Because PostgreSQL is a flexible and powerful database server, many parameters can be configured and modified to achieve a maximum amount of performance and to make PostgreSQL behave the way you want it to. In general, two files are important for configuring your database. pg_hba.conf contains the network settings and postgresql.conf contains almost all other parameters. In this section you will find out how PostgreSQL can be configured and what settings you can make to achieve your target. 10.3.1 Runtime ParametersPostgreSQL's runtime parameters can be found in postgresql.conf, which is located in your database cluster. The syntax of the file is easy and you will learn about the most important entries in this section. The entries will be discussed in the same order they occur in the default configuration file of PostgreSQL. This way it should be an easy task to find information about a certain setting quickly:
If you are running a small database system, most of the default settings will satisfy your demands. In huge installations or complex operations that have to be performed by the database, we recommend that you take a closer look at these settings to get the maximum performance out of your system. 10.3.2 Network SecuritySo far, you have learned about the runtime parameters of PostgreSQL. In this section you will learn to configure PostgreSQL for use in network environments. The most important configuration file for running PostgreSQL in a network is called pg_hba.conf. This file is used to restrict or allow access to the database via a TCP/IP network. In addition to allowing and restricting, you can define which computers on the network have to use which kind of user authentication (if any). The format of the pg_hba.conf file is easy take a look at the syntax overview: host DBNAME IP_ADDRESS ADDRESS_MASK AUTH_TYPE [AUTH_ARGUMENT] hostssl DBNAME IP_ADDRESS ADDRESS_MASK AUTH_TYPE [AUTH_ARGUMENT] local DBNAME AUTH_TYPE [AUTH_ARGUMENT] A pg_hba.conf file can contain three different kinds of records. host records are used to restrict or allow the access of remote machines connecting to PostgreSQL via TCP/IP. First, the name of the database you want to restrict or allow has to be defined. If you want to define a setting affecting all databases, you can use the keyword all. In the next field the IP address of a host or an IP range has to be defined. In the fourth column, a netmask has to be defined to tell PostgreSQL how big a network is. AUTH_TYPE tells PostgreSQL what kind of authentication has to be used. In the last column, arguments can be passed to the database. Let's take a closer look at the kinds of user authentication that are supported by PostgreSQL:
The same ways of authentication can be used in combination with hostssl instead of host. local records are equal to host and hostssl records, but the IP address and the netmask do not have to be defined because PostgreSQL uses Unix sockets instead of TCP/IP. Now that you have seen which methods and flags are provided by PostgreSQL, it is time to have a look at some examples: local all trust host all 127.0.0.1 255.255.255.255 trust In the default configuration the local machine can access all databases without user authentication. local means that all connections are established via Unix sockets and not via TCP/IP. In the second line you can see that local connections using the loopback device are allowed as well. If you want to allow remote users to connect to the database, some lines have to be added: local all trust host all 127.0.0.1 255.255.255.255 trust host phpbook 212.186.25.254 255.255.255.255 password host phpbook 192.168.1.0 255.255.255.0 crypt In this example two lines have been added to the configuration. The third line tells PostgreSQL to allow users at 212.186.25.254 to connect to the database called phpbook using a password. In addition, the entire network 192.168.1.x can access phpbook as well using passwords. In this case the passwords will be sent to the server in an encrypted way. Before you try to connect to the database, you can define the password of the user called hs: phpbook=> ALTER USER hs UNENCRYPTED PASSWORD 'mypasswd'; ALTER USER Let's try to connect to the database located on 212.186.25.254: [postgres@athlon pgdb]$ psql -h 212.186.25.254 -d phpbook psql: could not connect to server: Connection refused Is the server running on host 212.186.25.254 and accepting TCP/IP connections on port 5432? Although you have changed pg_hba.conf, you cannot connect to the database. To solve the problem, you can restart the server. In the first step, the server is shut down: [postgres@athlon pgdb]$ pg_ctl -D /var/pgdb/ stop waiting for postmaster to shut down......done postmaster successfully shut down If no errors occurred, PostgreSQL can be started: [postgres@athlon pgdb]$ pg_ctl -D /var/pgdb/ -o "-i" start postmaster successfully started DEBUG: database system was shut down at 2001-12-09 01:12:14 CET DEBUG: checkpoint record is at 0/FE5174 DEBUG: redo record is at 0/FE5174; undo record is at 0/0; shutdown TRUE DEBUG: next transaction id: 3300; next oid: 26077 DEBUG: database system is ready Don't forget the -i flag to make PostgreSQL listen to TCP/IP connections. When starting the server, PostgreSQL reads the configuration file and uses the new settings. Therefore you can connect to the database now: [postgres@athlon pgdb]$ psql -h 212.186.25.254 -d phpbook -U hs Password: Welcome to psql, the PostgreSQL interactive terminal. Type: \copyright for distribution terms \h for help with SQL commands \? for help on internal slash commands \g or terminate with semicolon to execute query \q to quit phpbook=> A password must be passed to PostgreSQL, and if it is correct, you will be in the interactive shell. When I am teaching, people are always asking me about the behavior of PostgreSQL when the pg_hba.conf file is not definite. Because this is an important point, I have decided to include a practical example here: local all trust host all 127.0.0.1 255.255.255.255 trust host phpbook 212.186.25.254 255.255.255.255 password host phpbook 212.186.25.254 255.255.255.255 reject In the third line, it says that phpbook on 212.186.25.254 can be accessed. In the fourth line, the exact opposite is defined. What is PostgreSQL going to do? After restarting