Thread: Access PostgreSQL server via SSL/Internet
Is anybody considering this? So that people can write programs which access a database via the Internet.

What I'm getting at is that we have applications which run on our Intranet. They query and update databases. There is interest in a work at home solution. Since the company has multiple T1 Internet connections, they are interested in allowing people to use their home ISP to connect. We are looking at a VPN solution as well, but they all seem to have a "per seat" or "concurrent use" restriction. The more users, the higher the cost. Also, some ISPs have stated that using a VPN over their facility is forbidden and will result in termination of the service. Another possibility is to simply use a secure Web server and rewrite the applications as CGI's or something similar.

More of a curiosity question at present,

John
> Is anybody considering this? So that people can write programs which access
> a database via the Internet. What I'm getting at is that we have
> applications which run on our Intranet. They query and update
> databases. There is interest in a work at home solution. Since the company
> has multiple T1 Internet connections, they are interested in allowing
> people to use their home ISP to connect. We are looking at a VPN solution
> as well, but they all seem to have a "per seat" or "concurrent
> use" restriction. The more users, the higher the cost. Also, some ISPs
> have stated that using a VPN over their facility is forbidden and will
> result in termination of the service. Another possibility is to simply
> use a secure Web server and rewrite the applications as CGI's or something
> similar.

It is trivial to connect clients and servers across an ssh-piped connection. I'm not sure of the details as far as getting things set up to be automated for turnkey installations.

- Thomas
> It is trivial to connect clients and servers across an ssh-piped
> connection. I'm not sure of the details as far as getting things set up
> to be automated for turnkey installations.

OTOH, people using ssh-piped connections need actual accounts on the database server, as opposed to just database accounts. That's something that isn't necessarily a good idea. Also, ssh-piped connections are decent to set up, but you must always ssh in before you want to do anything else.
On Sat, 26 Aug 2000, Thomas Lockhart wrote:

> > have stated that using a VPN over their facility is forbidden and will
> > result in termination of the service. Another possibility is to simply
> > use a secure Web server and rewrite the applications as CGI's or something
> > similar.
>
> It is trivial to connect clients and servers across an ssh-piped
> connection. I'm not sure of the details as far as getting things set up
> to be automated for turnkey installations.

Thomas,

Thanks for the thought. I just found something called "stunnel" which may do the trick.

John
On Sat, 26 Aug 2000, John McKown wrote:

> On Sat, 26 Aug 2000, Thomas Lockhart wrote:
>
> > It is trivial to connect clients and servers across an ssh-piped
> > connection. I'm not sure of the details as far as getting things set up
> > to be automated for turnkey installations.
>
> Thomas,
>
> Thanks for the thought. I just found something called "stunnel" which may
> do the trick.

Also look into "vpnd" - we're using it for a project for a client until I can get the SSL connection stuff working properly... (Hint, hint... It would be nice if it was better documented :)

http://sunsite.auc.dk/vpnd/

--
Dominic J. Eidson
"Baruk Khazad! Khazad ai-menu!" - Gimli
-------------------------------------------------------------------------------
http://www.the-infinite.org/ http://www.the-infinite.org/~dominic/
* Andrew Selle <aselle@upl.cs.wisc.edu> [000826 07:50] wrote:

> > It is trivial to connect clients and servers across an ssh-piped
> > connection. I'm not sure of the details as far as getting things set up
> > to be automated for turnkey installations.
>
> OTOH, people using ssh-piped connections need actual accounts on
> the database server, as opposed to just database accounts. That's
> something that isn't necessarily a good idea. Also, ssh-piped
> connections are decent to set up, but you must always ssh in before
> you want to do anything else.

Actually I'm pretty sure you can get around this problem with host keys, but I haven't tried that.

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."
> > > It is trivial to connect clients and servers across an ssh-piped
> > > connection. I'm not sure of the details as far as getting things set up
> > > to be automated for turnkey installations.
> >
> > Thomas,
> >
> > Thanks for the thought. I just found something called "stunnel" which may
> > do the trick.
>
> Also look into "vpnd" - we're using it for a project for a client until I
> can get the SSL connection stuff working properly... (Hint, hint... It
> would be nice if it was better documented :)

Docs of the SSL stuff are coming up as soon as I get "final approval" of the patch that brings SSL up to working (e.g. either applying or rejecting :-). I have a very rough outline so far, but I don't want to put down too much work into it until I know I am documenting the right thing (the version that will eventually go in, that is).

But it's on its way.

//Magnus
> > Docs of the SSL stuff are coming up as soon as I get "final approval" of
> > the patch that brings SSL up to working (e.g. either applying or
> > rejecting :-). I have a very rough outline so far, but I don't want
> > to put down too much work into it until I know I am documenting the
> > right thing (the version that will eventually go in, that is).
>
> Your patch looked fine to me, the details can be hammered out later.

Ok. Great. That's what I needed to hear.

> What I'd like to see is some at least informal documentation on how to use
> this at all. We can't put in any patches that we don't know how to use.

Here is a patch against the same cvs tree as the SSL patch (Aug 20). I hope I didn't mess the SGML up too bad, but somebody should definitely look that over. I tried to steal as much as I could from around :-)

This patch updates:
* Installation instructions (paragraph on how to compile with openssl)
* Documentation of pg_hba.conf (added "hostssl" record docs)
* Libpq documentation (added connection option, documentation of PQgetssl() function)
* Add section on SSL to "Server Runtime Environment"

If you believe any particular area needs more attention, please let me know.

//Magnus
Attachment
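The "hostssl" record type mentioned in the post above is what lets a server refuse non-SSL TCP clients. The following check is an added example, not code from the thread or from the PostgreSQL project: it scans a pg_hba.conf for "host" and "hostnossl" records that would still admit unencrypted remote connections. It assumes present-day pg_hba.conf syntax rather than the year-2000 format the patch documented; the sample file, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in current pg_hba.conf syntax (not taken from the thread).
SAMPLE_HBA = """\
# TYPE    DATABASE  USER      ADDRESS           METHOD
local     all       postgres                    peer
host      all       all       127.0.0.1/32      scram-sha-256
host      all       all       ::1/128           scram-sha-256
hostssl   appdb     homeuser  0.0.0.0/0         scram-sha-256
host      appdb     homeuser  0.0.0.0/0         scram-sha-256
host      appdb     batch     10.1.2.0 255.255.255.0 md5
hostnossl reports   all       203.0.113.0/24    md5
"""

# Record types that accept a TCP connection that is not wrapped in SSL.
PLAINTEXT_TYPES = {"host", "hostnossl"}


def parse_network(fields):
    """Return the ip_network for a record's address column(s), or None when
    the address is a keyword or hostname (all, samenet, .example.com)."""
    addr = fields[3]
    try:
        if "/" in addr:
            return ipaddress.ip_network(addr, strict=False)
        # Two-column form: ADDRESS followed by a separate netmask.
        return ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False)
    except (ValueError, IndexError):
        return None


def find_plaintext_rules(hba_text):
    """Return [(line_number, record)] for records that let a non-loopback
    client connect without SSL. Addresses that cannot be parsed as a
    network are reported too, since they cannot be shown to be loopback."""
    findings = []
    for lineno, raw in enumerate(hba_text.splitlines(), start=1):
        # Simplification: '#' always starts a comment (no quoted values).
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 5 or fields[0] not in PLAINTEXT_TYPES:
            continue
        net = parse_network(fields)
        if net is not None and net.is_loopback:
            continue  # loopback traffic never leaves the host
        findings.append((lineno, line))
    return findings
```

Each reported record is a candidate for conversion to "hostssl", so that the only path from a home ISP to the database is the SSL-protected one.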
Applied. Thanks.

[ Charset ISO-8859-1 unsupported, converting... ]

> > > Docs of the SSL stuff are coming up as soon as I get "final approval" of
> > > the patch that brings SSL up to working (e.g. either applying or
> > > rejecting :-). I have a very rough outline so far, but I don't want
> > > to put down too much work into it until I know I am documenting the
> > > right thing (the version that will eventually go in, that is).
> >
> > Your patch looked fine to me, the details can be hammered out later.
>
> Ok. Great. That's what I needed to hear.
>
> > What I'd like to see is some at least informal documentation on how to use
> > this at all. We can't put in any patches that we don't know how to use.
>
> Here is a patch against the same cvs tree as the SSL patch (Aug 20).
> I hope I didn't mess the SGML up too bad, but somebody should definitely
> look that over. I tried to steal as much as I could from around :-)
>
> This patch updates:
> * Installation instructions (paragraph on how to compile with openssl)
> * Documentation of pg_hba.conf (added "hostssl" record docs)
> * Libpq documentation (added connection option, documentation of
>   PQgetssl() function)
> * Add section on SSL to "Server Runtime Environment"
>
> If you believe any particular area needs more attention, please let me know.
>
> //Magnus
>
> [ Attachment, skipping... ]

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026
Applied. Thanks. I always love doc patches.

[ Charset ISO-8859-1 unsupported, converting... ]

> > > Docs of the SSL stuff are coming up as soon as I get "final approval" of
> > > the patch that brings SSL up to working (e.g. either applying or
> > > rejecting :-). I have a very rough outline so far, but I don't want
> > > to put down too much work into it until I know I am documenting the
> > > right thing (the version that will eventually go in, that is).
> >
> > Your patch looked fine to me, the details can be hammered out later.
>
> Ok. Great. That's what I needed to hear.
>
> > What I'd like to see is some at least informal documentation on how to use
> > this at all. We can't put in any patches that we don't know how to use.
>
> Here is a patch against the same cvs tree as the SSL patch (Aug 20).
> I hope I didn't mess the SGML up too bad, but somebody should definitely
> look that over. I tried to steal as much as I could from around :-)
>
> This patch updates:
> * Installation instructions (paragraph on how to compile with openssl)
> * Documentation of pg_hba.conf (added "hostssl" record docs)
> * Libpq documentation (added connection option, documentation of
>   PQgetssl() function)
> * Add section on SSL to "Server Runtime Environment"
>
> If you believe any particular area needs more attention, please let me know.
>
> //Magnus
>
> [ Attachment, skipping... ]

--
Bruce Momjian | http://candle.pha.pa.us
pgman@candle.pha.pa.us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026