Distinguishing between connections in pg_hba.conf

Started by Adam Witney almost 21 years ago, 7 messages, general
#1Adam Witney
awitney@sgul.ac.uk

Hi,

I have a web application (PHP) which runs on its own box, and connects to a
database on a second box. The database box is behind the firewall and only
accepts connections from the web server.

I have set up stunnel on the web server and I would like to allow some
limited external direct access to the db server, but I would like
connections from stunnel to only access a specific database. The problem is
that both the web server and the stunnel connections will come from the same
box, and hence the same IP address, is there any way I can distinguish
between these two connection methods in pg_hba.conf? (I can't do it on
username either)

Thanks for any advice

Adam

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

#2Scott Marlowe
smarlowe@g2switchworks.com
In reply to: Adam Witney (#1)
Re: Distinguishing between connections in pg_hba.conf

On Mon, 2005-05-16 at 07:35, Adam Witney wrote:

> Hi,
>
> I have a web application (PHP) which runs on its own box, and connects to a
> database on a second box. The database box is behind the firewall and only
> accepts connections from the web server.
>
> I have set up stunnel on the web server and I would like to allow some
> limited external direct access to the db server, but I would like
> connections from stunnel to only access a specific database. The problem is
> that both the web server and the stunnel connections will come from the same
> box, and hence the same IP address, is there any way I can distinguish
> between these two connection methods in pg_hba.conf? (I can't do it on
> username either)

Add an alias to each machine's ethernet card, along with a name. So, if
you've got 10.1.1.1 as the IP on the web server and 10.2.1.1 on the db
server, add 10.1.1.2 and 10.2.1.2 on each respectively, and give them
some similar name, like web02 and db02 if their names are web01 and
db01. Set up routes to use the other IP addresses with those names and
you should be able to do it.

I haven't fleshed it out step by step, but you get the basic idea,
right?

#3Adam Witney
awitney@sgul.ac.uk
In reply to: Scott Marlowe (#2)
Re: Distinguishing between connections in pg_hba.conf

On 16/5/05 8:17 pm, "Scott Marlowe" <smarlowe@g2switchworks.com> wrote:

> On Mon, 2005-05-16 at 07:35, Adam Witney wrote:
>
>> Hi,
>>
>> I have a web application (PHP) which runs on its own box, and connects to a
>> database on a second box. The database box is behind the firewall and only
>> accepts connections from the web server.
>>
>> I have set up stunnel on the web server and I would like to allow some
>> limited external direct access to the db server, but I would like
>> connections from stunnel to only access a specific database. The problem is
>> that both the web server and the stunnel connections will come from the same
>> box, and hence the same IP address, is there any way I can distinguish
>> between these two connection methods in pg_hba.conf? (I can't do it on
>> username either)
>
> Add an alias to each machine's ethernet card, along with a name. So, if
> you've got 10.1.1.1 as the IP on the web server and 10.2.1.1 on the db
> server, add 10.1.1.2 and 10.2.1.2 on each respectively, and give them
> some similar name, like web02 and db02 if their names are web01 and
> db01. Set up routes to use the other IP addresses with those names and
> you should be able to do it.
>
> I haven't fleshed it out step by step, but you get the basic idea,
> right?

Hi,

Thanks for your reply.

So I see how you add an extra IP address to the web server box, but how do
you assign it so that requests from apache appear on the db box as one IP
address, and requests coming through stunnel appear as the second IP
address?

Thanks again

Adam


#4Scott Marlowe
smarlowe@g2switchworks.com
In reply to: Adam Witney (#3)
Re: Distinguishing between connections in pg_hba.conf

On Mon, 2005-05-16 at 15:05, Adam Witney wrote:

> On 16/5/05 8:17 pm, "Scott Marlowe" <smarlowe@g2switchworks.com> wrote:
>
>> On Mon, 2005-05-16 at 07:35, Adam Witney wrote:
>>
>>> Hi,
>>>
>>> I have a web application (PHP) which runs on its own box, and connects to a
>>> database on a second box. The database box is behind the firewall and only
>>> accepts connections from the web server.
>>>
>>> I have set up stunnel on the web server and I would like to allow some
>>> limited external direct access to the db server, but I would like
>>> connections from stunnel to only access a specific database. The problem is
>>> that both the web server and the stunnel connections will come from the same
>>> box, and hence the same IP address, is there any way I can distinguish
>>> between these two connection methods in pg_hba.conf? (I can't do it on
>>> username either)
>>
>> Add an alias to each machine's ethernet card, along with a name. So, if
>> you've got 10.1.1.1 as the IP on the web server and 10.2.1.1 on the db
>> server, add 10.1.1.2 and 10.2.1.2 on each respectively, and give them
>> some similar name, like web02 and db02 if their names are web01 and
>> db01. Set up routes to use the other IP addresses with those names and
>> you should be able to do it.
>>
>> I haven't fleshed it out step by step, but you get the basic idea,
>> right?
>
> Hi,
>
> Thanks for your reply.
>
> So I see how you add an extra IP address to the web server box, but how do
> you assign it so that requests from apache appear on the db box as one IP
> address, and requests coming through stunnel appear as the second IP
> address?

That's kinda OS dependent. On RedHat you should have some kind of
netconfig command or something that will make a setting in the
/etc/sysconfig/network-scripts/ifcfg-xxx files to set routes.

In Fedora Core 2 the command that brings up the gui config too is
system-config-network

#5Stephane Bortzmeyer
bortzmeyer@nic.fr
In reply to: Scott Marlowe (#4)
Re: Distinguishing between connections in pg_hba.conf

On Mon, May 16, 2005 at 03:31:27PM -0500,
Scott Marlowe <smarlowe@g2switchworks.com> wrote
a message of 48 lines which said:

>> but how do you assign it so that requests from apache appear on
>> the db box as one IP address, and requests coming through stunnel
>> appear as the second IP address?
>
> That's kinda OS dependent. On RedHat you should have some kind of
> netconfig command

I do not think it was the question.

For stunnel, the solution is probably:

-I host
IP of the outgoing interface is used as source for remote connections.
Use this option to bind a static local IP address, instead.

#6Scott Marlowe
smarlowe@g2switchworks.com
In reply to: Stephane Bortzmeyer (#5)
Re: Distinguishing between connections in pg_hba.conf

On Tue, 2005-05-17 at 05:08, Stephane Bortzmeyer wrote:

> On Mon, May 16, 2005 at 03:31:27PM -0500,
> Scott Marlowe <smarlowe@g2switchworks.com> wrote
> a message of 48 lines which said:
>
>>> but how do you assign it so that requests from apache appear on
>>> the db box as one IP address, and requests coming through stunnel
>>> appear as the second IP address?
>>
>> That's kinda OS dependent. On RedHat you should have some kind of
>> netconfig command
>
> I do not think it was the question.
>
> For stunnel, the solution is probably:
>
> -I host
> IP of the outgoing interface is used as source for remote connections.
> Use this option to bind a static local IP address, instead.

Sorry, I'm not that familiar with stunnel, so I didn't really get it
that that's what the OP was asking...

#7Adam Witney
awitney@sgul.ac.uk
In reply to: Scott Marlowe (#6)
Re: Distinguishing between connections in pg_hba.conf

On 17/5/05 2:59 pm, "Scott Marlowe" <smarlowe@g2switchworks.com> wrote:

> On Tue, 2005-05-17 at 05:08, Stephane Bortzmeyer wrote:
>
>> On Mon, May 16, 2005 at 03:31:27PM -0500,
>> Scott Marlowe <smarlowe@g2switchworks.com> wrote
>> a message of 48 lines which said:
>>
>>>> but how do you assign it so that requests from apache appear on
>>>> the db box as one IP address, and requests coming through stunnel
>>>> appear as the second IP address?
>>>
>>> That's kinda OS dependent. On RedHat you should have some kind of
>>> netconfig command
>>
>> I do not think it was the question.
>>
>> For stunnel, the solution is probably:
>>
>> -I host
>> IP of the outgoing interface is used as source for remote
>> connections.
>> Use this option to bind a static local IP address, instead.
>
> Sorry, I'm not that familiar with stunnel, so I didn't really get it
> that that's what the OP was asking...

Hi,

Yep, I missed the -I switch in the stunnel docs. And using Scott's idea of a
network interface alias, apache connects with one IP and stunnel connects
with another!

Thanks again for your help

Adam

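The combination the thread settles on (an interface alias on the web box, stunnel bound to it, and pg_hba.conf keyed on source address) as an added worked example; this is not code from the thread or from PostgreSQL or stunnel. The addresses 10.1.1.1 (web01), 10.1.1.2 (the web02 alias) and 10.2.1.1 (db01) are the ones Scott used; the database name "appdb", the user "webapp", the stunnel service name "pgsql" and the listen port 5433 are constructed here. The `local =` directive is assumed to be the stunnel 4.x config-file form of the `-I host` switch Stephane quoted. The script parses both constructed fragments and applies PostgreSQL's first-matching-record rule to a few connection attempts, so you can see which path gets which method before touching a real server.

```python
"""Added example (not from the thread): evaluate pg_hba.conf records for
connections arriving from the web box's two source addresses.

Addresses 10.1.1.1 (web01), 10.1.1.2 (web02 alias) and 10.2.1.1 (db01)
come from Scott's post; the database name, user, stunnel service name and
listen port are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed pg_hba.conf: the first matching record decides, as in PostgreSQL.
# web01 may reach any database; the stunnel alias web02 only reaches "appdb";
# anything else from that /24 is explicitly rejected.
PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
host    all       all   10.1.1.1/32    md5
host    appdb     all   10.1.1.2/32    md5
host    all       all   10.1.1.0/24    reject
"""

# Constructed stunnel.conf fragment. 'local =' is assumed to be the stunnel
# 4.x config-file form of the '-I host' switch quoted in the thread: it binds
# the outgoing connection to the alias address instead of the primary one.
STUNNEL_CONF = """\
[pgsql]
accept  = 5433
connect = 10.2.1.1:5432
local   = 10.1.1.2
"""


@dataclass(frozen=True)
class HbaRule:
    conn_type: str
    databases: frozenset
    users: frozenset
    network: object          # ipaddress.IPv4Network or IPv6Network
    method: str


def parse_hba(text):
    """Parse TCP ('host*') records written in CIDR form. Other record types
    (e.g. 'local' Unix-socket lines) are skipped; this example only needs
    host records (assumption)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if not fields[0].startswith("host") or len(fields) < 5:
            continue
        conn_type, db, user, addr, method = fields[:5]
        rules.append(HbaRule(
            conn_type,
            frozenset(db.split(",")),
            frozenset(user.split(",")),
            ipaddress.ip_network(addr, strict=False),
            method,
        ))
    return rules


def hba_method(rules, source_ip, database, user):
    """Return the METHOD of the first record matching the connection, or None
    when no record matches (PostgreSQL refuses the connection in that case)."""
    ip = ipaddress.ip_address(source_ip)
    for rule in rules:
        if ip not in rule.network:
            continue
        if "all" not in rule.databases and database not in rule.databases:
            continue
        if "all" not in rule.users and user not in rule.users:
            continue
        return rule.method
    return None


def stunnel_local(text, service):
    """Read the 'local =' address of one stunnel service section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section == service and sep and key.strip() == "local":
            return value.strip()
    return None


def decide(source_ip, database, user="webapp"):
    """Auth method PostgreSQL would apply to a connection from source_ip."""
    return hba_method(parse_hba(PG_HBA), source_ip, database, user)


if __name__ == "__main__":
    stunnel_ip = stunnel_local(STUNNEL_CONF, "pgsql")
    print("stunnel binds outgoing connections to", stunnel_ip)
    for ip, db in [("10.1.1.1", "postgres"), (stunnel_ip, "appdb"),
                   (stunnel_ip, "postgres"), ("10.1.1.9", "appdb")]:
        print(f"{ip:>10} -> {db:<9} {decide(ip, db)}")
```

Two points worth checking on a real deployment. First, the explicit `reject` record matters: pg_hba.conf stops at the first record whose type, database, user and address all match, so if a broader record for the subnet appeared later in the file the alias address would fall through to it for every database, not just "appdb". Second, pg_hba.conf sees only the source address. The separation holds because stunnel is the only thing on the web box bound to 10.1.1.2; any process on that box can bind the alias just as easily, so this scheme separates the two paths rather than authenticating them, and the database-level password or certificate check behind `md5` is still what identifies the client.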