Thread: PostgreSQL on Amazon EC2/EBS

PostgreSQL on Amazon EC2/EBS

From: Soviet
Hey!
I'm trying to install PostgreSQL 8.4 on my Amazon instance. I've found
this guide: http://tinyurl.com/y2tcmd8 . Can someone take a look at it
and check if I won't break anything following this article?

I'm especially concerned about this XFS file system. I've already
installed a bunch of stuff on this instance. Will adding XFS break
something?

Second question: I'm supposed to add my IP in pg_hba.conf file. But
what if I have dynamic IP? I certainly can't change it every time I
want to connect to my database. What if I put 0.0.0.0/0 there? Is it
very bad practice?

Thanks in advance for taking time to answer my noobish questions :).

Re: PostgreSQL on Amazon EC2/EBS

From: Michael Swierczek
On Fri, Jul 29, 2011 at 1:57 PM, Soviet <soviet1337@gmail.com> wrote:
> Hey!
> I'm trying to install PostgreSQL 8.4 on my Amazon instance. I've found
> this guide: http://tinyurl.com/y2tcmd8 . Can someone take a look at it
> and check if I won't break anything following this article?
>
> I'm especially concerned about this XFS file system. I've already
> installed a bunch of stuff on this instance. Will adding XFS break
> something?
>
> Second question: I'm supposed to add my IP in pg_hba.conf file. But
> what if I have dynamic IP? I certainly can't change it every time I
> want to connect to my database. What if I put 0.0.0.0/0 there? Is it
> very bad practice?

If you are logged in to the machine remotely, you will be using a
local connection, so you can leave the security settings at their
defaults.

If you are connecting to the database remotely, you need some way to
encrypt the connection so it cannot be read in transit by packet
sniffer software, because by default the data is transmitted in plain
text.

The PostgreSQL documentation on setting up SSL between the client and
server is here:
http://www.postgresql.org/docs/current/static/ssl-tcp.html

If you use SSL with client and server side certificates, I believe you
can allow connection attempts to the server from any remote IP. As
long as you keep your client certificate private key secret, no one
who lacks your client private key should be able to connect remotely.

With SSH you can create an encrypted tunnel between the machine
running the PostgreSQL client and the EC2 instance hosting the server,
and then send the database traffic through the tunnel. The preferred
way to use SSH is with shared private keys, which I believe
effectively gives you the same level of security as SSL with
certificates on both sides.  The SSH encrypted tunnel provides a
connection that looks like it is local to PostgreSQL, so in that case
you can leave PostgreSQL's own settings at the defaults.

However, I am not a security professional and I'm sure there are other
people on this list with superior knowledge.
Good luck.

-Mike Swierczek

>
> Thanks in advance for taking time to answer my noobish questions :).

Re: PostgreSQL on Amazon EC2/EBS

From: J
How was this resolved?

We are using a 3 tier approach with a load balancer, apache web server, and
postgresql database.

We would like to connect our Drupal site running on the apache webserver
with the Postgres database server.

We are unsure of the best and most secure way to configure hba.conf to accept
connections from the apache webserver when the IP addresses of the webserver
tend to change.

Since we are using Scalr.net there are some interesting ways to specify the
instances as seen here
http://wiki.scalr.net/Tutorials/Connecting_to_the_database

Does anyone have any suggestions?

Furthermore does anyone have any recommendations on the best way to connect
Drupal to Postgresql with an external server?  http://drupal.org/node/26836


Re: PostgreSQL on Amazon EC2/EBS

From: Alan Hodgson

On August 20, 2011, J <archjpres@yahoo.com> wrote:
> We are unsure of the best and most secure way to configure hba.conf to
> accept connections from the apache webserver when the IP addresses of
> the webserver tend to change.


You have to allow 10.0.0.0/8. Only your own instances will be able to talk to the port anyway, with appropriate EC2 security groups set up.
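
Added example, not part of any message in this thread: a small Python check over a constructed pg_hba.conf containing the kinds of rules discussed above (0.0.0.0/0 with password authentication, hostssl with client certificates, 10.0.0.0/8). The sample file, the finding names, and the choice to skip loopback rules are assumptions made for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf; the rules mirror the options raised in the thread.
SAMPLE_HBA = """\
# TYPE   DATABASE USER ADDRESS       METHOD
local    all      all                ident
host     all      all  127.0.0.1/32  md5
host     all      all  0.0.0.0/0     md5
hostssl  all      all  0.0.0.0/0     cert
host     all      all  10.0.0.0/8    md5
host     all      all  192.0.2.10 255.255.255.255 trust
"""

def parse_hba(text):
    """Yield (lineno, conn_type, network, method) for each TCP rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] == "local":
            continue  # comments, blanks, and Unix-socket rules carry no address
        conn_type, addr, rest = fields[0], fields[3], fields[4:]
        if "/" not in addr:  # "IP MASK" form: the netmask is its own field
            addr, rest = f"{addr}/{rest[0]}", rest[1:]
        yield lineno, conn_type, ipaddress.ip_network(addr, strict=False), rest[0]

def audit(text):
    """Return {lineno: [finding, ...]} for rules that deserve a second look."""
    findings = {}
    for lineno, conn_type, net, method in parse_hba(text):
        if net.network_address.is_loopback:
            continue  # assumption: loopback-only rules are out of scope
        issues = []
        if net.prefixlen == 0 and method != "cert":
            issues.append("any-address")       # any source IP may attempt to log in
        if conn_type != "hostssl":
            issues.append("tls-not-required")  # "host" also matches non-SSL sessions
        if method in ("trust", "password"):
            issues.append("weak-method")       # no password, or password sent in clear
        if issues:
            findings[lineno] = issues
    return findings

if __name__ == "__main__":
    for lineno, issues in sorted(audit(SAMPLE_HBA).items()):
        print(f"line {lineno}: {', '.join(issues)}")
```

The `hostssl ... cert` rule produces no finding even with 0.0.0.0/0, while the 10.0.0.0/8 rule is reported only for not requiring TLS; whether that matters depends on the security groups in front of the port.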