On Wed, 2022-10-19 at 07:49 -0500, Matthew Lenz wrote:
> This is what I've got currently but it's still allowing non-ssl connections from remote (non-local/private) hosts. Any thoughts?
>
> local     all  all                  trust
> host      all  all  127.0.0.1/32    trust
> host      all  all  ::1/128         trust
> host      all  all  10.0.0.0/8      md5
> host      all  all  172.16.0.0/12   md5
> hostssl   all  all  all             md5  clientcert=verify-ca
>
> Also when I require SSL on the client it allows SSL connections without a CA signed cert
> which I thought clientcert=verify-ca in this pg_hba should require.

Then your client IP address must match the CIDR 172.16.0.0/12, right?

That line matches both unencrypted and encrypted connections, that's why it is used for SSL connections as well.

To change that, use "hostnossl" in the penultimate line.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com
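To make the first-match behaviour Laurenz describes visible without a running server, here is an added example (not part of the thread, and not PostgreSQL code): a small Python model of how pg_hba.conf is evaluated for TCP connections. It walks the rules in file order and stops at the first one that applies, treating plain "host" as matching both SSL and non-SSL connections, "hostssl" as SSL-only and "hostnossl" as non-SSL-only. Both pg_hba.conf texts are constructed copies of the file from the thread (the second with the suggested "hostnossl"), the client IPs are constructed, and the parser only handles the subset used there (CIDR or "all" addresses, key=value options); it does not check the database or user columns because every rule uses "all".

```python
"""Model of PostgreSQL pg_hba.conf first-match semantics for TCP connections."""
import ipaddress
from dataclasses import dataclass, field

# Constructed copy of the pg_hba.conf posted in the thread (order matters: first match wins).
ORIGINAL_HBA = """\
local     all  all                  trust
host      all  all  127.0.0.1/32    trust
host      all  all  ::1/128         trust
host      all  all  10.0.0.0/8      md5
host      all  all  172.16.0.0/12   md5
hostssl   all  all  all             md5  clientcert=verify-ca
"""

# Same file with the change suggested in the reply: "hostnossl" on the penultimate line.
FIXED_HBA = """\
local     all  all                  trust
host      all  all  127.0.0.1/32    trust
host      all  all  ::1/128         trust
host      all  all  10.0.0.0/8      md5
hostnossl all  all  172.16.0.0/12   md5
hostssl   all  all  all             md5  clientcert=verify-ca
"""


@dataclass
class Rule:
    conn_type: str            # local | host | hostssl | hostnossl
    database: str
    user: str
    address: object           # ipaddress network, or None for "all" and for local rules
    method: str
    options: dict = field(default_factory=dict)


def parse_hba(text):
    """Parse the subset of pg_hba.conf used in the thread: whitespace-separated
    fields, CIDR or "all" in the address column, key=value options, '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type, database, user = fields[:3]
        if conn_type == "local":
            address, rest = None, fields[3:]          # Unix-socket rules have no address column
        else:
            addr = fields[3]
            address = None if addr == "all" else ipaddress.ip_network(addr, strict=False)
            rest = fields[4:]
        options = dict(opt.split("=", 1) for opt in rest[1:])
        rules.append(Rule(conn_type, database, user, address, rest[0], options))
    return rules


def first_match(rules, client_ip, ssl):
    """Return the first rule that applies to a TCP connection from client_ip, or None.
    No matching rule means PostgreSQL rejects the connection."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule.conn_type == "local":            # only Unix-domain sockets
            continue
        if rule.conn_type == "hostssl" and not ssl:
            continue
        if rule.conn_type == "hostnossl" and ssl:
            continue
        # plain "host" falls through here for both SSL and non-SSL connections
        if rule.address is not None and (
            ip.version != rule.address.version or ip not in rule.address
        ):
            continue
        return rule
    return None


def decide(hba_text, client_ip, ssl):
    """Summarise the outcome as (conn_type, method, clientcert option) or None."""
    rule = first_match(parse_hba(hba_text), client_ip, ssl)
    if rule is None:
        return None
    return (rule.conn_type, rule.method, rule.options.get("clientcert"))


if __name__ == "__main__":
    cases = (("172.16.5.5", True), ("172.16.5.5", False),
             ("203.0.113.7", True), ("203.0.113.7", False))
    for name, hba in (("original", ORIGINAL_HBA), ("fixed", FIXED_HBA)):
        for ip, ssl in cases:
            print(f"{name:8} {ip:12} ssl={str(ssl):5} -> {decide(hba, ip, ssl)}")
```

Running it shows why the certificate check never fired: with the original file, an SSL connection from 172.16.5.5 stops at the "host ... 172.16.0.0/12 md5" line and never reaches the hostssl line that carries clientcert=verify-ca, while a non-SSL connection from a public address such as 203.0.113.7 matches nothing and is rejected. With "hostnossl" on that line, the SSL connection from 172.16.5.5 falls through to the hostssl rule and the client certificate is verified. Note that the same reasoning applies to the 10.0.0.0/8 "host" line, and that "hostnossl" still admits unencrypted md5 logins from 172.16.0.0/12; if every remote connection is supposed to be SSL with a CA-signed certificate, those lines need the same treatment or have to go.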