How to allow PostgreSQL server connections from anywhere? - postgresql

I don't understand the pg_hba.conf documentation. It seems to say that I could add this entry:
host all all md5
or this entry
host all all *.*.*.*/* md5
to allow access from anywhere.
But not only can I not connect to my local database using my VirtualBox guest IP of 10.0.2.15 with either of these lines, if I don't have
host all all 127.0.0.1/32 md5
then I can no longer connect even using 0.0.0.0 and 127.0.0.1
What line do I need to add to allow access from any IP (including inside Docker containers in my VirtualBox) using password authentication?
Here's my current, standard, pg_hba.conf file:
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5

(All the below is based on the documentation for Postgres 9.5, but I'm not aware of any major changes for this syntax, so it should apply to anything vaguely recent.)
As far as I know, the line
host all all md5
isn't valid syntax. When using the host record type, the following formats are available
host database user address auth-method [auth-options]
host database user IP-address IP-mask auth-method [auth-options]
so a minimum of four additional arguments, whereas you've only provided three.
As per your comment, the line
host all all 0.0.0.0/0 md5
will work to allow connections from all IP addresses (based on subsequent password authentication). The /0 is a mask for which bits (literally the bits) of the IP address to validate against. /0 means you want to ignore the whole thing, i.e. allow all addresses. The mask 1.2.3.4/0 would mean exactly the same thing. It's not usually best practice to allow access from anywhere, but if you're dealing with non-public facing VMs or Docker containers then it's fine.
If you're using IPv6 connections, the syntax is very similar:
host all all ::/0 md5
For what it's worth, I've never come across the syntax
host all all *.*.*.*/* md5

Related

PostgreSQL Security Question Remote Connection

I was successful in connecting another computer to my local PostgreSQL server (on Windows 10). I've added two specific lines of arguments in the respective config files.
postgresql.conf:
listen_addresses = '*'
pg_hba.conf:
host all all all md5
I understood, that this connection is now possible in my local Network, where I am currently connected to. Is this really the case, or do I have to look out for some connections outside my network to block them? (ssl = off, hope that without ssl it is only local)
For completeness, I also added a firewall rule where I allowed TCP connections for a port [Port] and profiles in a domain, private and public network.
You can limit the IP range by adding a mask, like this (I'm not sure about that 3rd "all"):
host all all 192.168.0.1/24 md5
In any case, you can check the log and see if pg is up and listening (pg_log or -l parameter)

Cannot connect to postgres database even with 'trust' settings

I'm currently really struggling with a postgres 9.1 database which I need for testing my software. I did not create this database but I used to log in before with postgres as a user and password. However, right now it is impossible for me to create a connection even with pgadmin3 from the same machine the database is running on. I tried a million combinations in pg_hba.conf like:
host all all 192.168.10.178/32 trust
or
host all all 0.0.0.0/0 trust
or
host example postgres 192.168.10.178/32 trust
or
host all all ::1/128 md5
The IPv4 address of the server is 192.168.10.178, subnet mask is 255.255.245.0. The machine is running Windows Server 2008 and I'm logged in with admin rights (if that matters). In postgresql.conf the following lines are set:
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost', '*' = all
# (change requires restart)
port = 5432 # (change requires restart)
I'm not familiar at all with postgres and what I read until now about pg_hba.conf did not get me any further. I would have expected that at least with the second setting from above it would let me log in without password, not caring about user or host IP. But somehow pgadmin 3 still asks for a password for user 'postgres' and if I use 'postgres' it just tells me:
password-authentication for user 'postgres' failed
Please, can anyone tell me what the hell I'm supposed to do?
This is what my settings look like:
# TYPE DATABASE USER ADDRESS METHOD
# IPv4 local connections:
host all all nnn.nn.nnn.nnn/32 trust
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
(Obviously the n's are numbers I've hidden from my actual IP address.)
As @VaoTsun said, make sure the lines are in the order you wish them applied, because the first one that matches will be what is used. So if for example you have samenet set to md5, then next line you have samehost set to trust, you will get md5 because samenet is valid for your connection.
However I strongly suspect the issue is that the IPv6 connection entry is either commented out, or set to md5 (or both). I don't know exactly why, but I know on a lot of our 2008 servers, it will use the IPv6 setting rather than the IPv4. Maybe it depends if IPv6 is enabled on the machine. Set that entry as per my settings above, and I bet that will do it.
Also, unless you've configured PGAdmin to save your password, it will still ask you for a password even if trust is properly set. Just hit enter without typing in a password, and it should allow you in. (Assuming your settings have been set correctly.)

Access postgresql remotely with pgadmin

In postgresql.conf I have:
listen_addresses = "*"
My pg_hba.conf looks like:
local all postgres md5
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
#host all all myIPADDRESS md5
If I uncomment the last line
pgadmin says it cannot access and to make sure whether the port is accessible. I have flushed the iptables to have no rules, so the firewall is not stopping it.
local access to the database from my scripts is not working
With the last line commented:
pgadmin says that there is no pg_hba.conf entry for my IP address
I am able to access the database locally on the server from my scripts
What am I missing to make the configuration right?
Thanks.
Looking at this post. After adding to pg_hba.conf:
host all all ::/0 trust
host all all my.ipv4.IP/32 trust
It works now.
Not sure if order is important in pg_hba.conf but, I put mine at top and also tried with and without IP and both worked.
Had same problem with psql via command line connecting and pgAdmin not connecting on RDS with AWS. I did have my RDS set to Publicly Accessible. I made sure my ACL and security groups were wide open and still problem so, I did the following:
sudo find . -name '*.conf'
then sudo nano ./data/pg_hba.conf
then added to top of directives in pg_hba.conf file host all all 0.0.0.0/0 md5
and pgAdmin automatically logged me in.
This also worked in pg_hba.conf file
host all all md5 without any IP address and this also worked with my IP address host all all <myip>/32 md5
As a side note, my RDS was in my default VPC. I had an identical RDS instance in my non-default VPC with identical security group, ACL and security group settings to my default VPC and I could not get it to work. Not sure why but, that's for another day.

Why is my web application using ipv6 to connect to a local postgres

So I've been developing a web application which connected to a postgresql server on another machine. Everything works fine.
Then I deployed the web application to the same machine running the postgresql server and got an error message:
FATAL: 28000: no pg_hba.conf entry for host "fe80::ccee:154f:18f5:418f%11", user "myuser", database "mydb", SSL off
My pg_hba.conf already has this line:
# IPv6 local connections:
host all all ::1/128 md5
That's supposed to be the loopback address for IPv6, right?
I can fix it by adding this line (pure guessing):
#host all all fe80::/16 md5
I suspect this works by letting everyone connect?
So the question is, why would it use IPv6 instead of IPv4?
And why does the loopback not work?
When you connect using a hostname, one of the first things that happens is that libpq (the postgresql client library) will attempt to resolve the hostname. In most cases this will mean looking it up via DNS. Whatever address comes back will then be used for the connection.
I am guessing that in your case the address that the hostname resolves to is an IPv6 address. Your experiments with ping would seem to back up that assumption.
So, despite being on the same machine, it is connecting via the IPv6 address of the host. As far as the server is concerned, it sees the connection coming in from the IPv6 address of the host. This address is not ::1/128 (localhost) so it does not match that entry in pg_hba.conf.
One way to resolve this would be to change the connection string of your application to localhost (or ::1/128, or even 127.0.0.1). That would cause the loopback entries in the pg_hba.conf to be selected.
If you were using a platform that supports UNIX domain sockets, and as you are connecting to the server on the same host, you would be better off to remove the host parameter from the connection string altogether. In that case libpq would use local UNIX domain sockets to connect to the server, which would be more efficient than connecting locally via an IP address anyway. However since you are using .NET that solution probably does not apply.

Access PostgreSQL server from LAN

I've been trying to edit pg_hba.conf file in order to be able to access the server using just the IP address with, so far, no success.
For example, I can access using «localhost», but I want to access using the IP address that my router gave me which is something like 192.168.1.X
This is my pg_hba.conf:
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres trust
#host replication postgres 127.0.0.1/32 trust
#host replication postgres ::1/128 trust
host all all 0.0.0.0/0 trust
Any help?
First, edit the postgresql.conf file, and set listen_addresses. The default value of 'localhost' will only listen on the loopback adaptor. You can change it to '*', meaning listen on all addresses, or specifically list the IP address of the interfaces you want it to accept connections from. Note that this is the IP address which the interface has allocated to it, which you can see using ifconfig or ip addr commands.
You must restart postgresql for the changes to listen_addresses to take effect.
Next, in pg_hba.conf, you will need an entry like this:
# TYPE DATABASE USER ADDRESS METHOD
host {dbname} {user} 192.168.1.0/24 md5
{dbname} is the database name you are allowing access to. You can put "all" for all databases.
{user} is the user who is allowed to connect. Note that this is the postgresql user, not necessarily the unix user.
The ADDRESS part is the network address and mask that you want to allow. The mask I specified will work for 192.168.1.x as you requested.
The METHOD part is the authentication method to use. There are a number of options there. md5 means it will use an md5 hashed password. 'trust' which you had in your sample means no authentication at all - this is definitely not recommended.
Changes to pg_hba.conf will take effect after reloading the server. You can do this using pg_ctl reload (or via the init scripts, depending on your OS distro).
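
An added example (not from any of the posts above, and not PostgreSQL's own code) that models the matching the answers describe: CIDR masks such as /0, first-match-wins ordering, and a link-local IPv6 client that misses the ::1/128 entry. It assumes CIDR-form host lines only and does not evaluate the database and user columns; the function names and the sample file are constructed.

```python
import ipaddress

# Constructed sample built from entries quoted in the posts above.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    md5
host    all       all   ::1/128         md5
host    all       all   192.168.1.0/24  md5
host    all       all   0.0.0.0/0       trust
"""

def parse_host_rules(text):
    """Return (database, user, network, method) for each CIDR-style host line."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        # Skips comments, 'local' lines and short lines such as 'host all all md5'.
        if len(fields) < 5 or fields[0] != "host" or "/" not in fields[3]:
            continue
        try:
            # strict=False accepts host bits, so 1.2.3.4/0 becomes 0.0.0.0/0.
            net = ipaddress.ip_network(fields[3], strict=False)
        except ValueError:
            continue  # not a CIDR address, e.g. *.*.*.*/*
        rules.append((fields[1], fields[2], net, fields[4]))
    return rules

def first_match(rules, client_ip):
    """Return the first rule whose network contains client_ip, else None."""
    ip = ipaddress.ip_address(client_ip.split("%", 1)[0])  # drop a zone id like %11
    for rule in rules:
        if ip.version == rule[2].version and ip in rule[2]:
            return rule
    return None  # the server would report "no pg_hba.conf entry for host ..."

def audit(rules):
    """List (network, method) for rules open to every address or trusting non-loopback."""
    return [(str(net), method) for _, _, net, method in rules
            if net.prefixlen == 0 or (method == "trust" and not net.is_loopback)]

if __name__ == "__main__":
    rules = parse_host_rules(SAMPLE_HBA)
    for client in ("192.168.1.50", "10.0.2.15", "::1", "fe80::ccee:154f:18f5:418f%11"):
        hit = first_match(rules, client)
        print(client, "->", f"{hit[2]} {hit[3]}" if hit else "no matching entry")
    print("review:", audit(rules))
```

In the sample, 192.168.1.50 gets md5 because the /24 line precedes the 0.0.0.0/0 trust line; swapping those two lines would let that client in without a password.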