PostgreSQL 9.6 : SSL/TLS Setting
2017/10/31 |
Enable SSL/TLS connection to PostgreSQL.
|
|
[1] | |
[2] | Copy certificates created above and configure PostgreSQL. |
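[root@www ~]# cp /etc/pki/tls/certs/server.key \
/etc/pki/tls/certs/server.crt \
/etc/pki/tls/certs/ca-bundle.crt \
/var/opt/rh/rh-postgresql96/lib/pgsql/data/
[root@www ~]# chown postgres. /var/opt/rh/rh-postgresql96/lib/pgsql/data/*.{crt,key}
# note: PostgreSQL refuses to load a private key owned by postgres that is group- or world-accessible;
# if the copied server.key is not already mode 0600, run "chmod 600" on it before restarting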
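[root@www ~]#
vi /var/opt/rh/rh-postgresql96/lib/pgsql/data/postgresql.conf
# line 79: uncomment and change
ssl = on
# line 84: uncomment and change
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'
ssl_ca_file = 'ca-bundle.crt'
# note: ssl_ca_file lists the CAs trusted to sign client certificates; the md5 entries in pg_hba.conf below do not require one
# if client certificate authentication is added later, point it at your own CA file, because the system-wide bundle trusts every public CA in it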
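[root@www ~]#
vi /var/opt/rh/rh-postgresql96/lib/pgsql/data/pg_hba.conf
# line 80: change as follows
# all connections except local Unix-socket ones (peer) are required to use SSL/TLS
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
#host all all 127.0.0.1/32 ident
hostssl all all 127.0.0.1/32 md5
hostssl all all 10.0.0.0/24 md5
hostssl all all ::1/128 md5
# note: hostssl matches only SSL/TLS connections; make sure no plain "host" entries remain further down the file, or unencrypted TCP logins are still accepted
# note: md5 is the strongest password method available in 9.6; on PostgreSQL 10 or later use scram-sha-256 instead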
[root@www ~]# systemctl restart rh-postgresql96-postgresql
[root@www ~]# su - postgres
-bash-4.2$ psql -l
                                  List of databases
   Name    |  Owner   | Encoding |   Collate   |    Ctype    |   Access privileges
-----------+----------+----------+-------------+-------------+-----------------------
 postgres  | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
 template0 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 template1 | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =c/postgres          +
           |          |          |             |             | postgres=CTc/postgres
 testdb    | cent     | UTF8     | en_US.UTF-8 | en_US.UTF-8 |
(4 rows)

# verify
# no SSL/TLS connection from localhost with peer
[cent@www ~]$ psql testdb
psql (9.6.5)
Type "help" for help.

testdb=>

# for other connections, connection is on SSL/TLS
[cent@www ~]$ psql "user=cent host=localhost dbname=testdb"
Password:
psql (9.6.5)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

testdb=>

# from other hosts, connection is on SSL/TLS
[cent@node01 ~]$ psql "host=www.srv.world dbname=testdb"
Password:
psql (9.6.5)
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.

testdb=>

# note: the "SSL connection" line shows that the session is encrypted, but with the default sslmode (prefer) psql does not verify the server certificate
# to authenticate the server as well, connect with sslmode=verify-full and sslrootcert set to the CA certificate that signed server.crt