Makes sense. Is this something that should be implemented in postgresql, or via pg_createcluster?
Am 19. Juli 2016 16:00:05 MESZ, schrieb Magnus Hagander <mag...@hagander.net>: >On Sun, Jul 17, 2016 at 10:07 PM, Christoph Berg <m...@debian.org> >wrote: > >> Re: Peter Eisentraut 2016-07-17 < >> d6b22200-0e65-d17e-b227-b63d81720...@2ndquadrant.com> >> > On 7/15/16 3:07 PM, Andrew Dunstan wrote: >> > > Do those packagers who install dummy certificates and turn SSL on >also >> > > change their pg_hba.conf.sample files to use hostssl?. That could >go a >> > > long way towards encouraging people. >> > >> > Debian, which I guess sort of started this, does not, but there are >> > allusions to it in the TODO list. >> >> I guess we should actually do that if we had any non-local(host) >> entries in there by default, but we don't touch the default >> pg_hba.conf from pg_createcluster. >> > >What could actually be useful there is to explicitly put hostnossl on >the >localhost entries. With the current defaults on the clients, that >wouldn't >break anything, and it would leave people without the performance >issues >that you run into in the default deployments. And for localhost it >really >does't make sense to encrypt -- for the local LAN segment that can be >argued, but for localhost... > > >-- > Magnus Hagander > Me: http://www.hagander.net/ > Work: http://www.redpill-linpro.com/
