Here is an example of some pg_hba.conf settings with comments which people might find useful. The database in this case is on a separate server. The application server (with tomcat and all) is on a machine called appserver on 192.168.1.102. Other machines we want to allow to connect from the office are on the 192.168.2.0 subnet.
# do peer identification on unix domain (local) sockets
local all postgres peer
local all all peer

# you need the following if you have dhis running on same machine as database server
# because it's java it can't use the unix domain sockets above, so we allow direct non-ssl
# connection through tcp socket with password
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5

# special treatment for our appserver - it is in the same cabinet as the db server connected via local backplane so we allow
# non-ssl connection from this machine only which is something of a speed vs security tradeoff
host all all 192.168.1.102/32 md5

# allow MOH lan to connect but must use ssl
hostssl all all 192.168.2.0/24 md5

# Only if you must - allow world to connect but definitely must use ssl
# I don't really like this, but frequently people want it because they want to connect through various routes
# At the very least we insist on ssl
# hostssl all all 0.0.0.0/0 md5

# This would be better, using ssl client cert, effectively equivalent to Jason's openvpn
# It has the same headache of managing the distribution of client certs
# hostssl all all 0.0.0.0/0 cert

That's it. At least it reflects my understanding of postgres access settings. Happy to accept improvements and/or clarifications.

Bob

On 4 March 2014 18:40, Jason Pickering <jason.p.picker...@gmail.com> wrote:

> We have used OpenVPN/IPSec to allow direct access to the database for
> those users who need it. Therefore users do not need shell access and
> strong certificates can be used. This was viewed as a lower security risk
> than having PHP on the server or by opening up the database itself
> directly. Might also be a route to consider.
>
> Regards,
> Jason
>
> --Sent from my mobile
> On Mar 4, 2014 8:02 PM, "Bob Jolliffe" <bobjolli...@gmail.com> wrote:
>
>> yes people talk highly of phpPgAdmin. It has some small benefit over
>> pgadminIII that you don't have to explicitly open up your pg_hba.conf
>> settings to the full range of user/hosts which might connect.
>>
>> I guess it would be a simple enough app to embed phpPgAdmin into some
>> sort of iframe for integration with dhis ...
>>
>>
>> On 4 March 2014 16:16, Jason Pickering <jason.p.picker...@gmail.com> wrote:
>>
>>> Hi Greg,
>>> You may want to check out phpPgAdmin.
>>>
>>> PgAdminIII could also of course be used by directly connecting to the
>>> database with an ODBC connection.
>>>
>>> Regards,
>>> Jason
>>>
>>> --Sent from my mobile
>>> On Mar 4, 2014 12:26 PM, "Greg Rowles" <greg.row...@gmail.com> wrote:
>>>
>>>> Hi Devs
>>>>
>>>> Is anyone aware of a web-based query gui-toolset? We have an 'IE'
>>>> designed tool here:
>>>>
>>>> http://hispsa.org/staging_timesheets/tablerels/viewtables.asp
>>>>
>>>> It only works on IE (sometimes) but at least allows users to see table
>>>> designs and edit SQL syntax. We're looking at something that we can plug-in
>>>> on top of DHIS2 for our advanced users...
>>>>
>>>> Any responses will be appreciated...
>>>>
>>>> Thanks,
>>>> Greg
>>>> --
>>>>
>>>> Business Intelligence Planner
>>>> Health Information Systems Programme
>>>> Mobile : 073 246 2992
>>>> Landline: 021 554 3130
>>>> Fax: 086 733 8432
>>>> Skype: gregory_rowles
_______________________________________________
Mailing list: https://launchpad.net/~dhis2-devs
Post to     : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help   : https://help.launchpad.net/ListHelp
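How PostgreSQL would evaluate the active records in the pg_hba.conf above, as an added example that is not part of the original thread: records are tried top to bottom and the first match decides, `host` matches TCP connections with or without SSL, and `hostssl` matches only SSL ones. The user name `dhis`, database name `dhis2` and the client addresses are constructed for illustration, and database/user keywords other than `all` are not modelled.

```python
import ipaddress

# Active (uncommented) records from the pg_hba.conf in the message above.
PG_HBA = """\
local   all  postgres                    peer
local   all  all                         peer
host    all  all       127.0.0.1/32      md5
host    all  all       ::1/128           md5
host    all  all       192.168.1.102/32  md5
hostssl all  all       192.168.2.0/24    md5
"""

def parse(text):
    """Return records as dicts, skipping blank lines and comments."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":          # unix socket records have no address
            kind, db, user, method = fields[:4]
            net = None
        else:
            kind, db, user, cidr, method = fields[:5]
            net = ipaddress.ip_network(cidr)
        records.append({"type": kind, "db": db, "user": user,
                        "net": net, "method": method})
    return records

def match(records, user, addr=None, ssl=False, db="dhis2"):
    """Return the first record matching the connection, or None (rejected)."""
    ip = ipaddress.ip_address(addr) if addr else None
    for r in records:
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        if (ip is None) != (r["type"] == "local"):
            continue                      # socket kind must agree with record
        if ip is not None:
            if ip not in r["net"]:
                continue
            if (r["type"] == "hostssl" and not ssl) or \
               (r["type"] == "hostnossl" and ssl):
                continue
        return r
    return None

RECORDS = parse(PG_HBA)

if __name__ == "__main__":
    for addr, ssl in [("192.168.1.102", False), ("192.168.2.50", False),
                      ("192.168.2.50", True), ("203.0.113.9", True)]:
        print(addr, "ssl" if ssl else "plain", "->", match(RECORDS, "dhis", addr, ssl))
```

A plaintext TCP connection from the 192.168.2.0/24 LAN matches no record and is rejected, while the appserver address is accepted either way because its record is `host`, not `hostnossl`.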