Re: Let people set host(no)ssl settings from initdb

On Thu, Dec 12, 2019 at 12:23:42AM -0500, Tom Lane wrote:
> David Fetter <david@fetter.org> writes:
> > I've found myself writing a lot of boilerplate pg_hba.conf entries
> > along the lines of
> >     hostnossl    all     all     0.0.0.0/0      reject
> >     hostssl      all     all     0.0.0.0/0      md5
> > so I thought I'd make it easier to do that from initdb.
> > What say?
> 
> I'm pretty suspicious of loading down initdb with random configuration
> options, because I think most people nowadays use PG via vendor packages
> that script their calls to initdb.  So an option like this doesn't help
> unless you can persuade all those vendors to pass the option through.

Would the official PGDG .deb and .rpm packages suffice?

> That problem exists even before you get to the question of whether
> this specific option is useful or well-designed ... a question I'm
> not opining about here, but it would certainly require thought.

I think it was a reasonable extension. We cover lines that start with
local and host, but they can also start with hostssl and hostnossl.

Meanwhile, please find attached a fix for an oversight around IPv6.

Best,
David.
-- 
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate