"D'Arcy J.M. Cain" <darcy@xxxxxxxxx> writes: > On Mon, 09 May 2016 17:12:22 -0400 > Tom Lane <tgl@xxxxxxxxxxxxx> wrote: >> If the same user id + database combinations might be valid in both >> cases (from both PHP and manual connections) I think your only other >> option for distinguishing which auth method to use is to make them >> come in on different addresses. Can you set up a secondary IP >> interface that only the PHP server uses, for example? > I did think of that but how do I define that in pg_hba? The host field > only specifies the remote IP, not the local one. Right, but you'd be using it essentially as a loopback interface. Say you set it up as 192.168.0.42 --- you'd tell PHP to connect to Postgres on 192.168.0.42, and Postgres would also see the PHP connections as coming in from 192.168.0.42. I think on most modern OSes you can set up this sort of thing entirely in software, not even needing a spare NIC card. I haven't done it that way though. > I had an idea that that wouldn't be so easy else we would have had it > by now. However, I am not sure that that is what is needed. I was > thinking of something like this: > host all joe@nobody 192.168.151.75/32 password > host all all 192.168.151.75/32 ident > The "all@nobody" field is meant to specify that the remote user is > nobody but that they are connecting as user joe. As John noted, we don't have any idea what the "remote username" is at the time we're scanning pg_hba.conf. regards, tom lane -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
