| 1 |
On Thu, April 25, 2013 01:48, Joseph wrote: |
| 2 |
> On 04/24/13 22:27, J. Roeleveld wrote: |
| 3 |
> [snip] |
| 4 |
>>> |
| 5 |
>>>Thank you for explanation. |
| 6 |
>>> |
| 7 |
>>>That is what I'm confused about. When I connect to "pstgresql" |
| 8 |
>>>database from the same machine as postgres is running on I can |
| 9 |
>>>understand. |
| 10 |
>>>It is a local connection from localhost (127.0.0.1) so everybody is |
| 11 |
>>>allowed but I don't understand why users on the local network can |
| 12 |
>>>connect to my machine and login |
| 13 |
>>>using apache when their IP is different. |
| 14 |
>>> |
| 15 |
>>>-- |
| 16 |
>>>Joseph |
| 17 |
>> |
| 18 |
>>Joseph. |
| 19 |
>> |
| 20 |
>>The connection to the database is done by apache. Apache connects from |
| 21 |
>> the server where Apache is running. |
| 22 |
>> |
| 23 |
>>Postgresql does not know nor even care where the connection to apache |
| 24 |
>> originates from. It only sees apache connecting to it. |
| 25 |
>> |
| 26 |
>>If you want to prevent people from accessing the website. You will need |
| 27 |
>> to configure the restriction in Apache or in a firewall. |
| 28 |
>> |
| 29 |
>>A webbrowser will NOT connect directly to the database. With a lot of |
| 30 |
>> larger applications this will not even be possible because the database |
| 31 |
>> is on a seperate server where the firewall is only allowing the webserver |
| 32 |
>> to access the database. |
| 33 |
>> |
| 34 |
>>Restricting access to a website by setting restrictions on the database |
| 35 |
>> server uswd by the website is pointless. |
| 36 |
>> |
| 37 |
>>-- |
| 38 |
>>Joost Roeleveld |
| 39 |
> |
| 40 |
> Thank you, now this is clear, so that pg_hba.conf has a limited use. |
| 41 |
|
| 42 |
It has use for connections made TO the database by whichever application |
| 43 |
needs the connection. Firefox is NOT such an application. |
| 44 |
|
| 45 |
> So simple statement in apache directory: Allow from localhost |
| 46 |
> will fix the issue. |
| 47 |
|
| 48 |
Please check the apache documentation, I believe you also need to add a |
| 49 |
deny-rule. |
| 50 |
|
| 51 |
> When it comes to database. How can I limit certain users from certain IP |
| 52 |
> to only one database. |
| 53 |
|
| 54 |
Will those users connect DIRECTLY to the database server? |
| 55 |
|
| 56 |
> I don't thing this is possible via apache! |
| 57 |
> |
| 58 |
> The line: "local all all trust" |
| 59 |
> will give access to everybody. |
| 60 |
> |
| 61 |
> How those line in pg_hba.conf should look if I want user from remote |
| 62 |
> computer to access only one database? |
| 63 |
> Is it: |
| 64 |
> local my_database all trust |
| 65 |
> local others_database all ident alex |
| 66 |
> |
| 67 |
> Does "ident" refers to user who is allow to login into database? |
| 68 |
|
| 69 |
Yes, provided the OS can identify the username. |
| 70 |
Apache will likely connect using "apache". |
| 71 |
|
| 72 |
> How to list users for a particular database? |
| 73 |
|
| 74 |
Try using passwords instead of allowing everyone full access to all |
| 75 |
databases. |
| 76 |
|
| 77 |
-- |
| 78 |
Joost |
Archives