On Thu, Oct 27, 2016 at 11:18 AM, Francisco Olarte
<folarte@xxxxxxxxxxxxxx> wrote:
> Merlin:
>
> On Thu, Oct 27, 2016 at 6:10 PM, Merlin Moncure <mmoncure@xxxxxxxxx> wrote:
>> On Thu, Oct 27, 2016 at 10:01 AM, Francisco Olarte
>> <folarte@xxxxxxxxxxxxxx> wrote:
>>> And I'd like to point libpq sessions does not sound to be the best
>>> kind of traffic across a firewall, not a good service / protocol to
>>> expose.
>
>> meh -- it's perfectly fine to expose postgres to the internet as long
>> as you've handled the security concerns.
>
> It is, but handling them is not easy, and you have to deal with things
> like DoS which are not trivial on the server ( as it is a heavy
> service ). It can be done, and sometimes needs to be done, but is not
> a thing to take over lightly.
>
>> This could be over ssh tunnel for example.
>
> In which case it is NOT exposed to the internet. What are you trying to say?

what? ssh can most certainly convey over the internet. I said ssh
*tunnel*; not ssh. With tunneling the ssh endpoint is the client
application.

When I built a libpq based internet facing application we used a
modified pgbouncer to whitelist the parameterized query strings and to
force the auth. We had zero issues.

merlin
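
The statement allowlisting mentioned in the message above, as an added example that is not part of the original thread and is not pgbouncer code: a check over PostgreSQL v3 frontend messages that permits a Parse only when its query text is on a fixed list and rejects simple Query messages. The allowlist entries and all function names are hypothetical, and the buffer is assumed to start after startup and authentication have completed.

```python
import struct

# Constructed allowlist: the only statements the application may prepare.
ALLOWED_QUERIES = {
    "SELECT id, name FROM accounts WHERE id = $1",
    "UPDATE accounts SET name = $2 WHERE id = $1",
}
# Frontend messages forwarded uninspected (Bind, Execute, Sync, Describe,
# Close, Flush, Terminate); none of them carries SQL text.
PASS_THROUGH = set(b"BESDCHX")

def build_message(msg_type: bytes, payload: bytes) -> bytes:
    """Frame a v3 message: type byte, Int32 length (counts itself), payload."""
    return msg_type + struct.pack("!I", len(payload) + 4) + payload

def build_parse(query: str, name: str = "") -> bytes:
    """Build a Parse message with no declared parameter types (test helper)."""
    payload = name.encode() + b"\0" + query.encode() + b"\0" + struct.pack("!H", 0)
    return build_message(b"P", payload)

def split_messages(buf: bytes):
    """Yield (type, payload) for each message; raise on malformed framing."""
    pos = 0
    while pos + 5 <= len(buf):
        msg_type = buf[pos]
        (length,) = struct.unpack_from("!I", buf, pos + 1)
        if length < 4 or pos + 1 + length > len(buf):
            raise ValueError("truncated or malformed message")
        yield msg_type, buf[pos + 5 : pos + 1 + length]
        pos += 1 + length
    if pos != len(buf):
        raise ValueError("trailing bytes after last message")

def check_stream(buf: bytes):
    """Return (allowed, reason) for a buffer of frontend messages."""
    for msg_type, payload in split_messages(buf):
        if msg_type == ord("P"):
            _name, _, rest = payload.partition(b"\0")
            query, sep, _ = rest.partition(b"\0")
            if not sep or query.decode("utf-8", "replace") not in ALLOWED_QUERIES:
                return False, "Parse: statement not on allowlist"
        elif msg_type == ord("Q"):
            return False, "simple Query rejected: not parameterized"
        elif msg_type not in PASS_THROUGH:
            return False, "unexpected message type %r" % chr(msg_type)
    return True, "ok"
```

Matching is exact string comparison, so the client must send the statements byte for byte as listed; anything else, including COPY and function-call messages, is refused.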