I have a sensitive application with the app server and DB on separate machines, and in the case of the slave DB, in separate data-centers.
Although I believe my PostgreSQL instances are configured to always use SSL, I need a way to double-check this.
Is there some simple way to check that all client connections are indeed being forced to use SSL?
Best Answer
Non-SSL connections can be disabled through pg_hba.conf. For instance, it may start like this:
The rules are tested in order and until the first match, so any rule after these will have no effect when one of these matches.
At runtime, to check which sessions are encrypted, there's the pg_stat_ssl system view (since PostgreSQL 9.5). Its pid column is a reference to pg_stat_activity, which holds the other bits of information that might be relevant to identifying the connection, such as usename, datname, client_addr..., so you might use this query, for instance:
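As an added example (not part of the answer above), the script below applies the first-match rule the answer describes to a constructed pg_hba.conf: it simulates a plaintext connection from a given client address, skips hostssl lines (which never match cleartext), and reports whether the first matching rule rejects it. The sample file, the Rule class and the helper names are assumptions; matching is on the ADDRESS column only (CIDR or "all"), and the database/user columns are carried but not evaluated.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample pg_hba.conf (not from the original post). The plain
# "host" line for 10.0.0.0/8 sits above the SSL-only rules, so cleartext
# logins from that subnet are accepted despite the later hostnossl reject.
SAMPLE_HBA = """\
# TYPE      DATABASE  USER  ADDRESS        METHOD
local       all       all                  peer
host        all       all   10.0.0.0/8     md5
hostnossl   all       all   0.0.0.0/0      reject
hostssl     all       all   0.0.0.0/0      scram-sha-256
"""

@dataclass
class Rule:
    type: str      # host | hostssl | hostnossl
    database: str
    user: str
    address: str   # "all" or CIDR notation (separate-mask form not handled)
    method: str

def parse_hba(text: str) -> List[Rule]:
    """Parse TCP rules in file order; 'local' lines are skipped because
    Unix-socket connections are never SSL."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("local"):
            continue
        f = line.split()
        if f[0] not in ("host", "hostssl", "hostnossl") or len(f) < 5:
            raise ValueError("unsupported pg_hba line: %r" % raw)
        rules.append(Rule(f[0], f[1], f[2], f[3], f[4]))
    return rules

def _addr_matches(rule_addr: str, client_ip: str) -> bool:
    if rule_addr == "all":
        return True
    # Mixed IPv4/IPv6 comparisons simply evaluate to False here.
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule_addr, strict=False)

def cleartext_rule(rules: List[Rule], client_ip: str) -> Optional[Rule]:
    """First rule a non-SSL connection from client_ip would hit (hostssl
    lines never match cleartext). None means no match, which PostgreSQL
    also treats as a rejection."""
    for r in rules:
        if r.type != "hostssl" and _addr_matches(r.address, client_ip):
            return r
    return None

def cleartext_allowed(rules: List[Rule], client_ip: str) -> bool:
    """True when a plaintext connection would proceed to authentication,
    i.e. SSL is not enforced for that client address."""
    r = cleartext_rule(rules, client_ip)
    return r is not None and r.method != "reject"
```

Run it against your real pg_hba.conf and the app server's address; a result of True means the file order lets that client in without SSL, which is exactly the gap the static check is meant to catch before the runtime pg_stat_ssl check does.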