Database PostgreSQL - Secure TCP/IP connection using SSH tunnel

18.10. Secure TCP/IP connection using SSH tunnel

You can use SSH to encrypt the network connection between the client and the PostgreSQL server. If handled properly, this will provide a sufficiently secure network connection, even for those clients that are not SSL capable.

First, make sure that an SSH server is running properly on the same machine as the PostgreSQL server and that you can log in using ssh as some user. Then you can establish a secure tunnel with a command like this from the client machine:

ssh -L 63333:localhost:5432 joe@foo.com

The first number in the -L argument, 63333, is the local port number of your end of the tunnel; it can be any unused port (IANA reserves ports 49152 through 65535 for private use). The second number, 5432, is the remote end of the tunnel: the port number your server is using. The name or address in between the port numbers is the host with the database server you are going to connect to, as seen from the host you are logging in to, which is foo.com in this example. In order to connect to the database server using this tunnel, you connect to port 63333 on the local machine:

psql -h localhost -p 63333 postgres

To the database server it will then look as though you are really user joe on host foo.com connecting to localhost in that context, and it will use whatever authentication procedure was configured for connections from this user and host. Note that the server will not think the connection is SSL-encrypted, since in fact it is not encrypted between the SSH server and the PostgreSQL server. This should not pose any extra security risk as long as they are on the same machine.

In order for the tunnel setup to succeed you must be allowed to connect via ssh as joe@foo.com, just as if you had attempted to use ssh to create a terminal session.

You could also have set up the port forwarding as

ssh -L 63333:foo.com:5432 joe@foo.com

but then the database server will see the connection as coming in on its foo.com interface, which is not opened by the default setting listen_addresses = 'localhost'. This is usually not what you want.

If you have to "hop" to the database server via some login host, one possible setup could look like this:

ssh -L 63333:db.foo.com:5432 joe@shell.foo.com

Note that this way the connection from shell.foo.com to db.foo.com will not be encrypted by the SSH tunnel. SSH offers quite a few configuration possibilities when the network is restricted in various ways. Please refer to the SSH documentation for details.

Several other applications exist that can provide secure tunnels using a procedure similar in concept to the one just described.
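Added example (not part of the PostgreSQL documentation or of this post): a Python script that runs the tunnel procedure above end to end, starting the ssh forward in the background with a control socket, waiting for the local port to accept connections, running psql through it and closing the tunnel afterwards. It also rejects a local port outside the private range quoted above and warns when the far end is not localhost, since that last hop is not covered by the tunnel. The login joe@foo.com, the port 63333 and the socket path /tmp/pgtunnel.sock are assumed values.

```python
import socket
import subprocess
import time

PRIVATE_PORT_MIN, PRIVATE_PORT_MAX = 49152, 65535  # range quoted in the text

def tunnel_args(local_port, ssh_login, db_host="localhost", db_port=5432,
                control_socket="/tmp/pgtunnel.sock"):
    """argv for 'ssh -L local_port:db_host:db_port ssh_login'. -N/-f put it
    in the background without a shell; -M/-S open a control socket so the
    tunnel can later be closed with 'ssh -S <socket> -O exit'."""
    if not PRIVATE_PORT_MIN <= local_port <= PRIVATE_PORT_MAX:
        raise ValueError(f"local port {local_port} outside private range")
    return ["ssh", "-N", "-f", "-M", "-S", control_socket,
            "-L", f"{local_port}:{db_host}:{db_port}", ssh_login]

def hop_is_encrypted(db_host):
    """The tunnel covers client -> SSH server only; the SSH server -> db_host
    leg is cleartext unless db_host is the SSH server itself."""
    return db_host in ("localhost", "127.0.0.1", "::1")

def wait_for_port(port, host="localhost", timeout=10.0):
    """Poll until the local end of the tunnel accepts TCP connections."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1):
                return True
        except OSError:
            time.sleep(0.2)
    return False

def main(local_port=63333, ssh_login="joe@foo.com", db_host="localhost"):
    sock = "/tmp/pgtunnel.sock"  # assumed control socket path
    if not hop_is_encrypted(db_host):
        print(f"warning: SSH server -> {db_host} hop is not encrypted")
    subprocess.run(tunnel_args(local_port, ssh_login, db_host,
                               control_socket=sock), check=True)
    try:
        if not wait_for_port(local_port):
            raise RuntimeError("tunnel did not come up")
        subprocess.run(["psql", "-h", "localhost", "-p", str(local_port),
                        "postgres"])
    finally:  # close the background ssh through its control socket
        subprocess.run(["ssh", "-S", sock, "-O", "exit", ssh_login])

if __name__ == "__main__":
    main()
```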

18.11. Register Event Log on Windows

To register a Windows event log library with the operating system, issue this command:

regsvr32 pgsql_library_directory/pgevent.dll

This creates registry entries used by the event viewer, with the default event source named PostgreSQL. To specify a different event source name (see event_source), use the /n and /i options:

regsvr32 /n /i:event_source_name pgsql_library_directory/pgevent.dll


To unregister the event log library from the operating system, issue this command:

regsvr32 /u [/i:event_source_name] pgsql_library_directory/pgevent.dll

To enable event logging in the database server, modify log_destination in postgresql.conf to include eventlog.


Origin blog.csdn.net/weixin_42528266/article/details/108500934