On 4/24/2013 19:23, Joseph wrote:
> The above is not correct as users from any machine on a local network
> can connect to my database.
>
In the scenario you described, as Joost explained, the users on your
network are *not* connecting to your database; they are connecting to a
website. The web server is connecting to the database on their behalf.
PostgreSQL's host-based authentication controls only who accesses the
database directly, not who accesses the applications that use it.
|
> If I put a line in pg_hba.conf
> host all 127.0.0.1 255.255.255.255 trust
>
This line is not valid. pg_hba.conf entries take the form
|
    type database user [address] method [options]
|
"type" can be 'local' (connections over a Unix socket), 'host'
(connections over TCP, maybe using SSL), 'hostssl' (connections over TCP
using SSL), 'hostnossl' (connections over TCP not using SSL).
|
To achieve what I think you are looking for, just remove all lines from
pg_hba.conf except this one::
|
    local all all trust
|
This will prevent anyone from connecting to your databases using TCP at
all. If you really need TCP from the localhost instead of Unix sockets,
you can also add this line::
|
    host all all 127.0.0.1/32 trust
|
> postgresql will not even start, I get an error message:
> FATAL: could not load pg_hba.conf
> LOG: invalid IP mask "trust": Name or service not known
>
>
|
I would strongly advise you read all of the PostgreSQL documentation
before you expose a database to the world. Specifically, please read the
official page about pg_hba.conf[1].
|
[1] http://www.postgresql.org/docs/9.2/interactive/auth-pg-hba-conf.html
|
Regards,
|
-- 
♫Dustin
http://dustin.hatch.name/
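
The record layout described in the message above, as an added example that is not part of the original message and not PostgreSQL's own parser: a simplified Python checker that walks the fields positionally, which shows why the quoted line (missing its user field) ends with `trust` being read as a netmask, and reports whether a TCP entry is limited to loopback. The function name `check_entry` and its messages are assumptions of this sketch; quoted fields are not handled and host names are not resolved.

```python
import ipaddress

TCP_TYPES = {"host", "hostssl", "hostnossl"}

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def check_entry(line):
    """Check one pg_hba.conf record; returns (ok, message). Simplified model."""
    f = line.split("#", 1)[0].split()   # no support for quoted fields
    if not f:
        return True, "blank or comment"
    if f[0] == "local":                 # type database user method [options]
        if len(f) < 4:
            return False, "expected: local database user method"
        return True, "unix socket only, method=" + f[3]
    if f[0] not in TCP_TYPES:
        return False, 'unknown type "%s"' % f[0]
    if len(f) < 5:                      # type database user address method
        return False, "expected: %s database user address method" % f[0]
    addr, rest = f[3], f[4:]
    scope = "reachable from other hosts"  # default, also used for host names
    try:
        if addr == "samehost":
            scope = "this host only"
        elif "/" in addr:
            if ipaddress.ip_network(addr, strict=False).is_loopback:
                scope = "loopback only"
        elif is_ip(addr):
            # A bare IP address must be followed by a separate netmask field.
            if not is_ip(rest[0]):
                return False, 'invalid IP mask "%s"' % rest[0]
            net = ipaddress.ip_network(addr + "/" + rest[0], strict=False)
            if net.is_loopback:
                scope = "loopback only"
            rest = rest[1:]
    except ValueError:
        return False, 'invalid address "%s"' % addr
    if not rest:
        return False, "missing authentication method"
    return True, "%s, method=%s" % (scope, rest[0])

if __name__ == "__main__":
    for rec in ("host all 127.0.0.1 255.255.255.255 trust",   # from the thread
                "local all all trust",
                "host all all 127.0.0.1/32 trust"):
        print(rec, "->", check_entry(rec))
```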