
Re: pg_hba.conf


 




On Mon, 20 Nov 2006, Russell Smith wrote:

Tom Allison wrote:
Russell Smith wrote:
Tom Allison wrote:
Ran into a mystery that I can't seem to figure out....


I want to authenticate using SSL for all external IP addresses that I have in my subnet. I also want to be able to authenticate via non-SSL for localhost (not unix socket).

I thought something like this would work:

host       all    all    127.0.0.1/32     md5
hostssl    all    all    192.168.0.1/24   md5

But I have a localhost client that can't log in because it keeps trying to authenticate via SSL.

What am I doing wrong?  It seems simple enough.
What command are you typing?

#nonssl
postgres$ psql -h localhost postgres
#ssl
postgres$ psql -h 192.168.1.1 postgres


psql -h localhost

My "other" client is actually postfix and that's also specified as 'localhost'.

I suppose you are going to tell me that there is a difference here?
I've always assumed you had to use network IP ranges, not DNS-like names (albeit localhost is a special case).
All good, it makes no difference.

try
hostnossl   all   all   127.0.0.1/32   md5

that should force non ssl for localhost connections, as long as there are no entries before this one for localhost.

Hope that helps.

That is not necessarily true. Some OSes are now defaulting "localhost" to ::1, e.g. the IPv6 variant. Be certain that if you are in one of those situations that you include the IPv6 address in your configuration, or take whatever measures are necessary to ensure consistency.

- Marc
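
Added example, not part of the original thread: a simplified model of pg_hba.conf first-match evaluation, showing why a client whose "localhost" resolves to ::1 finds no entry under the rules above until an IPv6 loopback line is added. The function names are hypothetical, and the model assumes only host/hostssl/hostnossl records with a CIDR address, ignoring the database and user columns.

```python
import ipaddress

# Constructed sample: the rules discussed in the thread, in file order.
THREAD_RULES = """
hostnossl  all  all  127.0.0.1/32    md5
hostssl    all  all  192.168.0.1/24  md5
"""

# Same rules plus an IPv6 loopback entry (::1/128), as the last reply advises.
FIXED_RULES = THREAD_RULES + "hostnossl  all  all  ::1/128  md5\n"


def parse_rules(text):
    """Parse 'type database user CIDR method' lines; skip blanks and comments."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 5:
            continue
        conn_type, _database, _user, cidr, method = fields
        # strict=False accepts host bits set in the address, e.g. 192.168.0.1/24
        network = ipaddress.ip_network(cidr, strict=False)
        rules.append((conn_type, network, method))
    return rules


def match_rule(rules, client_addr, ssl):
    """Return the first matching rule as 'type cidr method', or None when no
    entry matches (the server then rejects the connection)."""
    addr = ipaddress.ip_address(client_addr)
    for conn_type, network, method in rules:
        if conn_type not in ("host", "hostssl", "hostnossl"):
            continue
        if conn_type == "hostssl" and not ssl:
            continue  # hostssl only matches SSL connections
        if conn_type == "hostnossl" and ssl:
            continue  # hostnossl only matches non-SSL connections
        # An IPv4 rule never matches an IPv6 client address, and vice versa.
        if addr.version == network.version and addr in network:
            return f"{conn_type} {network} {method}"
    return None


if __name__ == "__main__":
    for label, text in (("thread", THREAD_RULES), ("fixed", FIXED_RULES)):
        rules = parse_rules(text)
        for addr, ssl in (("127.0.0.1", False), ("::1", False), ("192.168.0.7", True)):
            print(label, addr, "ssl" if ssl else "nossl", "->", match_rule(rules, addr, ssl))
```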

