# =============================================================================
# PostgreSQL Client Authentication Configuration (pg_hba.conf)
# =============================================================================
#
# Host: apricot (10.9.0.1 on VPN)
# Purpose: Control client authentication for PostgreSQL connections
#
# Format:
#   TYPE  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
#
# Types:
#   local      - Unix-domain socket connections
#   host       - TCP/IP connections (SSL or non-SSL)
#   hostssl    - TCP/IP connections with SSL only
#   hostnossl  - TCP/IP connections without SSL
#
# Methods:
#   trust          - Allow connection without password (not recommended)
#   reject         - Reject connection unconditionally
#   scram-sha-256  - Password authentication with SCRAM-SHA-256 (recommended)
#   md5            - Password authentication with MD5 (legacy)
#   peer           - Use OS username (local connections only)
#
# =============================================================================
# Local connections (within Docker container)
# =============================================================================
# TYPE  DATABASE  USER      ADDRESS         METHOD

# Allow postgres superuser via Unix socket (for maintenance)
local   all       postgres                  peer

# Allow all users via Unix socket with password
local   all       all                       scram-sha-256

# =============================================================================
# VPN Network Connections (10.9.0.0/24)
# =============================================================================
# Allow connections from VPN subnet with password authentication
# This includes:
#   - Apricot itself (10.9.0.1)
#   - VPS (10.9.0.2)
#   - Any other VPN-connected devices
host    all       all       10.9.0.0/24     scram-sha-256

# =============================================================================
# Docker Network Connections (if not using host network mode)
# =============================================================================
# Allow connections from Docker bridge network (172.17.0.0/16)
# Uncomment if using Docker bridge networking instead of host mode
# host  all       all       172.17.0.0/16   scram-sha-256

# Allow connections from custom Docker networks (172.18.0.0/16)
# Uncomment if using custom Docker networks
# host  all       all       172.18.0.0/16   scram-sha-256

# =============================================================================
# Localhost Connections
# =============================================================================
# Allow connections from localhost (apricot itself)
host    all       all       127.0.0.1/32    scram-sha-256
host    all       all       ::1/128         scram-sha-256

# =============================================================================
# SSL-Only Connections (Optional)
# =============================================================================
# If SSL is required, replace 'host' with 'hostssl' above
# Example:
# hostssl  all    all       10.9.0.0/24     scram-sha-256

# Reject non-SSL connections from VPN (if SSL is mandatory)
# Uncomment after SSL is configured:
# hostnossl  all  all       10.9.0.0/24     reject

# =============================================================================
# Reject All Other Connections
# =============================================================================
# Explicitly reject connections from any other source
# This is a security measure to prevent unauthorized access
host    all       all       0.0.0.0/0       reject
host    all       all       ::/0            reject

# =============================================================================
# NOTES
# =============================================================================
#
# 1. Security Best Practices:
#    - Always use scram-sha-256 for password authentication
#    - Never use 'trust' method in production
#    - Restrict access to known networks only
#    - Consider enabling SSL for all remote connections
#
# 2. VPN Access:
#    - VPN subnet is 10.9.0.0/24
#    - Apricot (this server): 10.9.0.1
#    - VPS: 10.9.0.2
#    - All connections from VPN are authenticated with password
#
# 3. Troubleshooting:
#    - Check logs:       docker-compose logs postgres
#    - Test connection:  psql -h 10.9.0.1 -U postgres -d lilith_platform
#    - Reload config:    docker-compose exec postgres pg_ctl reload
#
# 4. SSL Configuration:
#    - To enable SSL, uncomment SSL settings in postgresql.conf
#    - Provide certificate files in postgresql/ssl/ directory
#    - Replace 'host' with 'hostssl' in this file
#
# 5. After Changes:
#    - Reload PostgreSQL to apply changes (no restart needed)
#    - Test connections to verify access rules
#
# =============================================================================
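The rules above only work as intended because PostgreSQL evaluates pg_hba.conf top to bottom and applies the first record whose type, address, database and user all match; there is no fall-through to later records. That is why the final `reject` lines catch everything not listed earlier, and also why the commented-out `hostnossl ... reject` rule would have no effect unless the VPN `host` rule above it is changed to `hostssl` as the file instructs: a plain `host` record matches both SSL and non-SSL connections, so the later `hostnossl` record could never be reached. The following Python evaluator is an added example, not part of this configuration or of PostgreSQL; it models that first-match logic for the syntax subset used here (`local`/`host`/`hostssl`/`hostnossl`, `all` or comma-separated database and user lists, CIDR addresses) and deliberately does not support IP/netmask pairs, hostnames, `@file` includes, `+role`/`samerole` entries or method options. The embedded rule sets are constructed excerpts of the page's file and two variants of its SSL section.

```python
"""Evaluate which pg_hba.conf record PostgreSQL would apply to a client.

Added example for this page, not part of the original configuration.
Models first-match semantics for the syntax subset used on the page; the
unsupported syntax listed in the lead-in raises ValueError (assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
HOST_TYPES = {"host", "hostssl", "hostnossl"}


@dataclass
class Rule:
    conn_type: str
    databases: List[str]
    users: List[str]
    network: Optional[Network]      # None for 'local' (Unix-domain socket)
    method: str
    lineno: int


@dataclass
class Client:
    database: str
    user: str
    address: Optional[str] = None   # None means Unix-domain socket
    ssl: bool = False


def parse_hba(text: str) -> List[Rule]:
    """Parse pg_hba.conf text into Rule objects, skipping comments and blanks."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) >= 4:
            network, method = None, f[3]
        elif f[0] in HOST_TYPES and len(f) >= 5:
            network, method = ipaddress.ip_network(f[3], strict=False), f[4]
        else:
            raise ValueError(f"line {lineno}: unsupported or malformed record")
        rules.append(Rule(f[0], f[1].split(","), f[2].split(","),
                          network, method, lineno))
    return rules


def _names_match(patterns: List[str], name: str) -> bool:
    return "all" in patterns or name in patterns


def _matches(rule: Rule, client: Client) -> bool:
    if not (_names_match(rule.databases, client.database)
            and _names_match(rule.users, client.user)):
        return False
    if client.address is None:                  # Unix-domain socket
        return rule.conn_type == "local"
    if rule.conn_type not in HOST_TYPES:
        return False
    if rule.conn_type == "hostssl" and not client.ssl:
        return False
    if rule.conn_type == "hostnossl" and client.ssl:
        return False
    addr = ipaddress.ip_address(client.address)
    # An IPv4 record never matches an IPv6 client and vice versa.
    return addr.version == rule.network.version and addr in rule.network


def first_match(rules: List[Rule], client: Client) -> Optional[Rule]:
    """First matching record wins; there is no fall-through to later ones."""
    return next((r for r in rules if _matches(r, client)), None)


def decide(hba_text: str, client: Client) -> str:
    """Auth method PostgreSQL would use, or 'no-match' (connection refused)."""
    rule = first_match(parse_hba(hba_text), client)
    return rule.method if rule else "no-match"


def shadowed(rules: List[Rule]) -> List[int]:
    """Line numbers of TCP records no client can reach, because an earlier
    record of equal-or-broader type, names and network always matches first."""
    out = []
    for j, late in enumerate(rules):
        if late.network is None:
            continue
        for early in rules[:j]:
            if early.network is None or early.network.version != late.network.version:
                continue
            if early.conn_type not in ("host", late.conn_type):
                continue
            if not ("all" in early.databases or set(late.databases) <= set(early.databases)):
                continue
            if not ("all" in early.users or set(late.users) <= set(early.users)):
                continue
            if late.network.subnet_of(early.network):
                out.append(late.lineno)
                break
    return out


# Constructed excerpt: the active (uncommented) records from the page's file.
PAGE_HBA = """
local      all  all  peer
"""
PAGE_HBA = """
local      all  postgres               peer
local      all  all                    scram-sha-256
host       all  all  10.9.0.0/24       scram-sha-256
host       all  all  127.0.0.1/32      scram-sha-256
host       all  all  ::1/128           scram-sha-256
host       all  all  0.0.0.0/0         reject
host       all  all  ::/0              reject
"""
# Constructed variant: the 'hostnossl ... reject' record enabled while the VPN
# record is still plain 'host'. The reject is unreachable.
SHADOWED_HBA = """
host       all  all  10.9.0.0/24       scram-sha-256
hostnossl  all  all  10.9.0.0/24       reject
"""
# Constructed variant with the VPN record changed to 'hostssl' as the file
# instructs: non-SSL VPN clients now fall through to the reject record.
SSL_ONLY_HBA = """
hostssl    all  all  10.9.0.0/24       scram-sha-256
hostnossl  all  all  10.9.0.0/24       reject
"""
```

`decide(PAGE_HBA, Client("lilith_platform", "app", "10.9.0.2"))` returns `scram-sha-256`, while any address outside the listed networks reaches one of the two final `reject` records. `shadowed(parse_hba(SHADOWED_HBA))` reports the `hostnossl` line, and the same check on `SSL_ONLY_HBA` reports nothing, which is the difference between simply uncommenting the reject rule and following the file's instruction to switch the VPN record to `hostssl` first. Running the linter over a real pg_hba.conf after each edit, before `pg_ctl reload`, is a cheap way to catch this class of ordering mistake.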