PostgreSQL Security Question Remote Connection - postgresql

I was successful in connecting another computer to my local PostgreSQL server (on Windows 10). I've
added two specific lines of arguments in the respective config files.
postgresql.conf:
listen_addresses = '*'
pg_hba.conf:
host all all all md5
I understood that this connection is now possible in my local network, which I am currently connected to. Is this really the case, or do I have to look out for some connections from outside my network to block them? (ssl = off; I hope that without SSL it is only local.)
For completeness, I also added a firewall rule where I allowed TCP connections for a port [Port] and profiles in domain, private and public networks.

You can limit the IP range by adding a mask like this (I'm not sure about that 3rd "all"):
host all all 192.168.0.1/24 md5
In any case, you can check the log and see if pg is up and listening (pg_log or the -l parameter).

Related

postgres logical replication not working. Error says "could not connect to the publisher"

I have a Postgres database called salephone_test with 3 tables (smartphones, listings, phone_listings) on my Windows PC which I want to replicate to at least one Ubuntu droplet on DigitalOcean. I attempted the following setup to replicate the smartphones table:
On my local machine (PC) in postgresql.conf I set listen_addresses = '*' and wal_level = logical.
In pg_hba.conf, I added the following lines:
host salephone_test rep 0.0.0.0/0 md5
host salephone_test all 104.248.54.230/0 md5
host all all 0.0.0.0/0 md5
host all all 0.0.0.0/0 md5
where 104.248.54.230 is the IP of my digitalocean droplet
I also set up a replication user and publication by the following commands
CREATE ROLE rep REPLICATION LOGIN PASSWORD 'fakepass';
GRANT SELECT on smartphones to rep;
CREATE PUBLICATION test_phones FOR TABLE smartphones;
On my remote droplet, after installing Postgres on Ubuntu, I created a database called salephone with a table called smartphones.
In psql, I then used the following command to subscribe for logical replication:
// 50.71.125.50 is my PC's IP according to Google
CREATE SUBSCRIPTION phone_sub CONNECTION 'dbname = salephone_test host = 50.71.125.50 user = rep password = fakepass port = 5432' PUBLICATION test_phones;
After a minute of waiting, I received the following:
ERROR: could not connect to the publisher: connection to server at "50.71.125.50", port 5432 failed: Connection timed out
Is the server running on that host and accepting TCP/IP connections?
Note: I tried restarting Postgres on my PC multiple times already via services.msc.
Your home modem/router is surely blocking the connection. You will need to configure it to accept the connection and do 'port forwarding' to your pc. How you do that (or if it is even possible) would depend on the make and model of the router.
Also, your pg_hba doesn't make much sense. The reason to have a more specific entry above a more general entry is to give it a different auth method (or configuration). Since all your entries have the same method, you might as well just have the last line and not have the preceding 3.

Serving my postgres database online

I want to have a postgres database on a computer that I can use from multiple (external) computers. It will act as a trial server for me, leaving it on whenever I need it.
I researched how to do it and found out I had to forward the Postgres service to the internet. Postgres is on port 5432. I logged in to my router, which has a forwarding option. I opened up port 5432, but can't add Postgres to the list of services.
Is there a reason for that?
Actually, I found that I just have to adapt the pg_hba.conf file (just started trying). I am running Windows. Any advice is welcome; this is not my expertise. I don't understand why it would work if I just adapt the pg_hba.conf. For games or other services, like a game, I have to open a port in the router. Or should I do both?
From Postgres documentation - Client authentication is controlled by a configuration file, which traditionally is named pg_hba.conf and is stored in the database cluster's data directory. (HBA stands for host-based authentication.)
Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name, a user name, and the authentication method to be used for connections matching these parameters.
So it is absolutely required to set up your pg_hba.conf for it to allow access to other computers. You will also need to setup router and firewall settings for allowing incoming connections to port 5432.
Here is what you need to do:
In postgresql.conf, change listen_addresses to:
listen_addresses = '*'
and in pg_hba.conf add this to the end of the file:
host all all 0.0.0.0/0 md5
And also make sure the port is forwarded from your router to the machine running Postgres.

Access postgresql remotely with pgadmin

In postgresql.conf I have:
listen_addresses = "*"
My pg_hba.conf looks like:
local all postgres md5
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
#host all all myIPADDRESS md5
If I uncomment the last line:
pgAdmin says it cannot access and to make sure whether the port is accessible. I have flushed the iptables to have no rules, so the firewall is not stopping it.
Local access to the database from my scripts is not working.
With the last line commented:
pgAdmin says that there is no pg_hba.conf entry for my IP address.
I am able to access the database locally on the server from my scripts.
What am I missing to make the configuration right?
Thanks.
Looking at this post. After adding to pg_hba.conf:
host all all ::/0 trust
host all all my.ipv4.IP/32 trust
It works now.
Not sure if order is important in pg_hba.conf, but I put mine at the top and also tried with and without IP, and both worked.
Had the same problem with psql via command line connecting and pgAdmin not connecting on RDS with AWS. I did have my RDS set to Publicly Accessible. I made sure my ACL and security groups were wide open and still had the problem, so I did the following:
sudo find . -name *.conf
then sudo nano ./data/pg_hba.conf
then added to top of directives in pg_hba.conf file host all all 0.0.0.0/0 md5
and pgAdmin automatically logged me in.
This also worked in the pg_hba.conf file:
host all all md5 without any IP address, and this also worked with my IP address: host all all <myip>/32 md5
As a side note, my RDS was in my default VPC. I had an identical RDS instance in my non-default VPC with identical security group, ACL and security group settings to my default VPC and I could not get it to work. Not sure why, but that's for another day.

How to allow PostgreSQL server connections from anywhere?

I don't understand the pg_hba.conf documentation. It seems to say that I could add this entry:
host all all md5
or this entry
host all all *.*.*.*/* md5
to allow access from anywhere.
But not only can I not connect to my local database using my VirtualBox guest IP of 10.0.2.15 with either of these lines, if I don't have
host all all 127.0.0.1/32 md5
then I can no longer connect even using 0.0.0.0 and 127.0.0.1
What line do I need to add to allow access from any IP (including inside Docker containers in my VirtualBox) using password authentication?
Here's my current, standard, pg_hba.conf file:
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
(All the below is based on the documentation for Postgres 9.5, but I'm not aware of any major changes for this syntax, so it should apply to anything vaguely recent.)
As far as I know, the line
host all all md5
isn't valid syntax. When using the host record type, the following formats are available
host database user address auth-method [auth-options]
host database user IP-address IP-mask auth-method [auth-options]
so a minimum of four additional arguments, whereas you've only provided three.
As per your comment, the line
host all all 0.0.0.0/0 md5
will work to allow connections from all IP addresses (based on subsequent password authentication). The /0 is a mask for which bits (literally the bits) of the IP address to validate against. /0 means you want to ignore the whole thing, i.e. allow all addresses. The mask 1.2.3.4/0 would mean exactly the same thing. It's not usually best practice to allow access from anywhere, but if you're dealing with non-public-facing VMs or Docker containers then it's fine.
If you're using IPv6 connections, the syntax is very similar:
host all all ::/0 md5
For what it's worth, I've never come across the syntax
host all all *.*.*.*/* md5
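As an added example (not code from any of the posts above), here is a small Python model of how pg_hba.conf is evaluated. It parses the documented host forms and the "all" address keyword, rejects the four-field "host all all md5" line from the question, applies first-match-wins ordering (the point raised in the replication answer above and in the "not sure if order is important" answer), and flags records such as 1.2.3.4/0 or trust that open the server to any client. Hostnames in the address field are not supported, which is an assumption of this example, not a PostgreSQL limitation.

```python
import ipaddress
# Constructed sample in the shape of the files posted above (not taken from any post).
SAMPLE = """
local   all   all                 peer
host    all   all   127.0.0.1/32  md5
host    all   all   1.2.3.4/0     md5    # same as 0.0.0.0/0: the /0 mask ignores every bit
host    all   all   ::/0          trust  # any IPv6 client gets in without a password
"""
def parse_hba(text):
    """Records in file order; handles local, CIDR, address+mask and 'all' (not hostnames)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()                  # strip comments and blank lines
        if not f:
            continue
        host = f[0] in ("host", "hostssl", "hostnossl")
        if f[0] == "local" and len(f) >= 4:
            net, method = None, f[3]
        elif host and len(f) >= 6 and "/" not in f[3]:   # 'IP-address IP-mask' form
            net, method = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False), f[5]
        elif host and len(f) >= 5:                        # CIDR form, or the 'all' keyword
            net, method = ("all" if f[3] == "all" else ipaddress.ip_network(f[3], strict=False)), f[4]
        else:  # e.g. 'host all all md5' has only four fields, so it is rejected
            raise ValueError(f"line {lineno}: malformed record: {raw.strip()}")
        rules.append({"line": lineno, "type": f[0], "db": f[1], "user": f[2], "net": net, "method": method})
    return rules

def first_match(rules, conn, db, user, ip=None):
    """First matching record decides the method, as in PostgreSQL; None = 'no pg_hba.conf entry'."""
    addr = ipaddress.ip_address(ip) if ip else None      # conn is 'local' or 'host' (ssl ignored)
    for r in rules:
        if (r["type"] == "local") != (conn == "local"):
            continue
        if r["db"] not in ("all", db) or r["user"] not in ("all", user):
            continue
        if addr is not None and r["net"] not in (None, "all") and addr not in r["net"]:
            continue
        return r
    return None

def audit(rules):
    """Flag remote records that expose the server: 'trust', or a /0 or 'all' address range."""
    out = []
    for r in rules:
        if r["net"] is not None and r["method"] == "trust":
            out.append((r["line"], "trust: no credentials checked"))
        elif r["net"] is not None and (r["net"] == "all" or r["net"].prefixlen == 0):
            out.append((r["line"], "any address matches; only the password protects the server"))
    return out
```

Running audit(parse_hba(SAMPLE)) reports lines 4 and 5 of the sample; swapping the 0.0.0.0/0 line above the 127.0.0.1/32 line makes first_match hand loopback clients the wider rule's method, which is why ordering matters.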

how to restrict specific hosts from connecting to pgbouncer?

I am running my postgres-9.2 on port 6432 and pgbouncer on port 5432. A few of my colleagues' client machines have firewall permission to connect to port 5432 on the server machine. But as a DB admin, I wanted to restrict some IP addresses from accessing the database.
But even though I block them in the pg_hba.conf file, since the pgbouncer port is allowed, they are able to access it.
I can block at the OS firewall level, but I don't want to take the help of my system administrator. So, is there any way to restrict and deny IP addresses from accessing pgbouncer, as we generally do through pg_hba.conf for PostgreSQL?
Please suggest.
https://pgbouncer.github.io/2015/12/pgbouncer-1-7
Main changes from v1.6 are support for TLS connections, HBA control
file and authentication via unix peer uid.
So from 1.7 you have an hba file, just like in vanilla Postgres. And thus filtering connections by IP is just as easy.
Also you can use some tricks, dropping connections after they have connected, as described in my other recent answer https://stackoverflow.com/a/46191949/5315974 but again - it is more a trick for urgently getting rid of connections. Using such tricks in a while loop or as a job is generally a bad idea.