On Tue, Jul 19, 2016 at 8:53 PM, Christoph Berg <c...@df7cb.de> wrote:
> Makes sense. Is this something that should be implemented in postgresql, > or via pg_createcluster? > > Personally I'd like to see pg_createcluster et al mimic upstream as close as possible, so I'd advocate these changes being made upstream in PostgreSQL iteslf. //Magnus > > Am 19. Juli 2016 16:00:05 MESZ, schrieb Magnus Hagander < > mag...@hagander.net>: >> >> >> >> On Sun, Jul 17, 2016 at 10:07 PM, Christoph Berg <m...@debian.org> wrote: >> >>> Re: Peter Eisentraut 2016-07-17 < >>> d6b22200-0e65-d17e-b227-b63d81720...@2ndquadrant.com> >>> > On 7/15/16 3:07 PM, Andrew Dunstan wrote: >>> > > Do those packagers who install dummy certificates and turn SSL on >>> also >>> > > change their pg_hba.conf.sample files to use hostssl?. That could go >>> a >>> > > long way towards encouraging people. >>> > >>> > Debian, which I guess sort of started this, does not, but there are >>> > allusions to it in the TODO list. >>> >>> I guess we should actually do that if we had any non-local(host) >>> entries in there by default, but we don't touch the default >>> pg_hba.conf from pg_createcluster. >>> >> >> What could actually be useful there is to explicitly put hostnossl on the >> localhost entries. With the current defaults on the clients, that wouldn't >> break anything, and it would leave people without the performance issues >> that you run into in the default deployments. And for localhost it really >> does't make sense to encrypt -- for the local LAN segment that can be >> argued, but for localhost... >> >> >> -- >> Magnus Hagander >> Me: http://www.hagander.net/ >> Work: http://www.redpill-linpro.com/ >> > -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
