How to configure postgresql postgresql.conf listen_addresses for multiple ip addresses
Solution 1
listen_addresses controls which IPs the server will answer on, not which IPs the server will permit connections to authenticate from. It's entirely reasonable and normal to use listen_addresses '*'
so the server will accept incoming connections on any ip assigned to an interface on the postgresql server host, while using pg_hba.conf to control access at a finer grained level for which IPs the server will accept logins from for specific databases and users.
Solution 2
Setting listen_addresses to '*' is normal, as dbenhur points out. Also you can use tools such as iptables to deny access to the port apart from certain remote IPs. You can even do both: redundancy in security is not necessarily a bad thing (although, relying on IP address security isn't so good).
chrismarx
Software Engineer, Typescript, NodeJs, Angular, NestJs, VueJs, Java, Spring, JPA, Oracle, Postgres/Gis, Hibernate, Apache, HTML5, jQuery, CSS3. Lots of experience and passion for building applications with some kind of mapping/map visualization aspect, GIS with QGIS, R, Geoserver
Updated on July 05, 2022Comments
-
chrismarx almost 2 years
I can connect just fine to a remote postgresql server that has connection restrictions to a few IPs in the pg_hba.conf, but is this enough if you have
listen_addresses
set to"*"
in the postgresql.conf file?That files indicates that that parameter can take a comma separated list of ip addresses, but if i do that, I lose the ability to connect remotely.
postgresql-8.4.9 rhel
-
chrismarx over 12 yearsok, thats what I wanted to know, makes the issue of getting the comma separated list in there moot. thanks!
-
chrismarx over 12 yearsyeah, there is already ip based firewalls in place, just trying to make sure everything is configured as best it can be-
-
Craig Ringer over 11 yearsEdited to make it more explicit that
pg_hba.conf
controls login. The server still accepts the TCP/IP connections on any listening interface and converses with the connecting client. It just quickly concludes that the client isn't from a permitted IP range and closes the connection. This means among other things that pre-auth exploits could work withpg_hba
exclusion but not if Pg simply wasn't listening on the interface the exploit came in on. Firewall rules, notlisten_addresses
, are the answer to that. -
ted.strauss about 11 yearsThis solution worked for me on postgres 9.1. Thanks @CraigRinger
-
Basil Bourque over 5 years@CraigRinger This is still not clear to me, with the pronouns in your comment confusing me. Are you saying that pre-auth exploits are possible despite
listen_addresses
or despitepg_hba
? In other words, the Postgres server engages the client as part of discerning thelisten_addresses
rule or does thelisten_addresses
rule prevent any server-client engagement? -
Craig Ringer over 5 years@BasilBourque
listen_addresses
will work; nobody can connect even to pre-auth on an interface Pg doesn't listen on. But it has practical issues - it doesn't work if your IP changes, it doesn't work well on interfaces that may go up and down, etc. In practice I recommend limitinglisten_addresses
to localhost if you want a localhost-only server; otherwise, set it to*
and use firewall rules to control which hosts can make TCP connections in a finer grained, interface-status-independent way. There's nothing wrong with using listen_addresses as a backstop if you have static ifaces. -
Basil Bourque over 5 years@CraigRinger I believe this is an important enough topic to warrant its own specific Question, so I posted on the DBA Stack Exchange, Can
listen_addresses
system configuration setting in Postgres stop pre-authentication exploits?. Perhaps you would be willing to provide a Answer there. -
gies0r almost 5 years
/etc/postgresql/11/main/postgresql.conf
is the place to addlisten_addresses
on Ubuntu -
leopold about 2 yearsthe path has been updated to
/etc/postgresql/14/main/postgresql.conf