
> accepts connections from the web server.
>
> I have set up stunnel on the web server and I would like to allow some
> limited external direct access to the db server, but I would like
> connections from stunnel to only access a specific database. The problem is
> that both the web server and the stunnel connections will come from the same
> box, and hence the same IP address, is there anyway I can distinguish
> between these two connection methods in pg_hba.conf? (I can't do it on
> username either)

Add an alias to each machine's ethernet card, along with a name. So, if you've got 10.1.1.1 as the IP on the web server and 10.2.1.1 on the db server, add 10.1.1.2 and 10.2.1.2 on each respectively, and give them some similar name, like web02 and db02 if their names are web01 and db01. Set up routes to use the other IP addresses with those names and you should be able to do it.

I haven't fleshed it out step by step, but you get the basic idea, right?
On 16/5/05 8:17 pm, "Scott Marlowe" <smarlowe@g2switchworks.com> wrote:
> On Mon, 2005-05-16 at 07:35, Adam Witney wrote:
>> Hi,
>>
>> I have a web application (PHP) which runs on its own box, and connects to a
>> database on a second box. The database box is behind the firewall and only
>> accepts connections from the web server.
>>
>> I have set up stunnel on the web server and I would like to allow some
>> limited external direct access to the db server, but I would like
>> connections from stunnel to only access a specific database. The problem is
>> that both the web server and the stunnel connections will come from the same
>> box, and hence the same IP address, is there anyway I can distinguish
>> between these two connection methods in pg_hba.conf? (I can't do it on
>> username either)
>
> Add an alias to each machine's ethernet card, along with a name. So, if
> you've got 10.1.1.1 as the IP on the web server and 10.2.1.1 on the db
> server, add 10.1.1.2 and 10.2.1.2 on each respectively, and give them
> some similar name, like web02 and db02 if their names are web01 and
> db01. Set up routes to use the other IP addresses with those names and
> you should be able to do it.
>
> I haven't fleshed it out step by step, but you get the basic idea,
> right?

Hi,

Thanks for your reply.

So I see how you add an extra IP address to the web server box, but how do you assign it so that requests from apache appear on the db box as one IP address, and requests coming through stunnel appear as the second IP address?

Thanks again

Adam
On Mon, 2005-05-16 at 15:05, Adam Witney wrote:
> On 16/5/05 8:17 pm, "Scott Marlowe" <smarlowe@g2switchworks.com> wrote:
>
> > On Mon, 2005-05-16 at 07:35, Adam Witney wrote:
> >> Hi,
> >>
> >> I have a web application (PHP) which runs on its own box, and connects to a
> >> database on a second box. The database box is behind the firewall and only
> >> accepts connections from the web server.
> >>
> >> I have set up stunnel on the web server and I would like to allow some
> >> limited external direct access to the db server, but I would like
> >> connections from stunnel to only access a specific database. The problem is
> >> that both the web server and the stunnel connections will come from the same
> >> box, and hence the same IP address, is there anyway I can distinguish
> >> between these two connection methods in pg_hba.conf? (I can't do it on
> >> username either)
> >
> > Add an alias to each machine's ethernet card, along with a name. So, if
> > you've got 10.1.1.1 as the IP on the web server and 10.2.1.1 on the db
> > server, add 10.1.1.2 and 10.2.1.2 on each respectively, and give them
> > some similar name, like web02 and db02 if their names are web01 and
> > db01. Set up routes to use the other IP addresses with those names and
> > you should be able to do it.
> >
> > I haven't fleshed it out step by step, but you get the basic idea,
> > right?
>
> Hi,
>
> Thanks for your reply.
>
> So I see how you add an extra IP address to the web server box, but how do
> you assign it so that requests from apache appear on the db box as one IP
> address, and requests coming through stunnel appear as the second IP
> address?

That's kinda OS dependent. On RedHat you should have some kind of netconfig command or something that will make a setting in the /etc/sysconfig/network-scripts/ifcfg-xxx files to set routes. In Fedora Core 2 the command that brings up the gui config tool is system-config-network.
On Mon, May 16, 2005 at 03:31:27PM -0500, Scott Marlowe <smarlowe@g2switchworks.com> wrote a message of 48 lines which said:

> > but how do you assign it so that requests from apache appear on
> > the db box as one IP address, and requests coming through stunnel
> > appear as the second IP address?
>
> That's kinda OS dependent. On RedHat you should have some kind of
> netconfig command

I do not think it was the question.

For stunnel, the solution is probably:

    -I host
    IP of the outgoing interface is used as source for remote connections.
    Use this option to bind a static local IP address, instead.
On Tue, 2005-05-17 at 05:08, Stephane Bortzmeyer wrote:
> On Mon, May 16, 2005 at 03:31:27PM -0500,
> Scott Marlowe <smarlowe@g2switchworks.com> wrote
> a message of 48 lines which said:
>
> > > but how do you assign it so that requests from apache appear on
> > > the db box as one IP address, and requests coming through stunnel
> > > appear as the second IP address?
> >
> > That's kinda OS dependent. On RedHat you should have some kind of
> > netconfig command
>
> I do not think it was the question.
>
> For stunnel, the solution is probably :
>
> -I host
> IP of the outgoing interface is used as source for remote connections.
> Use this option to bind a static local IP address, instead.

Sorry, I'm not that familiar with stunnel, so I didn't really get it that that's what the OP was asking...
On 17/5/05 2:59 pm, "Scott Marlowe" <smarlowe@g2switchworks.com> wrote:
> On Tue, 2005-05-17 at 05:08, Stephane Bortzmeyer wrote:
>> On Mon, May 16, 2005 at 03:31:27PM -0500,
>> Scott Marlowe <smarlowe@g2switchworks.com> wrote
>> a message of 48 lines which said:
>>
>>>> but how do you assign it so that requests from apache appear on
>>>> the db box as one IP address, and requests coming through stunnel
>>>> appear as the second IP address?
>>>
>>> That's kinda OS dependent. On RedHat you should have some kind of
>>> netconfig command
>>
>> I do not think it was the question.
>>
>> For stunnel, the solution is probably :
>>
>> -I host
>> IP of the outgoing interface is used as source for remote
>> connections.
>> Use this option to bind a static local IP address, instead.
>
> Sorry, I'm not that familiar with stunnel, so I didn't really get it
> that that's what the OP was asking...

Hi,

Yep, I missed the -I switch in the stunnel docs. And using Scott's idea of a network interface alias, apache connects with one IP and stunnel connects with another!

Thanks again for your help

Adam
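The thread ends without showing the resulting pg_hba.conf, or a way to check that it does what the poster wanted. What follows is an added example, not code from the thread or from PostgreSQL or stunnel: a small first-match simulator for pg_hba.conf lines, run against a constructed pg_hba.conf for the setup discussed above. The addresses follow Scott's example (web server 10.1.1.1, alias 10.1.1.2 that stunnel is told to bind with `-I 10.1.1.2`); the database names `webapp` and `extdb` and the user names are assumptions. Only the CIDR address form of pg_hba.conf is handled, not the older separate IP-ADDRESS/IP-MASK column form, and the `sameuser`, `+group` and `hostssl`/`hostnossl` variants are left out.

```python
"""Simulate PostgreSQL pg_hba.conf first-match evaluation.

Added example (not from the mailing-list thread). Assumed layout:
  10.1.1.1  web server primary address, used by Apache/PHP
  10.1.1.2  alias on the web server, bound by stunnel via `-I 10.1.1.2`
  webapp    database the PHP application uses       (assumed name)
  extdb     database exposed to external stunnel users (assumed name)
Simplified: CIDR addresses only; no sameuser/+group/hostssl handling.
"""
import ipaddress

# Constructed sample pg_hba.conf for the database box.
PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  md5
# Apache/PHP connects from the primary address: web app database only.
host    webapp    all   10.1.1.1/32    md5
# stunnel is bound to the alias address: externally exposed database only.
host    extdb     all   10.1.1.2/32    md5
# Anything else from the web box's subnet is refused explicitly.
host    all       all   10.1.1.0/24    reject
"""


def parse_pg_hba(text):
    """Turn pg_hba.conf text into a list of rule dicts, comments stripped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            ctype, db, user, method = fields[:4]
            addr = None  # Unix-socket lines carry no address column
        else:
            ctype, db, user, addr, method = fields[:5]
            addr = ipaddress.ip_network(addr, strict=False)
        rules.append({
            "type": ctype,
            "db": db.split(","),        # comma lists are allowed in the file
            "user": user.split(","),
            "addr": addr,
            "method": method,
        })
    return rules


def _field_matches(values, wanted):
    return "all" in values or wanted in values


def first_match(rules, database, user, source_ip=None):
    """Return (method, rule) for the first matching line, or (None, None).

    PostgreSQL stops at the first line whose type, database, user and
    address all match and uses that line's method; a later, more
    permissive line is never consulted. source_ip=None means a local
    Unix-socket connection.
    """
    src = ipaddress.ip_address(source_ip) if source_ip else None
    for rule in rules:
        if rule["type"] == "local":
            if src is not None:
                continue
        elif src is None or src not in rule["addr"]:
            continue
        if not _field_matches(rule["db"], database):
            continue
        if not _field_matches(rule["user"], user):
            continue
        return rule["method"], rule
    return None, None  # no line matched: the server rejects the connection


def allowed(database, user, source_ip, hba_text=PG_HBA):
    """True if the connection would get past pg_hba.conf (auth not simulated)."""
    method, _ = first_match(parse_pg_hba(hba_text), database, user, source_ip)
    return method not in (None, "reject")


if __name__ == "__main__":
    checks = [("webapp", "phpuser", "10.1.1.1"),   # Apache -> webapp: ok
              ("extdb", "phpuser", "10.1.1.1"),    # Apache -> extdb: rejected
              ("extdb", "alice", "10.1.1.2"),      # stunnel -> extdb: ok
              ("webapp", "alice", "10.1.1.2")]     # stunnel -> webapp: rejected
    for db, user, ip in checks:
        print(f"{ip:>10} {user:>8} -> {db:<7} allowed={allowed(db, user, ip)}")
```

Two caveats worth keeping in mind with this scheme. First, order matters: if the `reject` line for 10.1.1.0/24 were placed above the two `md5` lines it would match first and nothing from the web box could connect at all, so check the file with the simulator (or with `psql` from each address) after every edit. Second, the database server is only distinguishing source addresses; any process on the web box that can bind 10.1.1.2 looks identical to stunnel, so the separation is only as strong as local control of the web server. In stunnel's configuration file the equivalent of the `-I` switch from the thread is the `local` option.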