how to restrict specific hosts from connecting to pgbouncer? - postgresql

I am running my postgres-9.2 on port 6432 and pgbouncer on port 5432. A few of my colleagues' client machines have firewall connection permissions on port 5432 on the server machine. But as a DB admin, I wanted to restrict some IP addresses from accessing the database.
But, though I block them in the pg_hba.conf file, since the pgbouncer port is allowed, they are able to access it.
I can block at the OS firewall level, but I don't want to take the help of my system administrator. So, is there any way to restrict and deny IP addresses from accessing pgbouncer, as we generally do through pg_hba.conf for PostgreSQL?
Please suggest.

https://pgbouncer.github.io/2015/12/pgbouncer-1-7
Main changes from v1.6 are support for TLS connections, HBA control
file and authentication via unix peer uid.
So from 1.7 you have an hba file, just like in vanilla Postgres, and thus filtering connections by IP is just as easy.
Also you can use some tricks, dropping connections after they have connected, as described in my other recent answer https://stackoverflow.com/a/46191949/5315974 but again - it is more a trick for urgently getting rid of connections. Using such tricks in a while loop or as a job is generally a bad idea.
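As an added illustration (not code from the answer or from the pgbouncer project), the following Python models how a pg_hba-style file is evaluated: the first matching rule wins, a reject line placed before the broad allow blocks a host, and a client matched by no rule is refused; the same ordering logic applies to the pg_hba.conf lines quoted in the related questions below. The sample file, the reject-before-allow ordering and the restriction to plain "host" lines are constructed assumptions; PgBouncer reads such a file when auth_type = hba and auth_hba_file point at it.

```python
import ipaddress

# Constructed sample HBA file (not from the original post). Columns are:
# type, database, user, address, method. Order matters: first match wins.
SAMPLE_HBA = """
# type  database  user  address           method
host    all       all   10.0.0.5/32       reject     # blocked colleague
host    all       all   192.168.0.0/24    md5        # office LAN
host    reports   all   203.0.113.0/24    md5        # partner range, reports DB only
host    all       all   0.0.0.0/0         reject     # explicit default deny for IPv4
"""

def parse_hba(text):
    """Parse HBA lines into (type, db, user, network, method), skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        conn_type, db, user, addr, method = line.split()[:5]
        # strict=False accepts masks such as 192.168.0.1/24 (host bits set)
        rules.append((conn_type, db, user, ipaddress.ip_network(addr, strict=False), method))
    return rules

def match_hba(rules, db, user, client_ip):
    """Return the method of the first rule matching (db, user, ip), or None if no rule matches."""
    ip = ipaddress.ip_address(client_ip)
    for conn_type, rule_db, rule_user, net, method in rules:
        if conn_type != "host":          # assumption: only plain host lines are modelled
            continue
        if rule_db != "all" and rule_db != db:
            continue
        if rule_user != "all" and rule_user != user:
            continue
        if ip.version != net.version or ip not in net:
            continue
        return method
    return None

def decide(text, db, user, client_ip):
    """True if the client may proceed to authentication; False if rejected or unmatched."""
    method = match_hba(parse_hba(text), db, user, client_ip)
    return method is not None and method != "reject"

if __name__ == "__main__":
    for db, user, ip in [("app", "alice", "10.0.0.5"), ("app", "alice", "192.168.0.77"),
                         ("reports", "bob", "203.0.113.9"), ("app", "bob", "203.0.113.9")]:
        print(db, user, ip, "->", "allowed" if decide(SAMPLE_HBA, db, user, ip) else "rejected")
```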

Related

Apache Superset remote connection to PostgreSQL database: Can't determine Superset IP

I'm running a Superset instance via Docker on a MacBook Air (2019, v11.5.2, Intel i5). I'm trying to set up a remote connection to a PostgreSQL database via an AWS endpoint. I entered the credentials via the dynamic form, as such:
HOST: {dbalias}.{xyz}.us-east-1.rds.amazonaws.com
PORT: 5432
DATABASE: {dbname}
USERNAME: {username}
PASSWORD: {password}
I'm sure that my credentials are valid because I used them to connect from both Databox and DBeaver. But when I try to connect here, Superset tells me that port 5432 is closed. A little digging tells me that this is likely a firewall issue.
I know that our database is set up to only allow connections from allowed IPs, and of course my machine's IP is whitelisted, so I assume I need to whitelist the IP that is sending the connection request (i.e., Superset). However, I cannot seem to find that information. Indeed, even Superset's PostgreSQL connection instructions seem to be incomplete vis-a-vis connecting to an AWS endpoint.
Assuming I've diagnosed the problem correctly (which is by no means a guarantee), the key question is: Where can I find my Superset instance's IP to add to my PostgreSQL IP whitelist? Relatedly, would this IP change next time I launch Superset from Docker, or will it persist?
Many thanks for any consideration.

PostgreSQL Security Question Remote Connection

I was successful in connecting another computer to my local PostgreSQL Server (on Windows 10). I've added two specific lines of arguments in the respective config files.
postgresql.conf:
listen_addresses = '*'
pg_hba.conf:
host all all all md5
I understood, that this connection is now possible in my local Network, where I am currently connected to. Is this really the case, or do I have to look out for some connections outside my network to block them? (ssl = off, hope that without ssl it is only local)
For completeness, I also added a firewall rule where I allowed TCP connections for a port [Port] and profiles in a domain, private and public network.
You can limit the IP range by adding a mask like this; I'm not sure about that 3rd "all":
host all all 192.168.0.1/24 md5
In any case, you can check the log and see if pg is up and listening (pg_log or -l parameter).

Serving my postgres database online

I want to have a postgres database on a computer that I can use from multiple (external) computers. It will act as a trial server for me, leaving it on whenever I need it.
I researched how to do it and found out I had to forward the service postgres to the internet. Postgres is on port 5432. I logged in to my router, which has a forwarding option. I opened up port 5432, but can't add postgres to the list of services.
Is there a reason for that?
Actually, I found that I just have to adapt the pg_hba.conf file (just started trying). I am running Windows. Any advice is welcome, this is not my expertise. I don't understand why it would work if I just adapt the pg_hba.conf. For other services, like a game, I have to open a port in the router. Or should I do both?
From Postgres documentation - Client authentication is controlled by a configuration file, which traditionally is named pg_hba.conf and is stored in the database cluster's data directory. (HBA stands for host-based authentication.)
Each record specifies a connection type, a client IP address range (if relevant for the connection type), a database name, a user name, and the authentication method to be used for connections matching these parameters.
So it is absolutely required to set up your pg_hba.conf for it to allow access to other computers. You will also need to setup router and firewall settings for allowing incoming connections to port 5432.
Here is what you need to do
on postgresql.conf change listen_addresses to:
listen_addresses = '*'
and on pg_hba add this to the end of the file
host all all 0.0.0.0/0 md5
And also make sure the port is forwarded to the machine running Postgres from your router

Connecting to RDS Postgres from remote machine

I have configured an RDS Postgres micro instance for testing but am having a problem connecting. I have created a security group and allow all hosts (0.0.0.0/0) by default to port 5432, but for some reason I am not able to connect. I tried connecting to port 5432 on the machine but it appears to be closed. Any ideas? I have verified that the instance is using the correct security group.
This is my configuration
TCP
Port (Service)   Source      Action
5432             0.0.0.0/0   Delete
Here is how I am trying to connect to the rds service
psql -p 5432 -h example.cs945smhrv09.us-west-2.rds.amazonaws.com -U example example
UPDATE
OK, I feel a little silly after figuring out that RDS starts up on a private 172 subnet. I was able to connect from my EC2 instance.
The question now is, is there a way to put that on a public address that I can connect to? I would like to configure it with a security group that limits the source IP but then be able to connect to it with psql from my desktop.
Update 2
I don't remember all the details when I originally posted this question but it is no longer an issue. We now have a management vpc that we connect to using a vpn server. The management vpc network is trusted by the prod and devel security groups for the rds instances. We have no problem communicating with them without adding any public ips.
Step 4 of the RDS setup wizard ("Additional Config") lets you select whether the DB is Publicly Accessible or not (if it's not, access is limited to within your VPC, regardless of your security group settings). I'd imagine that determines whether the hostname resolves to 54.* vs 172.* .
Your first instance may have been set to private - as far as I can tell this can't be changed after initialization. I had a similar issue and creating a new instance set to be publicly accessible solved it for me.
My company's firewall had blocked outgoing traffic to the default postgres port, 5432. I didn't realise this until I tested the port using netcat in a terminal window, as follows:
nc -zv portquiz.net 5432
Hopefully this saves someone half a day of messing around with AWS security groups.
Absolutely there is. I have pgAdmin loaded on my local machine connected to my RDS instance.
I just confirmed that I can connect using the same syntax you used for psql, although the -U was not necessary for me (I still included both "example" parameters though)
I did edit the "default" security group and added my IP (Ip of the machine I'm connecting from)/32 to be allowed, although I'm sure you could get less restrictive than that, but I'd start there and see if it helps.
This is likely caused by your outbound firewall rules. If you're behind a corporate firewall, they will often block outbound ports above a certain number. You need to setup an SSH tunnel of some kind to avoid this.
http://conoroneill.net/accessing-amazon-rds-instances-from-your-desktop/
I had this problem. This isn't a direct solution but might work for some. I set the Postgres security group to accept connections coming from the server that will be using it (same VPC). I then set up my Postgres client to use ssh tunneling. If I need to use the command line, I simply SSH into that server and then psql from there.
You can simply use the workbench recommended by AWS, but make sure all your Postgres availability is set to everywhere while adding PostgreSQL 5432.
https://aws.amazon.com/getting-started/tutorials/create-connect-postgresql-db/

postgresql server doesn't listen

I just recently installed PostgreSQL on our server via SSH. The installation was successful, until the time I tried to connect to it using pgAdmin on my Windows machine. I received this kind of error:
could not connect to server: Connection refused (0x0000274D/10061) Is
the server running on host "xxx.xxx.xxx.xxx" and accepting TCP/IP
connections on port 5432?
xxx.xxx.xxx.xxx = my server's public IP.
The docs suggest this can be fixed by setting the value of listen_addresses = '*' in /etc/postgresql/9.1/main/postgresql.conf. I did that, but it still won't let me connect.
An additional error came up:
FATAL: no pg_hba.conf entry for host "xxx.xx.xxx.xxx", user
"postgres", database "postgres", SSL on FATAL: no pg_hba.conf entry
for host "xxx.xx.xxx.xxx", user "postgres", database "postgres", SSL
off
xxx.xx.xxx.xxx = my IP address.
What do I seem to be missing?
Things that could block a postgres connection:
misconfigured listen_address in postgresql.conf
selinux (?)
iptables
pg_hba.conf (although this should cause a different error, not server doesn't listen)
Can you connect to the server locally, if you ssh in and run psql?
On our internal dev servers, I just turn off selinux and iptables. This is a bad idea from a security standpoint, but it might serve as a temporary step to help you narrow down where the problem is.
You might need to change more than one configuration file. In your case, you probably need to edit pg_hba.conf, too. Search that file for "non-local connections".
I like to keep configuration files under version control. It's easier to recover from mistakes that way.
You probably need to restart the PostgreSQL server after making those changes.
After changing listen_addresses settings on the server, make sure to restart the PostgreSQL server (send SIGHUP to the postmaster process, with kill -HUP, etc).
Make sure that postgresql.conf port is set to 5432
Make sure that if a firewall is running on the server, that port 5432 is open for connections coming from the window's (client) machine you are using
Check pg_hba.conf to make sure that the subnet of your client machine is given access
Try using psql locally