To let in only clients using SSL, use hostssl instead of host.
The following fragment of pg_hba.conf enables non-SSL connections from the local subnet
(192.168.1.0/24), but requires SSL from everybody accessing the database from
other networks.
host     all   all   192.168.54.1/32   md5
hostssl  all   all   0.0.0.0/0         md5
Getting SSL key and certificate
For web servers, you usually get your SSL certificate from a recognized Certificate Authority
(CA), as most browsers complain if the certificate is not issued by a known CA, and make
the user jump through hoops if they want to connect to a server with a certificate issued by an
unknown CA.
For your database, it is usually sufficient to generate the certificate yourself using openssl.
The following commands generate a self-signed certificate for your server:
openssl genrsa 1024 > server.key
openssl req -new -x509 -key server.key -out server.crt
Read more on X.509 keys and certificates in OpenSSL's HowTo pages at the following website:
http://www.openssl.org/docs/HOWTO/
Setting up a client to use SSL
Client behavior is controlled by an environment variable, PGSSLMODE, which can have
the following values, as defined in the official PostgreSQL documentation:
SSL mode    Eavesdropping   MITM                   Statement
            protection      protection
disable     No              No                     I don't care about security, and I don't want to pay the overhead of encryption.
allow       Maybe           No                     I don't care about security, but I will pay the overhead of encryption if the server insists on it.
prefer      Maybe           No                     I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it.
require     Yes             No                     I want my data to be encrypted, and I accept the overhead. I trust that the network will make sure I always connect to the server that I want.
verify-ca   Yes             Depends on CA policy   I want my data encrypted, and I accept the overhead. I want to be sure that I connect to a server that I trust.
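The following shell script is an added example, not part of the original text and not PostgreSQL's own tooling. It generalizes the self-signed recipe above to a small private CA: it issues a server certificate from that CA, builds an unrelated self-signed certificate with the same name for comparison, and then runs the check that a client in verify-ca mode performs, namely that the server certificate chains to a CA certificate in the client's root.crt. The CA name, the host name db.example.internal and the file names under the scratch directory $WORK are assumed values. It also sets server.key to mode 0600, since PostgreSQL refuses to use a private key that is group- or world-readable.

```shell
#!/bin/sh
# Added example: private CA, CA-signed server certificate, and the
# chain check that sslmode=verify-ca relies on. All names are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the generated files

make_ca() {
    # CA key plus self-signed CA certificate; the latter is what a client
    # installs as root.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Postgres CA" \
        -keyout "$WORK/ca.key" -out "$WORK/root.crt" 2>/dev/null
}

make_server_cert() {
    # Server key and signing request; the CN should be the host name
    # clients connect to (assumed value here).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=db.example.internal" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    # Issue server.crt from the CA instead of self-signing it.
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
    # PostgreSQL rejects a server key readable by group or others.
    chmod 0600 "$WORK/server.key"
}

make_rogue_cert() {
    # A self-signed certificate carrying the same CN but no relation to
    # our CA: what an impostor on the network could present.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=db.example.internal" \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# Returns 0 when the given certificate chains to root.crt (the verify-ca
# check), non-zero otherwise.
verify_against_ca() {
    openssl verify -CAfile "$WORK/root.crt" "$1" >/dev/null 2>&1
}

# Prints the octal permission bits of a file (GNU stat first, BSD fallback).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: build everything, then show which certificate verify-ca would accept.
make_ca && make_server_cert && make_rogue_cert
verify_against_ca "$WORK/server.crt" && echo "server.crt chains to root.crt: verify-ca accepts it"
verify_against_ca "$WORK/rogue.crt"  || echo "rogue.crt is not issued by root.crt: verify-ca rejects it"
echo "server.key mode: $(key_mode "$WORK/server.key")"
```

To use the output, copy server.key and server.crt into the server's data directory and root.crt into the client's ~/.postgresql/ directory (the default place libpq looks for it), then connect with PGSSLMODE=verify-ca. The contrast between the two certificates is the point of the mode: require would accept either, because it only insists on encryption, whereas verify-ca accepts only the one issued by a CA the client trusts.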