How to Configure pg_hba.conf for Remote PostgreSQL Access from Specific IP Addresses



On CentOS/RHEL systems, PostgreSQL's authentication configuration file (pg_hba.conf) is typically located in:

/var/lib/pgsql/data/pg_hba.conf

For PostgreSQL 12+ installations, you might find it at:

/var/lib/pgsql/12/data/pg_hba.conf

The line you want to add follows this structure:

host    DATABASE    USER    ADDRESS    MASK    METHOD

Breaking down your specific example:

host    all         all         10.0.2.12         255.255.255.255   trust
  • host: Connection type (TCP/IP)
  • all: Applies to all databases
  • all: Applies to all users
  • 10.0.2.12: Specific client IP address
  • 255.255.255.255: Netmask for single host
  • trust: Authentication method (no password required)

Here's how to properly implement this change:

# Switch to postgres user
sudo su - postgres

# Make a backup of the original file
cp /var/lib/pgsql/data/pg_hba.conf /var/lib/pgsql/data/pg_hba.conf.bak

# Edit the configuration file
vi /var/lib/pgsql/data/pg_hba.conf

Add your line in the appropriate section (usually near similar host entries). Save the file and exit.

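While 'trust' is convenient for testing, combined with "all all" it lets anyone who can connect from 10.0.2.12 log in as any database user, including the postgres superuser, without a password. In production, consider using password authentication instead: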

# MD5 password authentication
host    all    all    10.0.2.12/32    md5

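# Or SCRAM-SHA-256 (PostgreSQL 10+); user passwords must be stored as SCRAM
# hashes (password_encryption = scram-sha-256, then set each password again)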
host    all    all    10.0.2.12/32    scram-sha-256

After making changes, you can reload without restarting:

# As postgres user
pg_ctl reload

# Or using systemctl
sudo systemctl reload postgresql

Test from your client machine (10.0.2.12):

psql -h [server-ip] -U [username] [database-name]

If connections fail:

  1. Check PostgreSQL's listen_addresses in postgresql.conf
  2. Verify firewall rules (firewalld/iptables)
  3. Examine PostgreSQL logs at /var/lib/pgsql/data/pg_log/

Instead of IP+mask, you can use CIDR notation:

host    all    all    10.0.2.12/32    md5

This matches the same single host as your original example, more concisely (shown here with md5 in place of trust).


When you need to enable remote access to your PostgreSQL server, the pg_hba.conf file is where you define connection rules. On CentOS/RHEL systems, you'll typically find it at:

/var/lib/pgsql/data/pg_hba.conf

Before making changes, create a backup:

sudo cp /var/lib/pgsql/data/pg_hba.conf /var/lib/pgsql/data/pg_hba.conf.bak

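The entry you want to add follows this pattern (the example below uses the older form, with a separate netmask column between address and auth-method):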

host    database    user    address    auth-method

Breaking down your specific example:

host    all         all         10.0.2.12         255.255.255.255   trust
  • host: Connection type (TCP/IP)
  • all: Applies to all databases
  • all: Applies to all users
  • 10.0.2.12: Specific client IP address
  • 255.255.255.255: Netmask for single host
  • trust: Authentication method (no password)

While trust is convenient for testing, in production consider these alternatives:

# MD5 password authentication
host    all    all    10.0.2.12/32    md5

# SCRAM-SHA-256 (PostgreSQL 10+)
host    all    all    10.0.2.12/32    scram-sha-256

Instead of IP/netmask format, you can use CIDR notation:

# Single IP
host    all    all    10.0.2.12/32    md5

# IP range
host    all    all    10.0.2.0/24    md5

# Entire private network
host    all    all    10.0.0.0/8    md5

After saving changes, reload the configuration:

sudo systemctl reload postgresql

Or do a full restart if needed, for example after changing listen_addresses in postgresql.conf, which a reload does not apply:

sudo systemctl restart postgresql

From your remote server (10.0.2.12), test with:

psql -h postgres-server-ip -U username -d database_name

If connection fails, check:

  1. listen_addresses in postgresql.conf includes '*' or specific IPs
  2. Firewall rules allow traffic on port 5432
  3. SELinux isn't blocking the connection (check with audit2allow)
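
An added example (not from the original page): a small Python audit of a pg_hba.conf that parses both the IP + netmask and the CIDR forms, and shows that PostgreSQL applies only the first matching record, so a scram-sha-256 line placed after the trust line never takes effect for 10.0.2.12. The sample file is constructed, and the function names and the /24 breadth threshold are assumptions.

```python
import ipaddress

# Constructed sample: the page's trust line (IP + netmask form) followed by its CIDR variants.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS      [MASK]            METHOD
local   all       all                                  peer
host    all       all   10.0.2.12    255.255.255.255   trust
host    all       all   10.0.2.12/32                   scram-sha-256
host    all       all   10.0.0.0/8                     md5
"""

def parse_hba(text):
    """Return dicts for host* rules whose address is an IP, in file order."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 5 or not f[0].startswith("host"):
            continue  # comments, blanks, local (Unix-socket) rules
        try:
            if "/" in f[3]:  # CIDR form: address/prefix method
                net, method = ipaddress.ip_network(f[3], strict=False), f[4]
            else:            # older form: address netmask method
                net, method = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False), f[5]
        except (ValueError, IndexError):
            continue  # hostnames and keywords such as samenet are out of scope here
        rules.append({"line": line_no, "db": f[1], "user": f[2], "net": net, "method": method})
    return rules

def first_match(rules, client_ip, db, user):
    """PostgreSQL uses the first matching record only; later lines are never consulted."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if ip in r["net"] and r["db"] in ("all", db) and r["user"] in ("all", user):
            return r
    return None  # no record matches: the server rejects the connection

def audit(rules, min_prefix=24):
    """Flag trust rules, md5 rules, and networks wider than min_prefix (assumed threshold)."""
    findings = []
    for r in rules:
        if r["method"] == "trust":
            findings.append((r["line"], "trust: no authentication for this address"))
        if r["method"] == "md5":
            findings.append((r["line"], "md5: prefer scram-sha-256"))
        if r["net"].prefixlen < min_prefix:
            findings.append((r["line"], f"broad network {r['net']}"))
    return findings
```

To check a real file, pass its contents to parse_hba() and run the result through audit() before reloading the server.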