dhis2-devs team mailing list archive

[Bob Jolliffe <bobjolliffe@xxxxxxxxx>]

Here is an example of some pg_hba.conf settings with comments which people
might find useful.  The database in this case is on a separate server.  The
application server (with tomcat and all) is on a machine called appserver
on 192.168.1.102.  Other machines we want to allow to connect from the
office are on the 192.168.2.0 subnet.

# do peer identification on unix domain (local) sockets
local   all             postgres             peer
local   all             all                        peer

# you need the following if you have dhis running on same machine as
database server
# because its java it can't use the unix domain sockets above, so we allow
direct non-ssl
# connection through tcp socket with password
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5

# special treatment for our appserver - it is in the same cabinet as the db
server connected via local backplane so we allow
# non-ssl connection from this machine only which is something of a speed
vs security tradeoff
host   all  all  192.168.1.102/32   md5

# allow MOH lan to connect but must use ssl
hostssl  all all  192.168.2.0/24  md5
# Only if you must - allow world to connect but definitely must use ssl
# I don't really like this, but frequently people want it because they want
to connect through various routes
# At the very least we insist on ssl
# hostssl  all all  0.0.0.0/0  md5

# This would be better, using ssl client cert, effectively equivalent to
Jason's openvpn
# It has the same headache of managing the distribution of client certs
# hostssl  all all  0.0.0.0/0  cert

Thats it.  At least it reflects my understanding of postgres access
settings.  Happy to accept improvements and/or clarifications.

Bob




On 4 March 2014 18:40, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:

> We have used OpenVPN/IPSec to allow direct access to the database for
> those users who need it. Therefore users do not need shell access and
> strong certificates can be used. This was viewed as a lower security risk
> than having PHP on the server or by opening up the database itself
> directly. Might also be a route to consider.
>
> Regards,
> Jason
>
> --Sent from my mobile
> On Mar 4, 2014 8:02 PM, "Bob Jolliffe" <bobjolliffe@xxxxxxxxx> wrote:
>
>> yes people talk highly of phpPgAdmin.  It has some small benefit over
>> pgadminIII that you don't have to explicitly open up your pg_hba.conf
>> settings to the full range of user/hosts which might connect.
>>
>> I guess it would be a simple enough app to embed phpPgAdmin into some
>> sort of iframe for integration with dhis ...
>>
>>
>> On 4 March 2014 16:16, Jason Pickering <jason.p.pickering@xxxxxxxxx>wrote:
>>
>>> Hi Greg,
>>> You may want to check out phpPgAdmin.
>>>
>>> PgAdminIII could also of course be used by directly connecting to the
>>> database with an ODBC connection.
>>>
>>> Regards,
>>> Jason
>>>
>>> --Sent from my mobile
>>> On Mar 4, 2014 12:26 PM, "Greg Rowles" <greg.rowles@xxxxxxxxx> wrote:
>>>
>>>> Hi Devs
>>>>
>>>> Is anyone aware of a web-based query gui-toolset? We have an 'IE'
>>>> designed tool here:
>>>>
>>>> http://hispsa.org/staging_timesheets/tablerels/viewtables.asp
>>>>
>>>> It only works on IE (sometimes) but at least allows users to see table
>>>> designs and edit SQL syntax. We're looking at something that we can plug-in
>>>> ontop of DHIS2 for our advanced users...
>>>>
>>>> Any responses will be appreciated...
>>>>
>>>> Thanks,
>>>> Greg
>>>> --
>>>>
>>>> Business Intelligence Planner
>>>> *Health Information Systems Programme*
>>>> *- - - - - - - **- - - - - - - **- - - - - - - **- - - - - - - **- - -
>>>> - - *
>>>> Mobile  :    073 246 2992
>>>> Landline:   021 554 3130
>>>> Fax:          086 733 8432
>>>>  Skype:      gregory_rowles
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>> More help   : https://help.launchpad.net/ListHelp
>>>>
>>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~dhis2-devs
>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>