Wells Oliver <wellsoliver@gmail.com> writes:
> It seems like the following is redundant:
> host all all 0.0.0.0/0 md5
> hostnossl replication replicationuser 0.0.0.0/0 md5
> The first one allows either SSL or non SSL to all users for all DBs from
> any address via MD5. Good for everything, no? Yet if I remove the second
> line, I see a bunch of:
> FATAL: no pg_hba.conf entry for replication connection from host 10....,
> user "replicationuser", SSL off
> Why is this? What am I missing?
I believe replication intentionally requires a special entry, ie is
deliberately not included in "all". The theory is that such a
connection gives access to absolutely everything in the database
cluster, which is more access than any regular connection has, so we
don't want to let one be made unintentionally.
regards, tom lane