CHAPTER 29 SECURING POSTGRESQL
Configuration Options

Once your server has been built with SSL support, PostgreSQL can listen for SSL connections. To enable this, you must turn on SSL by setting the ssl option to true in the postgresql.conf file, and then restart your server. By default, the server leaves it to the client's discretion to decide whether to use an SSL connection, which may or may not be what you prefer. You can change this behavior in the pg_hba.conf file through one of the following host connection types:

host: This is the default connection type. It allows both SSL and non-SSL connections, and leaves the connection method to the client. Since some clients may silently fall back on non-SSL connections, you may not want to use this connection type if you need to enforce SSL connections.

hostssl: Connections specified with the hostssl connection type will be required to connect using SSL, and non-SSL connection attempts will be rejected even if all other credentials would allow a connection. If you plan to use SSL, this is most likely the connection type you would want.

hostnossl: Requires that connections be made from a non-SSL-based client. Connections made over SSL will be rejected even if all other credentials would allow a connection.

Frequently Asked Questions

Because the SSL feature is not widely used, there is still some confusion surrounding its usage. This section attempts to offer some clarifications by answering some of the most commonly asked questions regarding this topic.

I'm using PostgreSQL solely as a back end to my Web application, and I am using HTTPS to encrypt traffic to and from the site. Do I need to encrypt the connection to the PostgreSQL server?

This depends on whether the database server is located on the same machine as the Web server. If this is the case, then encryption will likely be beneficial only if you consider the machine itself insecure.
If the database resides on a separate server, then the data could potentially be traveling unsecured from the Web server to the database server, and therefore it would warrant encryption. There is no steadfast rule regarding the use of encryption. You can reach a conclusion only after a careful weighing of security and performance factors.

I understand that encrypting Web pages using SSL will degrade performance. Does the same hold true for the encryption of PostgreSQL traffic?

Yes, your application will take a performance hit, because every data packet must be encrypted while traveling to and from the PostgreSQL server. How much of a hit will depend on a number of variables, including CPU speed and bandwidth capacity.

How do I know that the traffic is indeed encrypted?

The easiest way to ensure that the PostgreSQL traffic is encrypted is to configure a user account that requires SSL connections, and then try to connect to the SSL-enabled PostgreSQL server by supplying that user's credentials and a valid SSL certificate. If something is awry, you will receive a FATAL error when you attempt to connect.

What port does PostgreSQL use for SSL-based traffic?

The port number remains the same regardless of whether you are communicating in encrypted or unencrypted fashion. By default, this port is port 5432.
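
The host connection types described under Configuration Options can be checked mechanically. The following Python sketch is an added example, not code from the book or from PostgreSQL: it scans pg_hba.conf text and reports host and hostnossl entries for non-loopback addresses, which are the entries that permit or require unencrypted connections. The function names and the sample file contents are constructed for illustration, and loopback entries are skipped on the assumption, taken from the FAQ above, that same-machine traffic does not need encryption.

```python
import ipaddress

# Constructed sample pg_hba.conf content (illustrative, not from the book).
SAMPLE_HBA = """\
# TYPE    DATABASE  USER     ADDRESS       METHOD
local     all       postgres               peer
host      all       all      127.0.0.1/32  md5
host      appdb     webuser  10.0.0.0/24   md5
hostssl   appdb     webuser  10.0.1.0/24   md5
hostnossl all       report   192.168.5.7 255.255.255.255 md5
host      all       all      ::1/128       md5
"""

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def is_loopback(address):
    """True only if ADDRESS is a network that lies wholly in loopback space."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return False  # hostname or keyword such as "all": treat as remote

def audit_hba(text):
    """Return (line_no, type, address, reason) for cleartext-capable remote entries."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Simplification: quoted fields containing spaces or '#' are not handled.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostnossl"):
            continue  # comments, blanks, local sockets and hostssl entries
        conn_type, address = fields[0], fields[3]
        if _is_ip(fields[4]):  # netmask given as its own column
            address = f"{address}/{fields[4]}"
        if is_loopback(address):
            continue
        reason = ("client may fall back to non-SSL" if conn_type == "host"
                  else "SSL connections are rejected")
        findings.append((line_no, conn_type, address, reason))
    return findings

if __name__ == "__main__":
    for line_no, conn_type, address, reason in audit_hba(SAMPLE_HBA):
        print(f"line {line_no}: {conn_type} {address}: {reason}")
```

Each reported entry is a candidate for conversion to hostssl if SSL must be enforced for that client range.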