TCP Connections to Postgres Secure? SSL Required?

Updated: 2024-10-25 02:21:25

Good morning,

I was going through the PostgreSQL configuration files, and recently noticed that there is an ssl option. I was wondering when this is required.

Say you have an app server and a database server, not running inside a private network. If a user tries to log in and SSL is not enabled, will the app server transmit the user's password in cleartext to the database when looking up whether it is a valid username/password?

What is standard practice here? Should I be setting up my DB to use SSL?

If that is the case, is there any difference in the connection settings in config/database.yml in my Rails app?

Thanks!

Accepted answer

Like for other protocols, using SSL/TLS for PostgreSQL allows you to secure the connection between the client and the server. Whether you need it depends on your network environment.

Without SSL/TLS the traffic between the client and the server will be visible to an eavesdropper: all the queries and responses, and possibly the password, depending on how you've configured your pg_hba.conf (whether the client is using md5 or a plaintext password).

As far as I'm aware, it's the server that requests MD5 or plaintext password authentication, so an active Man-In-The-Middle attacker could certainly downgrade that and get your password anyway, when not using SSL/TLS.

A well-configured SSL/TLS connection should allow you to prevent eavesdropping and MITM attacks, against both passwords and data.

You can require SSL to be used on the server side using sslhost in pg_hba.conf, but that's only part of the problem. Ultimately, just like for web servers, it's up to the client to verify that SSL is used at all, and that it's used with the right server.

Table 31-1 in the libpq documentation summarises the levels of protection you get.

Essentially:

If you think you have a reason to use SSL, disable, allow and prefer are useless (don't take "No" or "Maybe" if you want security). require is barely useful, since it doesn't verify the identity of the remote server at all. verify-ca doesn't verify the host name, which makes it vulnerable to MITM attacks.

The one you'll want if security matters to you is verify-full.

These SSL mode names are set by libpq. Other clients might not use the same ones (e.g. a pure Ruby implementation or JDBC).

As far as I can see, ruby-pg relies on libpq. Unfortunately, it only lists "disable|allow|prefer|require" for its sslmode. Perhaps verify-full might work too if it's passed directly. However, there would also need to be a way to configure the CA certificates.
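The answer above leaves two practical things open: what to put in config/database.yml, and how the server-side and client-side settings fit together. The following Ruby script is an added example; it is not from the original question or answer and is not ruby-pg's or Rails' own code. It audits two constructed configuration snippets: a pg_hba.conf with weak and hardened entries, and a database.yml with a weak and a hardened connection. The host names, database name and the CA bundle path /etc/ssl/certs/db-ca.pem are made up. Rails passes keys such as sslmode and sslrootcert from database.yml through ruby-pg to libpq, so the hardened entry works as written. The classification follows the libpq sslmode table the answer cites: only verify-full guarantees both encryption and server authentication; verify-ca checks the CA but not the host name, and libpq's own table lists its MITM protection as depending on CA policy, so the script treats it as insufficient.

```ruby
require "yaml"

# Protection each libpq sslmode actually guarantees, following the libpq
# "SSL Mode Descriptions" table. "Maybe" entries (allow, prefer) count as false:
# a client that silently falls back to plaintext gives no guarantee at all.
# verify-ca is counted as no MITM protection: it checks the CA but not the host
# name (libpq's table says "depends on CA policy"), so any certificate issued by
# that CA is accepted.
SSLMODE_PROTECTION = {
  "disable"     => { eavesdropping: false, mitm: false },
  "allow"       => { eavesdropping: false, mitm: false },
  "prefer"      => { eavesdropping: false, mitm: false },
  "require"     => { eavesdropping: true,  mitm: false },
  "verify-ca"   => { eavesdropping: true,  mitm: false },
  "verify-full" => { eavesdropping: true,  mitm: true  },
}.freeze

# Client side: audit one connection hash as Rails reads it from database.yml.
# Returns a list of human-readable findings (empty means nothing to fix).
def audit_connection(name, conf)
  mode = conf["sslmode"] || "prefer" # libpq default when sslmode is not set
  prot = SSLMODE_PROTECTION[mode]
  return ["#{name}: unknown sslmode #{mode.inspect}"] if prot.nil?

  findings = []
  findings << "#{name}: sslmode=#{mode} does not guarantee encryption (plaintext fallback is possible)" unless prot[:eavesdropping]
  findings << "#{name}: sslmode=#{mode} does not authenticate the server (MITM is possible)" unless prot[:mitm]
  if mode.start_with?("verify-") && conf["sslrootcert"].nil?
    # Without sslrootcert, libpq looks for ~/.postgresql/root.crt and refuses to connect if it is absent.
    findings << "#{name}: #{mode} without sslrootcert relies on ~/.postgresql/root.crt being present"
  end
  findings
end

def audit_database_yml(yaml_text)
  YAML.safe_load(yaml_text).each_with_object({}) do |(env, conf), out|
    out[env] = audit_connection(env, conf)
  end
end

# Server side: audit pg_hba.conf. Only `hostssl` forces TLS; `host` accepts both
# TLS and plaintext TCP and `hostnossl` accepts only plaintext, so neither stops
# a client that was configured with sslmode=disable. The `password` method sends
# the password in cleartext, which is exactly what the question worries about.
def audit_pg_hba(text)
  findings = []
  text.each_line.with_index(1) do |raw, n|
    line = raw.sub(/#.*/, "").strip
    next if line.empty?
    fields = line.split
    type, address = fields[0], fields[3]
    next if type == "local" # Unix-domain socket: never leaves the host
    # ADDRESS is one field (CIDR or host name) or two (IP followed by a netmask)
    method = fields[fields[4] =~ /\A\d+(\.\d+){3}\z/ ? 5 : 4]
    findings << "line #{n}: '#{type}' accepts unencrypted TCP from #{address}; use hostssl" if %w[host hostnossl].include?(type)
    findings << "line #{n}: 'password' sends the password in cleartext" if method == "password"
    findings << "line #{n}: 'trust' grants access without any credential" if method == "trust"
  end
  findings
end

# Constructed sample inputs for this example (not from the original post).
SAMPLE_PG_HBA = <<~HBA
  # TYPE  DATABASE  USER  ADDRESS         METHOD
  local   all       all                   peer
  host    app       app   10.0.0.0/8      password
  host    all       all   0.0.0.0/0       md5
  hostssl app       app   203.0.113.0/24  scram-sha-256
HBA

SAMPLE_DATABASE_YML = <<~YAML
  production_weak:
    adapter: postgresql
    host: db.example.com
    database: app
    username: app
    sslmode: prefer
  production:
    adapter: postgresql
    host: db.example.com
    database: app
    username: app
    sslmode: verify-full
    sslrootcert: /etc/ssl/certs/db-ca.pem
YAML

if __FILE__ == $PROGRAM_NAME
  puts "pg_hba.conf:"
  audit_pg_hba(SAMPLE_PG_HBA).each { |f| puts "  #{f}" }
  puts "database.yml:"
  audit_database_yml(SAMPLE_DATABASE_YML).each { |env, fs| puts "  #{env}: #{fs.empty? ? 'ok' : fs.join('; ')}" }
end
```

Running the script flags the two `host` lines (one of them also for the cleartext `password` method) and the `production_weak` connection, and reports the `hostssl` line and the `production` connection as clean. The two halves are deliberately independent: hostssl in pg_hba.conf only restricts what the server accepts, and as the answer says it is still the client that has to insist on verify-full and point sslrootcert at the CA that issued the server certificate.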

Published: 2023-08-04 00:03:00
Link: https://www.elefans.com/category/jswz/34/1405187.html
Tags: Connections, TCP, Postgres, Required, SSL