Question
I'm trying to block access to my PostgreSQL and allow access only to Localhost and my machine external IP, something like: "172.211.xx.xx". This IP is provided by my ISP (Internet Service Provider).
In postgresql.conf I set the following line:
listen_addresses = '179.211.xx.xx'
But I can't connect to the database from my machine. I get "Server don't listen". If I change to:
listen_addresses = '*'
everything works, but I can't do it. I need to enable access only to this IP. This is a security requirement of my project.
My pg_hba.conf:
host all all 0.0.0.0/0 md5
Answer 1:
The parameter listen_addresses in postgresql.conf sort of controls which IP addresses the server will answer on, not which ones the server will permit connections to authenticate. In my eyes, it's alright to set the listen_addresses to * and constrain the rest in the pg_hba.conf. In other words: doing the fine tuning in the pg_hba.conf is just fine.
So ..
listen_addresses = '*'
.. and ..
host all all 179.211.198.0/24 md5
.. should do. Which means that all users have access to all databases from this IP range. You can go further, limiting access for specific users to certain databases:
host my_db my_user 179.211.198.0/24 md5
Answer 2:
In addition to Jim Jones' answer, note that listen_addresses can also take a list of IP addresses and/or host names.
If you have several interfaces and/or several IP addresses, and don't want Postgres to listen on all of them (for example to only listen on a LAN interface, but not on the WAN interface), you can use something like this in postgresql.conf:
listen_addresses = '127.0.0.1,192.168.1.2,192.168.1.3,my_server.example.lan'
Then, you still want to also configure pg_hba.conf and/or your firewall for control of the clients.
Answer 3:
Had the same: listen_addresses = '*' was working but a particular IP was rejected. My mistake was that the IP to use should be NOT the IP of the remote server trying to connect to PostgreSQL, and not a public IP of the PostgreSQL server, but the IP of a network interface (duh). For example, on the PostgreSQL server run ip a or ifconfig:
ip a
....
inet XX.X.X.XXX ....
then in postgresql.conf use the returned IP:
listen_addresses = 'XX.X.X.XXX,localhost'
plus in pg_hba.conf the IP of the remote server trying to connect to PostgreSQL. Let's say the IP of the remote server trying to connect is YY.Y.YYY.Y:
host my_db my_psql_user YY.Y.YYY.Y/32 md5
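Added example, not part of any answer above: a small Python audit of the two settings the answers discuss. It flags listen_addresses entries that are not addresses of a local interface, flags pg_hba.conf records open to every client, and shows which record a given client would hit first. The function names, the sample records and the LOCAL_ADDRS set are assumptions made up for illustration; only CIDR-form `host` records with plain or `all` database and user fields are handled, and host names in listen_addresses are compared literally.

```python
import ipaddress

def parse_hba(text):
    """Parse 'host*' records: TYPE DATABASE USER ADDRESS METHOD (CIDR form only)."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields or not fields[0].startswith("host"):
            continue  # skip blank lines, comments and 'local' records
        if len(fields) < 5:
            raise ValueError(f"record has no auth method: {raw.strip()!r}")
        rules.append({"db": fields[1], "user": fields[2],
                      "net": ipaddress.ip_network(fields[3], strict=False),
                      "method": fields[4]})
    return rules

def first_match(rules, db, user, client_ip):
    """PostgreSQL applies the first matching record; no match means rejection."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if (r["db"] in ("all", db) and r["user"] in ("all", user)
                and ip.version == r["net"].version and ip in r["net"]):
            return r
    return None

def open_to_world(rules):
    """Records such as 0.0.0.0/0 that admit any client address."""
    return [r for r in rules if r["net"].prefixlen == 0 and r["method"] != "reject"]

def unbindable(listen_addresses, local_addrs):
    """listen_addresses entries that are not addresses of this host's interfaces."""
    entries = [e.strip() for e in listen_addresses.strip("'").split(",")]
    return [e for e in entries
            if e not in ("*", "0.0.0.0", "::", "localhost") and e not in local_addrs]

# Constructed sample data (documentation address ranges), not from the page.
SAMPLE_HBA = """
host my_db my_user 203.0.113.7/32 md5   # the one permitted remote client
host all   all     127.0.0.1/32   md5   # local connections
"""
LOCAL_ADDRS = {"127.0.0.1", "10.0.0.5"}  # assumed interface addresses from `ip a`

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    print("cannot bind:", unbindable("'203.0.113.7,localhost'", LOCAL_ADDRS))
    print("open to world:", open_to_world(rules))
    print("203.0.113.8 ->", first_match(rules, "my_db", "my_user", "203.0.113.8"))
```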
Source: https://stackoverflow.com/questions/49348689/postgres-cant-listen-to-a-specific-ip-address