Discussion: authentication question


authentication question

From
Cath Lawrence
Date:
Hi,

Not sure if this is a novice or a PHP question; so I sent it to both.

Anyway, I can't seem to deny access to my database through the web
server/PHP connection...

In my  pg_hba.conf, at the top, before getting to the real databases, I
have:
  # temporary, cath testing access on example
  local   temp     all                                        reject
  host    temp     all      127.0.0.1      255.255.255.255    reject
  host    temp     all      0.0.0.0        255.255.255.255    reject

Command line psql won't let me connect to temp -  so far so good.
But when I use PHP's pg_connect with host, dbname, username, password
specified, it lets me through. It does fail non-users or bad passwords
- but all existing postgresql users seem to be able to make the
connection regardless.

What have I missed? Ultimately, I am trying to set this up so only
specific known users can connect to my database from particular hosts.

thanks for any help,
regards
Cath
Cath Lawrence,                       Cath.Lawrence@anu.edu.au
Senior Scientific Programmer,  Centre for Bioinformation Science,
John Curtin School of Medical Research (room 4088)
Australian National University,  Canberra ACT 0200
ph: (02) 61257959   mobile: 0421-902694   fax: (02) 61252595


Re: authentication question

From
Robby Russell
Date:
Cath Lawrence wrote:

> Hi,
>
> Not sure if this is a novice or a PHP question; so I sent it to both.
>
> Anyway, I can't seem to deny access to my database through the web
> server/PHP connection...
>
> In my  pg_hba.conf, at the top, before getting to the real databases,
> I have:
>   # temporary, cath testing access on example
>  local   temp     all                          reject
>  host    temp     all           127.0.0.1       255.255.255.255  reject
>  host    temp  all        0.0.0.0         255.255.255.255  reject
>
> Command line psql won't let me connect to temp -  so far so good.
> But when I use PHP's pg_connect with host, dbname, username, password
> specified, it lets me through. It does fail non-users or bad passwords
> - but all existing postgresql users seem to be able to make the
> connection regardless.
>
> What have I missed? Ultimately, I am trying to set this up so only
> specific known users can connect to my database from particular hosts.


Cath,

I'm not sure if this will help you or not, but try adding this to the
bottom (seen this as a common practice)

# reject all connections from all hosts not granted above
host    all             0.0.0.0       0.0.0.0      reject

-Robby

--

Robby Russell,  Sr. Administrator / Lead Programmer
Command Prompt, Inc.
rrussell@commandprompt.com
http://www.commandprompt.com (503) 222.2783
Re: authentication question

From
Cath Lawrence
Date:
On Thursday, August 7, 2003, at 01:12  PM, Robby Russell wrote:
> Cath Lawrence wrote:
> I'm not sure if this will help you or not, but try adding this to the
> bottom (seen this as a common practice)
> # reject all connections from all hosts not granted above
> host    all             0.0.0.0       0.0.0.0      reject

D'oh! That does it. Thanks Robby.
Blindly copy'n'paste-ing a line with the wrong netmask did NOT help!

But while I'm here - how does PHP connect? If rejecting connections
from the local machine and from 127.0.0.1 didn't do the trick, why not?
(Or is that getting into network issues and I needed the host's IP
address?)

thanks again
Cath


Re: authentication question

From
Christopher Kings-Lynne
Date:
> But while I'm here - how does PHP connect? If rejecting connections
> from the local machine and from 127.0.0.1 didn't do the trick, why not?
> (Or is that getting into network issues and I needed the host's IP
> address?)

PHP is probably using a Unix domain socket (eg. /tmp/pgsql.1321 or
something), and not using an actual TCP/IP connection.

Chris


Re: authentication question

From
Robby Russell
Date:
Cath Lawrence wrote:

> On Thursday, August 7, 2003, at 01:12  PM, Robby Russell wrote:
>
>> Cath Lawrence wrote:
>> I'm not sure if this will help you or not, but try adding this to the
>> bottom (seen this as a common practice)
>> # reject all connections from all hosts not granted above
>> host    all             0.0.0.0       0.0.0.0      reject
>
>
> D'oh! That does it. Thanks Robby.
> Blindly copy'n'paste-ing a line with the wrong netmask did NOT help!
>
> But while I'm here - how does PHP connect? If rejecting connections
> from the local machine and from 127.0.0.1 didn't do the trick, why
> not? (Or is that getting into network issues and I needed the host's
> IP address?)

Cath,
It depends: is the PHP (on apache I assume) running on the same machine?
If it is, then usually rejecting 127.0.0.1 will do the trick (given that
the /etc/hosts file has an entry for localhost). If it's a remote
connection, then you will need to look at all your configuration
settings to try and determine this issue.

Glad that other bit of info helped though.


--
Robby Russell,  |  Sr. Administrator / Lead Programmer
Command Prompt, Inc.   |  http://www.commandprompt.com
rrussell@commandprompt.com | Telephone: (503) 222.2783
Re: [NOVICE] authentication question

From
Tom Lane
Date:
Robby Russell <rrussell@commandprompt.com> writes:
> I'm not sure if this will help you or not, but try adding this to the
> bottom (seen this as a common practice)

> # reject all connections from all hosts not granted above
> host    all             0.0.0.0       0.0.0.0      reject

This is unnecessary --- if the postmaster falls off the end of the file
without a match, it defaults to "reject".  Nothing wrong with having
such a line for documentation purposes, but it shouldn't change the
behavior one bit.

My guess about Cath's original problem is that the lines she showed us
only controlled attempted connections to the "temp" database ... not to
any other database.  If she had more lines later in the file, those
would be consulted for any connection to a database not named "temp".

Another common mistake (been burnt this way more than once) is to forget
to SIGHUP the postmaster (eg, pg_ctl reload) after editing the config
file.  You can get *really* confused if you are trying different things
and sometimes you remember to SIGHUP and sometimes you don't.

            regards, tom lane
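To make the three points of this thread concrete (Tom's first-match rule with an implicit reject at end of file, Chris's observation that a socket connection is matched against "local" lines rather than "host" lines, and Cath's copy-pasted 255.255.255.255 netmask that only ever matches the address 0.0.0.0), here is an added Python model of how the old IP/netmask pg_hba.conf format is evaluated. It is not code from the thread or from PostgreSQL; the config text and the md5 lines for the "real" databases are constructed for illustration.

```python
import ipaddress

# Constructed pg_hba.conf in the 7.x "address netmask" format, mirroring the thread:
# Cath's three reject lines for "temp", then lines for the real databases (assumed),
# then Robby's catch-all. Columns: type database user [address netmask] method.
HBA_CONF = """\
# temporary, cath testing access on example
local   temp   all                                   reject
host    temp   all   127.0.0.1   255.255.255.255     reject
host    temp   all   0.0.0.0     255.255.255.255     reject
# real databases (assumed for the example)
local   all    all                                   md5
host    all    all   127.0.0.1   255.255.255.255     md5
# reject all connections from all hosts not granted above
host    all    all   0.0.0.0     0.0.0.0             reject
"""

def parse_hba(text):
    """Return a list of (type, database, user, address, netmask, method) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            rules.append(("local", f[1], f[2], None, None, f[3]))
        else:
            rules.append(("host", f[1], f[2], f[3], f[4], f[5]))
    return rules

def ip_matches(client_ip, address, netmask):
    """Netmask match: client AND mask must equal address AND mask."""
    a = int(ipaddress.IPv4Address(client_ip))
    n = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(netmask))
    return (a & m) == (n & m)

def hba_method(rules, conn_type, database, user, client_ip=None):
    """First matching line wins; falling off the end of the file is a reject."""
    for rtype, db, usr, address, netmask, method in rules:
        if rtype != conn_type:
            continue                      # socket ("local") vs TCP ("host")
        if db != "all" and db != database:
            continue                      # the "temp" lines only govern "temp"
        if usr != "all" and usr != user:
            continue
        if rtype == "host" and not ip_matches(client_ip, address, netmask):
            continue
        return method
    return "reject"
```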