On Thu, April 25, 2013 01:48, Joseph wrote:
> On 04/24/13 22:27, J. Roeleveld wrote:
> [snip]
>>>
>>>Thank you for the explanation.
>>>
>>>That is what I'm confused about. When I connect to "pstgresql"
>>>database from the same machine as postgres is running on I can
>>>understand.
>>>It is a local connection from localhost (127.0.0.1) so everybody is
>>>allowed but I don't understand why users on the local network can
>>>connect to my machine and login
>>>using apache when their IP is different.
>>>
>>>--
>>>Joseph
>>
>>Joseph.
>>
>>The connection to the database is done by apache. Apache connects from
>> the server where Apache is running.
>>
>>Postgresql does not know nor even care where the connection to apache
>> originates from. It only sees apache connecting to it.
>>
>>If you want to prevent people from accessing the website, you will need
>> to configure the restriction in Apache or in a firewall.
>>
>>A webbrowser will NOT connect directly to the database. With a lot of
>> larger applications this will not even be possible because the database
>> is on a separate server where the firewall is only allowing the webserver
>> to access the database.
>>
>>Restricting access to a website by setting restrictions on the database
>> server used by the website is pointless.
>>
>>--
>>Joost Roeleveld
>
> Thank you, now this is clear, so that pg_hba.conf has a limited use.

It has use for connections made TO the database by whichever application
needs the connection. Firefox is NOT such an application.

> So a simple statement in the apache directory: Allow from localhost
> will fix the issue.

Please check the apache documentation, I believe you also need to add a
deny-rule.

> When it comes to the database: how can I limit certain users from certain
> IPs to only one database?

Will those users connect DIRECTLY to the database server?

> I don't think this is possible via apache!
>
> The line: "local all all trust"
> will give access to everybody.
>
> How should those lines in pg_hba.conf look if I want a user from a remote
> computer to access only one database?
> Is it:
> local my_database all trust
> local others_database all ident alex
>
> Does "ident" refer to the user who is allowed to log in to the database?

Yes, provided the OS can identify the username.
Apache will likely connect using "apache".

> How to list users for a particular database?

Try using passwords instead of allowing everyone full access to all
databases.

--
Joost
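
Added example, not part of the original message: a small Python model of how PostgreSQL selects a pg_hba.conf record (the first record matching connection type, database, user and client address is used, with no fall-through), limited to `local` and `host` records. The sample file and its database names, roles and addresses are constructed for illustration.

```python
import ipaddress

# Constructed pg_hba.conf; database names, roles and addresses are assumptions.
# scram-sha-256 needs PostgreSQL 10 or later; older servers would use md5.
SAMPLE_HBA = """\
# TYPE  DATABASE     USER      ADDRESS           METHOD
local   all          postgres                    peer
host    webapp_db    apache    127.0.0.1/32      scram-sha-256
host    my_database  alex      192.168.1.50/32   scram-sha-256
host    all          all       0.0.0.0/0         reject
"""

def parse_hba(text):
    """Parse 'local' and 'host' records; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":      # Unix-socket connections: no address column
            _, db, user, method = fields[:4]
            net = None
        elif fields[0] == "host":     # TCP/IP connections: CIDR address column
            _, db, user, cidr, method = fields[:5]
            net = ipaddress.ip_network(cidr)
        else:
            raise ValueError(f"record type not handled in this example: {fields[0]}")
        rules.append({"type": fields[0], "db": db.split(","),
                      "user": user.split(","), "net": net, "method": method})
    return rules

def auth_method(rules, db, user, client_ip=None):
    """Return the method of the first matching record, or None if no record
    matches (the server then refuses the connection).
    client_ip=None means a Unix-socket connection."""
    for r in rules:
        if (client_ip is None) != (r["type"] == "local"):
            continue
        if "all" not in r["db"] and db not in r["db"]:
            continue
        if "all" not in r["user"] and user not in r["user"]:
            continue
        if r["net"] is not None and ipaddress.ip_address(client_ip) not in r["net"]:
            continue
        return r["method"]
    return None

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    # Whatever the browser's address, PostgreSQL only sees Apache's own connection.
    print(auth_method(rules, "webapp_db", "apache", "127.0.0.1"))
    print(auth_method(rules, "others_database", "alex", "192.168.1.50"))
    # The thread's "local all all trust" never matches a TCP client.
    print(auth_method(parse_hba("local all all trust"), "my_database", "alex", "192.168.1.50"))
```
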