
List:       postgresql-general
Subject:    Re: How to confirm the pg_hba.conf service is correctly working
From:       Vijaykumar Jain <vijaykumarjain.github () gmail ! com>
Date:       2021-12-23 13:44:11
Message-ID: CAM+6J968tmDQvq8eyL8bfS63Lo_sJeTcrgBWhuJFnM0uUq8AEA () mail ! gmail ! com

On Thu, 23 Dec 2021 at 15:45, shing dong <s7eqs7eq@gmail.com> wrote:

> I have tested this feature, only had
>>
>
> host   VJ   VJ_USER   10.10.10.1/32 md5
>
> in the pg_hba.conf file
>


I may be a bit off, but can you try a couple of things, other than a fresh
install, in case you have time to debug more.

Is it possible to snapshot the VM, and set it up in a controlled
environment where you can play around with incoming connections at the
network layer
beyond the VM?
With that, is it possible for you to use gdb and debug a connection to the
postmaster?
You can set it up using the below,
Getting a stack trace of a running PostgreSQL backend on Linux/BSD -
PostgreSQL wiki
<https://wiki.postgresql.org/wiki/Getting_a_stack_trace_of_a_running_PostgreSQL_backend_on_Linux/BSD>

and then you can put a breakpoint at this function and check the input
lines it gets for parsing.
https://github.com/postgres/postgres/blob/6ab42ae36713b1e6f961c37e22f99d3e6267523b/src/backend/libpq/hba.c#L779

postgres/hba.c at 6ab42ae36713b1e6f961c37e22f99d3e6267523b ·
postgres/postgres (github.com)
<https://github.com/postgres/postgres/blob/6ab42ae36713b1e6f961c37e22f99d3e6267523b/src/backend/libpq/hba.c#L1438>

But maybe this helps identify why other IPs are being allowed.
To be more paranoid, you can all reject from the IP you are trying to make
a connection, and trace that specific rule.

This might be an overkill and maybe a waste of effort given you already can
query the hba view, but in case you want to try it out.
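
Added example, not part of the original message and not PostgreSQL's own code: a small offline check of which pg_hba.conf record is the first to match a given connection attempt, since the server uses the first matching record and refuses the connection when none matches. It assumes a simplified subset (plain `host` records, literal names or `all`, CIDR addresses or `all`); the sample file and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the rule from the quoted message, preceded by a broader
# rule of the kind that would let other IPs in before the /32 is consulted.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS         METHOD
host    all       all      10.10.10.0/24   trust
host    VJ        VJ_USER  10.10.10.1/32   md5
"""

def parse_hba(text):
    """Return (line_number, type, dbs, users, address, method) per host record."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "host":
            continue  # blank, comment, or a record type outside this subset
        rtype, dbs, users, addr, method = fields[:5]
        rules.append((lineno, rtype, dbs.split(","), users.split(","), addr, method))
    return rules

def first_match(rules, database, user, client_ip):
    """Return the first record that applies to this attempt, or None."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        _lineno, _type, dbs, users, addr, _method = rule
        if "all" not in dbs and database not in dbs:
            continue
        if "all" not in users and user not in users:
            continue
        if addr != "all" and ip not in ipaddress.ip_network(addr, strict=False):
            continue
        return rule  # first match wins; later records are never examined
    return None  # no record matched: the connection is refused

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for ip in ("10.10.10.1", "10.10.10.7", "192.0.2.5"):
        hit = first_match(rules, "VJ", "VJ_USER", ip)
        print(ip, "->", f"line {hit[0]} ({hit[5]})" if hit else "no match, refused")
```

Comparing the reported line number with the `line_number` column of the `pg_hba_file_rules` view shows whether the running server loaded the same records you are reasoning about.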
