Postgresql – pg_hba.conf entry query

access-controlauthenticationpg-hba.confpostgresql

I'm trying to formulate a rule from pg_hba.conf file. Thus far I have understood that pg_hba.conf file is used to give access to the specific user for a specific host. But I just want to take a second opinion hence this question.

Given that I defined a set of entry in pg_hba.conf:

# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5

host    all            all             111.121.10.32/32         md5

Then does Postgres guarantee the only way anyone can connect to Postgres is either using localhost or from 111.121.10.32 and not other IP will be able to access the Postgres server.

Is my understanding correct?

Best Answer

Your understanding is correct. For every connection attempt, each line in pg_hba.conf is checked in turn. The first matching line applies and the connection then either passes with this or fails trying. Much like a firewall. The manual:

The first record with a matching connection type, client address, requested database, and user name is used to perform authentication. There is no “fall-through” or “backup”: if one record is chosen and the authentication fails, subsequent records are not considered. If no record matches, access is denied.

Bold emphasis mine.

Related Solutions

Postgresql – Howto disable Postgres listening on TCP

Maybe it is not the finest Solution / Answer to my question, but at least it will point anybody (facing the said challenge I had in my original question)

To disable listening on TCP/IP network I used this command line option when starting the server application:

postgres [other arguments] -c listen_addresses=''

Addition: The remaining open udp 127.0.0.1:38860 connection is supposedly linked to the purpose of the the statistics collector subprocess as suggested on postgresql.org

Postgresql – Connect to PgAdmin III via localhost

The basic misunderstanding: "localhost" is not a local connection. Your "trust" line in pg_hba.conf is not applicable for your connection:

local   all   all   trust

That only applies for connections via Unix-domain socket. Best choice for you is to connect via this route. Per pgAdmin documentation:

The host is the IP address of the machine to contact, or the fully qualified domain name. On Unix based systems, the address field may be left blank to use the default PostgreSQL Unix Domain Socket on the local machine, or be set to an alternate path containing a PostgreSQL socket. If a path is entered, it must begin with a “/”. The port number may also be specified.

Bold emphasis mine.

More about connecting without password in this related answer on SO:
Run batch file with psql command without password

Best Answer

Related Solutions

Postgresql – Howto disable Postgres listening on TCP

Postgresql – Connect to PgAdmin III via localhost

Related Question