Sophie

Sophie

distrib > Mageia > 7 > armv7hl > media > core-updates > by-pkgid > 5fea23694c765462b86d6ddf74461eab > files > 919

postgresql9.6-docs-9.6.22-1.mga7.noarch.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Secure TCP/IP Connections with SSH Tunnels</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REV="MADE"
HREF="mailto:pgsql-docs@postgresql.org"><LINK
REL="HOME"
TITLE="PostgreSQL 9.6.22 Documentation"
HREF="index.html"><LINK
REL="UP"
TITLE="Server Setup and Operation"
HREF="runtime.html"><LINK
REL="PREVIOUS"
TITLE="Secure TCP/IP Connections with SSL"
HREF="ssl-tcp.html"><LINK
REL="NEXT"
TITLE="Registering Event Log on Windows"
HREF="event-log-registration.html"><LINK
REL="STYLESHEET"
TYPE="text/css"
HREF="stylesheet.css"><META
HTTP-EQUIV="Content-Type"
CONTENT="text/html; charset=ISO-8859-1"><META
NAME="creation"
CONTENT="2021-05-18T09:16:10"></HEAD
><BODY
CLASS="SECT1"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="4"
ALIGN="center"
VALIGN="bottom"
><A
HREF="index.html"
>PostgreSQL 9.6.22 Documentation</A
></TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
TITLE="Secure TCP/IP Connections with SSL"
HREF="ssl-tcp.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="top"
><A
HREF="runtime.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="60%"
ALIGN="center"
VALIGN="bottom"
>Chapter 18. Server Setup and Operation</TD
><TD
WIDTH="20%"
ALIGN="right"
VALIGN="top"
><A
TITLE="Registering Event Log on Windows"
HREF="event-log-registration.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="SSH-TUNNELS"
>18.10. Secure TCP/IP Connections with <SPAN
CLASS="APPLICATION"
>SSH</SPAN
> Tunnels</A
></H1
><P
>   It is possible to use <SPAN
CLASS="APPLICATION"
>SSH</SPAN
> to encrypt the network
   connection between clients and a
   <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> server. Done properly, this
   provides an adequately secure network connection, even for non-SSL-capable
   clients.
  </P
><P
>   First make sure that an <SPAN
CLASS="APPLICATION"
>SSH</SPAN
> server is
   running properly on the same machine as the
   <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> server and that you can log in using
   <TT
CLASS="COMMAND"
>ssh</TT
> as some user;  you then can establish a
   secure tunnel to the remote server.  A secure tunnel listens on a
   local port and forwards all traffic to a port on the remote machine.
   Traffic sent to the remote port can arrive on its
   <TT
CLASS="LITERAL"
>localhost</TT
> address, or different bind
   address if desired;  it does not appear as coming from your
   local machine.  This command creates a secure tunnel from the client
   machine to the remote machine <TT
CLASS="LITERAL"
>foo.com</TT
>:
</P><PRE
CLASS="PROGRAMLISTING"
>ssh -L 63333:localhost:5432 joe@foo.com</PRE
><P>
   The first number in the <TT
CLASS="OPTION"
>-L</TT
> argument, 63333, is the
   local port number of the tunnel; it can be any unused port.  (IANA
   reserves ports 49152 through 65535 for private use.)  The name or IP
   address after this is the remote bind address you are connecting to,
   i.e., <TT
CLASS="LITERAL"
>localhost</TT
>, which is the default.  The second
   number, 5432, is the remote end of the tunnel, e.g., the port number
   your database server is using.  In order to connect to the database
   server using this tunnel, you connect to port 63333 on the local
   machine:
</P><PRE
CLASS="PROGRAMLISTING"
>psql -h localhost -p 63333 postgres</PRE
><P>
   To the database server it will then look as though you are
   user <TT
CLASS="LITERAL"
>joe</TT
> on host <TT
CLASS="LITERAL"
>foo.com</TT
>
   connecting to the <TT
CLASS="LITERAL"
>localhost</TT
> bind address, and it
   will use whatever authentication procedure was configured for
   connections by that user to that bind address.  Note that the server will not
   think the connection is SSL-encrypted, since in fact it is not
   encrypted between the
   <SPAN
CLASS="APPLICATION"
>SSH</SPAN
> server and the
   <SPAN
CLASS="PRODUCTNAME"
>PostgreSQL</SPAN
> server.  This should not pose any
   extra security risk because they are on the same machine.
  </P
><P
>   In order for the
   tunnel setup to succeed you must be allowed to connect via
   <TT
CLASS="COMMAND"
>ssh</TT
> as <TT
CLASS="LITERAL"
>joe@foo.com</TT
>, just
   as if you had attempted to use <TT
CLASS="COMMAND"
>ssh</TT
> to create a
   terminal session.
  </P
><P
>   You could also have set up port forwarding as
</P><PRE
CLASS="PROGRAMLISTING"
>ssh -L 63333:foo.com:5432 joe@foo.com</PRE
><P>
   but then the database server will see the connection as coming in
   on its <TT
CLASS="LITERAL"
>foo.com</TT
> bind address, which is not opened by
   the default setting <TT
CLASS="LITERAL"
>listen_addresses =
   'localhost'</TT
>.  This is usually not what you want.
  </P
><P
>   If you have to <SPAN
CLASS="QUOTE"
>"hop"</SPAN
> to the database server via some
   login host, one possible setup could look like this:
</P><PRE
CLASS="PROGRAMLISTING"
>ssh -L 63333:db.foo.com:5432 joe@shell.foo.com</PRE
><P>
   Note that this way the connection
   from <TT
CLASS="LITERAL"
>shell.foo.com</TT
>
   to <TT
CLASS="LITERAL"
>db.foo.com</TT
> will not be encrypted by the SSH
   tunnel.
   SSH offers quite a few configuration possibilities when the network
   is restricted in various ways.  Please refer to the SSH
   documentation for details.
  </P
><DIV
CLASS="TIP"
><BLOCKQUOTE
CLASS="TIP"
><P
><B
>Tip: </B
>    Several other applications exist that can provide secure tunnels using
    a procedure similar in concept to the one just described.
   </P
></BLOCKQUOTE
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="ssl-tcp.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="event-log-registration.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Secure TCP/IP Connections with SSL</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="runtime.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Registering <SPAN
CLASS="APPLICATION"
>Event Log</SPAN
> on <SPAN
CLASS="SYSTEMITEM"
>Windows</SPAN
></TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional