<para>
In addition to the <filename>postgresql.conf</filename> file
already mentioned, <productname>PostgreSQL</productname> uses
- two other manually-edited configuration files, which control
+ three other manually-edited configuration files, which control
client authentication (their use is discussed in <xref
- linkend="client-authentication"/>). By default, all three
+ linkend="client-authentication"/>) and SSL host configuration.
+ By default, all four
configuration files are stored in the database cluster's data
directory. The parameters described in this section allow the
configuration files to be placed elsewhere. (Doing so can ease
</listitem>
</varlistentry>
+ <varlistentry id="guc-hosts-file" xreflabel="hosts_file">
+ <term><varname>hosts_file</varname> (<type>string</type>)
+ <indexterm>
+ <primary><varname>hosts_file</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Specifies the configuration file for host-based SSL configuration
+ (customarily called <filename>pg_hosts.conf</filename>).
+ This parameter can only be set at server start. See also
+ <xref linkend="ssl-sni"/>.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry id="guc-external-pid-file" xreflabel="external_pid_file">
<term><varname>external_pid_file</varname> (<type>string</type>)
<indexterm>
<para>
If you wish, you can specify the configuration file names and locations
individually using the parameters <varname>config_file</varname>,
- <varname>hba_file</varname> and/or <varname>ident_file</varname>.
+ <varname>hba_file</varname>, <varname>ident_file</varname> and/or
+ <varname>hosts_file</varname>.
<varname>config_file</varname> can only be specified on the
<command>postgres</command> command line, but the others can be
- set within the main configuration file. If all three parameters plus
+ set within the main configuration file. If all four parameters plus
<varname>data_directory</varname> are explicitly set, then it is not necessary
to specify <option>-D</option> or <envar>PGDATA</envar>.
</para>
</para>
</listitem>
</varlistentry>
+
+ <varlistentry id="guc-ssl-sni" xreflabel="ssl_sni">
+ <term><varname>ssl_sni</varname> (<type>boolean</type>)
+ <indexterm>
+ <primary><varname>ssl_sni</varname> configuration parameter</primary>
+ </indexterm>
+ </term>
+ <listitem>
+ <para>
+ Enables SNI configuration for SSL connections. When set to <literal>on</literal>
+ host configuration from <xref linkend="guc-hosts-file"/> is used, see
+ <xref linkend="ssl-sni"/> for more details.
+ </para>
+ <para>
+ This parameter can only be set in the <filename>postgresql.conf</filename>
+ file or on the server command line. The default is <literal>off</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</sect2>
</sect1>
<para>
<productname>PostgreSQL</productname> can be configured for Server Name
- Indication, <acronym>SNI</acronym>, using the <filename>pg_hosts.conf</filename>
- configuration file. <productname>PostgreSQL</productname> inspects the TLS
- hostname extension in the SSL connection handshake, and selects the right
- TLS certificate, key and CA certificate to use for the connection based on
- entries in the configuration file <filename>pg_hosts.conf</filename>.
+ Indication, <acronym>SNI</acronym>, using the <xref linkend="guc-ssl-sni"/>
+ configuration parameter. <productname>PostgreSQL</productname> inspects the
+ TLS hostname extension in the SSL connection handshake, and selects the
+ right certificate, key and CA certificate to use for the connection based
+ on entries in the <xref linkend="guc-hosts-file"/> configuration file.
</para>
<para>
- SNI configuration is defined in the hosts configuration file,
- <filename>pg_hosts.conf</filename>, which is stored in the cluster's
- data directory. The hosts configuration file contains lines of these
- general forms:
+ The <xref linkend="guc-hosts-file"/> configuration file contains lines of
+ these general forms:
<synopsis>
<replaceable>hostname</replaceable> <replaceable>SSL_certificate</replaceable> <replaceable>SSL_key</replaceable> <optional> <replaceable>SSL_CA_certificate</replaceable> <optional> <replaceable>SSL_passphrase_cmd</replaceable> <optional> <replaceable>SSL_passphrase_cmd_reload</replaceable> </optional> </optional> </optional>
<literal>include</literal> <replaceable>file</replaceable>
</synopsis>
Comments, whitespace, line continuations, and inclusion directives are
handled in the same way as
- in <filename>pg_hba.conf</filename>. <replaceable>hostname</replaceable>
- is matched against the hostname TLS extension in the SSL handshake.
+ in <xref linkend="guc-hba-file"/>. <replaceable>hostname</replaceable>
+ is matched case-insensitively against the <literal>hostname</literal> TLS
+ extension in the SSL handshake.
<replaceable>SSL_certificate</replaceable>,
<replaceable>SSL_key</replaceable>,
<replaceable>SSL_CA_certificate</replaceable>,
<thead>
<row>
<entry>Host Entry</entry>
- <entry>sslsni</entry>
+ <entry>Hostname extension</entry>
<entry>Description</entry>
</row>
</thead>
</para>
<para>
- If <filename>pg_hosts.conf</filename> is empty or missing, then the SSL
+ If <xref linkend="guc-hosts-file"/> is empty or missing, then the SSL
configuration in <filename>postgresql.conf</filename> will be used for all
- connections. If <filename>pg_hosts.conf</filename> is non-empty then it
+ connections. If <xref linkend="guc-hosts-file"/> is non-empty then it
will take precedence over certificate and key settings in
<filename>postgresql.conf</filename>.
</para>
<para>
It is currently not possible to set different <literal>clientname</literal>
values for the different certificates. Any <literal>clientname</literal>
- setting in <filename>pg_hba.conf</filename> will be applied during
+ setting in <xref linkend="guc-hba-file"/> will be applied during
authentication regardless of which set of certificates have been loaded
via an SNI enabled connection.
</para>
projects / thirdparty / postgresql.git / commitdiff
