On Thu, April 25, 2013 01:48, Joseph wrote:
> On 04/24/13 22:27, J. Roeleveld wrote:
> [snip]
>>>
>>>Thank you for explanation.
>>>
>>>That is what I'm confused about.  When I connect to "postgresql"
>>>database from the same machine as postgres is running on I can
>>>understand.
>>>It is a local connection from localhost (127.0.0.1) so everybody is
>>>allowed but I don't understand why users on the local network can
>>>connect to my machine and login
>>>using apache when their IP is different.
>>>
>>>--
>>>Joseph
>>
>>Joseph.
>>
>>The connection to the database is done by apache. Apache connects from
>> the server where Apache is running.
>>
>>Postgresql does not know nor even care where the connection to apache
>> originates from. It only sees apache connecting to it.
>>
>>If you want to prevent people from accessing the website, you will need
>> to configure the restriction in Apache or in a firewall.
>>
>>A web browser will NOT connect directly to the database. With a lot of
>> larger applications this will not even be possible because the database
>> is on a separate server where the firewall is only allowing the webserver
>> to access the database.
>>
>>Restricting access to a website by setting restrictions on the database
>> server used by the website is pointless.
>>
>>--
>>Joost Roeleveld
>
> Thank you, now this is clear, so that pg_hba.conf has a limited use.

It has use for connections made TO the database by whichever application
needs the connection. Firefox is NOT such an application.

> So simple statement in apache directory: Allow from localhost
> will fix the issue.

Please check the apache documentation, I believe you also need to add a
deny-rule.

> When it comes to the database: how can I limit certain users from certain
> IPs to only one database?

Will those users connect DIRECTLY to the database server?

> I don't think this is possible via apache!
>
> The line: "local   all           all    trust"
> will give access to everybody.
>
> How should those lines in pg_hba.conf look if I want a user from a remote
> computer to access only one database?
> Is it:
> local   my_database           all    trust
> local   others_database       all    ident alex
>
> Does "ident" refer to the user who is allowed to log in to the database?

Yes, provided the OS can identify the username.
Apache will likely connect using "apache".

> How to list users for a particular database?

Try using passwords instead of allowing everyone full access to all
databases.

--
Joost