the server, you can easily find the answer: [postgres@athlon postgres]$ psql -h 212.186.25.254 -d phpbook -U hs Password: Welcome to psql, the PostgreSQL interactive terminal. Type: \copyright for distribution terms \h for help with SQL commands \? for help on internal slash commands \g or terminate with semicolon to execute query \q to quit phpbook=> You can connect to the database just as you have done before: PostgreSQL takes the settings in the third line because the first line is the first one to configure 212.186.25.254. If the third and the fourth line are switched, the situation will be different: local all trust host all 127.0.0.1 255.255.255.255 trust host phpbook 212.186.25.254 255.255.255.255 reject host phpbook 212.186.25.254 255.255.255.255 password After restarting the server, PostgreSQL will tell you that you are not allowed to access the database because the first line defining 212.186.25.254 contains reject: [postgres@athlon postgres]$ psql -h 212.186.25.254 -d phpbook -U hs psql: FATAL 1: No pg_hba.conf entry for host 212.186.25.254, user hs, database phpbook It is necessary to know how PostgreSQL treats ambiguous configuration files because otherwise the configuration you have built might not be enough. If you are in doubt, we always recommend that you check your configuration using an IP spoofer. 10.3.3 Advanced Authentication and SSLConfiguring business-critical and huge systems demands additional features. Business-critical applications especially demand a high level of security, so it can be useful to work with things like Secure Socket Layer (SSL) to transmit data over a network in a secure way. In addition to secure transmission, a more complex and more flexible authentication system can be used. This section will provide a brief overview of the most important ways of authenticating. 10.3.3.1 Using SSLTo achieve a higher level of security, PostgreSQL can be used in combination with OpenSSL, which is natively supported by PostgreSQL. For using SSL some basic steps have to be taken. The first thing to do is to add the appropriate entries to pg_hba.conf: local all trust host all 127.0.0.1 255.255.255.255 trust hostssl phpbook 212.186.25.254 255.255.255.255 password [postgres@athlon tmp]$ pg_ctl -D /var/pgdb/ -o "-i -l" start postmaster successfully started /usr/local/postgresql/bin/postmaster: failed to load server certificate (/var/pgdb//server.crt): No such file or directory To use PostgreSQL with SSL keys, certificates have to be generated. The algorithm used by OpenSSL is based on a public and a private key. In this section you will not learn about how to use SSL in detail because this is beyond the scope of this book. The only thing you will see is how to generate a self-signed certificate fast. Let's see how it works: [postgres@athlon tmp]$ openssl req -new -text -out cert.req Using configuration from /usr/share/ssl/openssl.cnf Generating a 1024 bit RSA private key .++++++ ..++++++ writing new private key to 'privkey.pem' Enter PEM pass phrase: Verifying password - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:AT State or Province Name (full name) [Some-State]:Vienna Locality Name (eg, city) []:Vienna Organization Name (eg, company) [Internet Widgits Pty Ltd]:www.cybertec.at Organizational Unit Name (eg, section) []:Marketing Common Name (eg, your name or your server's hostname) []:athlon Email Address []:hs@cybertec.at Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:iloveyou An optional company name []: Just enter the command at the beginning of the listing and answer all questions you are asked. The key will be passphrase-protected. To remove the passphrase, which is necessary to start the postmaster automatically, run the following command: [postgres@athlon tmp]$ openssl rsa -in privkey.pem -out cert.*pem* read RSA key Enter PEM pass phrase: writing RSA key In the next step, the certificate has to be turned into a self-signed certificate: [postgres@athlon pgdb]$ openssl req -x509 -in cert.req -text -key cert.pem -out cert.cert Using configuration from /usr/share/ssl/openssl.cnf Finally, the only thing left to do is to copy the key to the directory where the postmaster will look for it. In this scenario the directory will be the root directory of the database cluster the postmaster has been started for: [postgres@athlon pgdb]$ cp cert.pem /var/pgdb/server.key [postgres@athlon pgdb]$ cp cert.cert /var/pgdb/server.crt Now that the certificates are ready, you can start the postmaster: [postgres@athlon pgdb]$ pg_ctl -D /var/pgdb/ -o "-i -l" start postmaster successfully started DEBUG: database system was shut down at 2001-12-09 17:20:47 CET DEBUG: checkpoint record is at 0/16FC92C DEBUG: redo record is at 0/16FC92C; undo record is at 0/0; shutdown TRUE DEBUG: next transaction id: 45517; next oid: 36086 DEBUG: database system is ready No errors occurred, and you can start working with PostgreSQL safely via SSL: [postgres@athlon pgdb]$ psql -d phpbook -h 212.186.25.254 -U hs Password: Welcome to psql, the PostgreSQL interactive terminal. Type: \copyright for distribution terms \h for help with SQL commands \? for help on internal slash commands \g or terminate with semicolon to execute query \q to quit SSL connection (cipher: DES-CBC3-SHA, bits: 168) phpbook=> When starting the front end, PostgreSQL will mention that the connection has been established via SSL. 10.3.3.2 Kerberos AuthenticationKerberos is a standard way of performing secure authentication across a public network. Kerberos is a protocol designed for authentication. Nowadays it is used by many commercial products as well as open source products. In PostgreSQL, Kerberos 4 and Kerberos 5 are supported, but only one version can be enabled at a time. Networks are insecure and it is not recommended to transmit information as plain text without using encryption. Some people try to secure their networks using firewalls, but in many cases the potential threat comes from both inside and from somewhere outside. Therefore those parts that are considered to be secure are sometimes more insecure than others. This problem is addressed by Kerberos whose protocol makes heavy use of cryptography. Kerberos can be used as a security solution for entire companies and also works reliably in combination with PostgreSQL. |