w3resource

Comprehensive Guide to pg_hba.conf Host Configuration

Configuring pg_hba.conf Entry for Host Connections

The pg_hba.conf file in PostgreSQL controls client authentication by defining who can connect, from where, and using which authentication method. Configuring a proper pg_hba.conf entry for a host is essential for allowing secure and specific connections to your PostgreSQL database.


Syntax:

Each line in pg_hba.conf follows this syntax:

type  database  user  address  auth-method  [auth-options]

Parameters:

    1. type: The type of connection (host for TCP/IP connections).

    2. database: The target database(s). Use all for all databases.

    3. user: The user(s) allowed to connect. Use all for all users.

    4. address: Client IP address or range (e.g., 192.168.1.0/24).

    5. auth-method: The authentication method (e.g., md5, scram-sha-256, trust).

    6. auth-options (optional): Additional options like passwords or certificates.

Examples

1. Allow Connections from a Specific Host

Code:

host  mydatabase  myuser  192.168.1.100/32  md5

Explanation:

  • host: Specifies a TCP/IP connection.
  • mydatabase: Restricts the connection to mydatabase.
  • myuser: Only the user myuser can connect.
  • 192.168.1.100/32: Allows only the host with IP 192.168.1.100.
  • md5: Requires the user to provide a password hashed using MD5.

2. Allow All Connections from a Subnet

Code:

host  all  all  10.10.0.0/16  scram-sha-256

Explanation:

  • host: Allows TCP/IP connections.
  • all: Applies to all databases and users.
  • 10.10.0.0/16: Allows connections from any host in the subnet 10.10.0.0/16.
  • scram-sha-256: Ensures secure password hashing.

3. Trust Connections from Localhost

Code:

host  all  all  127.0.0.1/32  trust

Explanation:

  • host: Specifies TCP/IP connection.
  • 127.0.0.1/32: Restricts to localhost.
  • trust: No password is required. (Use only in development environments!)

Editing the pg_hba.conf File

    1. Locate the File: The pg_hba.conf file is typically located in the data directory of your PostgreSQL installation.

     
/var/lib/postgresql//main/pg_hba.conf

    2. Edit the File: Use a text editor to add or modify entries.

    sudo nano /var/lib/postgresql/14/main/pg_hba.conf

    3. Reload PostgreSQL: After making changes, reload the configuration for the changes to take effect.

     
sudo systemctl reload postgresql

    Advanced Usage

    Using CIDR Notation

    CIDR (Classless Inter-Domain Routing) allows specifying a range of IPs.

     
host  all  all  192.168.0.0/24  md5

    This entry permits all hosts in the 192.168.0.0 subnet to connect.

    Combining SSL with Host Authentication

    For secure connections, use the hostssl type.

     
hostssl  mydb  myuser  192.168.1.0/24  cert

    Common Errors and Troubleshooting

      1. Connection Refused: Ensure the client IP matches the address parameter in the entry.

      2. Authentication Failed: Verify the auth-method and user credentials.

      3. File Order Matters: PostgreSQL checks pg_hba.conf entries in order. Ensure specific rules appear before general ones.

      Precautions

      • Always test new pg_hba.conf entries in a staging environment.
      • Avoid using trust authentication in production to prevent unauthorized access.
      • Combine restrictive IP ranges with secure authentication methods (e.g., scram-sha-256).

      All PostgreSQL Questions, Answers, and Code Snippets Collection.



Become a Patron!

Follow us on Facebook and Twitter for latest update.

It will be nice if you may share this link in any developer community or anywhere else, from where other developers may find this content. Thanks.

https://w3resource.com/PostgreSQL/snippets/pg-hba-conf-host.php