On Thu, Dec 12, 2019 at 10:47:52AM +0100, Peter Eisentraut wrote:
> On 2019-12-12 07:24, David Fetter wrote:
> > > That problem exists even before you get to the question of whether
> > > this specific option is useful or well-designed ... a question I'm
> > > not opining about here, but it would certainly require thought.
> > I think it was a reasonable extension. We cover lines that start with
> > local and host, but they can also start with hostssl and hostnossl.
>
> I suspect the real purpose here is to easily reject non-SSL connections
> altogether. This is currently quite cumbersome and requires careful ongoing
> maintenance of pg_hba.conf.
Yes, and kinda. It's certainly possible to put lines high up in pg_hba.conf that read:

hostnossl all all 0.0.0.0/0 reject
hostnossl all all ::/0 reject

and then the only ongoing maintenance is not to put lines above them that contradict it.

> But I see two problems with the proposed approach: (1) initdb
> doesn't support setting up SSL, so the only thing you can achieve
> here is to reject all TCP/IP connections, until you have set up SSL.

I don't believe any special setup is needed to require TLS for the connection, which is what this patch handles in a straightforward way. Setting up cert-based auth is the hassle you describe.

> (2) The default pg_hba.conf only covers localhost connections.

As of this patch, it can be asked to cover all connections.

Best,
David.

--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate
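The "ongoing maintenance" David mentions is the first-match rule: a `host` or `hostnossl` accept line placed above the two blanket `hostnossl ... reject` lines still admits plaintext TCP clients. The checker below is an added example (not part of this thread or of PostgreSQL) that parses a pg_hba.conf and reports such lines; it assumes the CIDR address form only (the IP plus separate netmask form is not handled) and treats `host`, `hostnossl` and `hostnogssenc` as the types that can match a non-SSL TCP client.

```python
from dataclasses import dataclass
CONN_TYPES = {"local", "host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}
PLAINTEXT_CAPABLE = {"host", "hostnossl", "hostnogssenc"}  # can match a non-SSL TCP client
BLANKET_ADDRS = {"0.0.0.0/0", "::/0"}

@dataclass
class HbaRule:
    lineno: int
    conn_type: str
    database: str
    user: str
    address: str  # "" for local (Unix-socket) rules
    method: str

def parse_hba(text: str) -> list[HbaRule]:
    """Parse pg_hba.conf lines in CIDR form (IP + separate netmask is not handled)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comments; skip blank lines
        if not fields:
            continue
        if fields[0] not in CONN_TYPES:
            raise ValueError(f"line {lineno}: unknown connection type {fields[0]!r}")
        if fields[0] == "local":  # TYPE DATABASE USER METHOD [OPTIONS]
            db, user, addr, method = fields[1], fields[2], "", fields[3]
        else:                     # TYPE DATABASE USER ADDRESS METHOD [OPTIONS]
            db, user, addr, method = fields[1], fields[2], fields[3], fields[4]
        rules.append(HbaRule(lineno, fields[0], db, user, addr, method))
    return rules

def check_nossl_reject(text: str) -> dict:
    """First match wins: flag plaintext-capable accept rules above the blanket reject pair."""
    seen, leaks = set(), []
    for r in parse_hba(text):
        if seen == BLANKET_ADDRS:
            break  # every later rule is unreachable for non-SSL TCP clients
        if (r.conn_type == "hostnossl" and r.method == "reject"
                and r.database == r.user == "all" and r.address in BLANKET_ADDRS):
            seen.add(r.address)
        elif r.conn_type in PLAINTEXT_CAPABLE and r.method != "reject":
            leaks.append(r.lineno)  # a non-SSL client could be admitted here
    return {"leaks": leaks, "blanket_complete": seen == BLANKET_ADDRS}
# Constructed sample: line 2 admits plaintext loopback clients before the rejects.
SAMPLE = """\
local     all all                 peer
host      all all 127.0.0.1/32    md5
hostnossl all all 0.0.0.0/0       reject
hostnossl all all ::/0            reject
host      all all 10.0.0.0/8      scram-sha-256   # now reachable only over SSL
"""
```

Running `check_nossl_reject(SAMPLE)` reports line 2 as a leak and confirms both blanket lines are present; a file missing either `0.0.0.0/0` or `::/0` is reported with `blanket_complete` false.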