Original source: http://stackoverflow.com/questions/9764126/
Warning: this content is provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must attribute it to the original authors (not me): StackOverflow
How to configure postgresql postgresql.conf listen_addresses for multiple ip addresses
Asked by chrismarx
I can connect just fine to a remote postgresql server that has connection restrictions to a few IPs in the pg_hba.conf, but is this enough if you have listen_addresses set to "*" in the postgresql.conf file?
That file indicates that that parameter can take a comma-separated list of IP addresses, but if I do that, I lose the ability to connect remotely.
postgresql-8.4.9 rhel
Answered by dbenhur
listen_addresses controls which IPs the server will answer on, not which IPs the server will permit connections to authenticate from. It's entirely reasonable and normal to use listen_addresses '*' so the server will accept incoming connections on any IP assigned to an interface on the postgresql server host, while using pg_hba.conf to control access at a finer-grained level for which IPs the server will accept logins from for specific databases and users.
Answered by araqnid
Setting listen_addresses to '*' is normal, as dbenhur points out. Also you can use tools such as iptables to deny access to the port apart from certain remote IPs. You can even do both: redundancy in security is not necessarily a bad thing (although, relying on IP address security isn't so good).
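The split described in dbenhur's answer (listen_addresses picks the server-side addresses that get a listener, pg_hba.conf picks which client addresses may log in) can be modelled as below. This is an added example, not part of the original thread and not PostgreSQL code. The function names, addresses, database and user are constructed, and the model is simplified: it handles only '*' and numeric IPs in listen_addresses, and only "host" records with CIDR addresses in pg_hba.conf.

```python
import ipaddress

# Constructed sample data: addresses come from documentation ranges.
LOCAL_IPS = {"127.0.0.1", "192.0.2.10", "10.0.0.5"}  # IPs on the server's own interfaces
HBA = """
# TYPE  DATABASE  USER     ADDRESS          METHOD
host    appdb     appuser  203.0.113.7/32   md5
host    all       all      127.0.0.1/32     md5
"""

def bound_addresses(listen_addresses, local_ips=LOCAL_IPS):
    """Server addresses that end up with a listener (simplified model)."""
    entries = [e.strip() for e in listen_addresses.split(",") if e.strip()]
    if "*" in entries:
        return set(local_ips)
    # Only addresses assigned to the server's own interfaces can be bound;
    # a client's address listed here opens nothing.
    return {e for e in entries if e in local_ips}

def hba_method(hba_text, database, user, client_ip):
    """Auth method of the first matching 'host' record, or None if none matches."""
    client = ipaddress.ip_address(client_ip)
    for line in hba_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "host":
            continue
        _, dbs, users, cidr, method = fields[:5]
        if not any(d in ("all", database) for d in dbs.split(",")):
            continue
        if not any(u in ("all", user) for u in users.split(",")):
            continue
        if client in ipaddress.ip_network(cidr, strict=False):
            return method  # first match wins; later records are not consulted
    return None

def can_log_in(listen_addresses, server_ip, database, user, client_ip, hba_text=HBA):
    """Apply both layers in order: listener first, then pg_hba.conf."""
    if server_ip not in bound_addresses(listen_addresses):
        return "no listener on " + server_ip
    method = hba_method(hba_text, database, user, client_ip)
    if method in (None, "reject"):
        return "rejected by pg_hba.conf"
    return "authenticate with " + method
```

With listen_addresses set to a client address such as 203.0.113.7, the model reports no listener on 192.0.2.10, which is one way a comma-separated list can cost remote access. The question does not say which addresses were actually listed.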