I have a pgsql9.4 server running on CentOS with a pg_hba.conf to accept md5 connections from a certain range of IPs. With IPs redacted, my pg_hba.conf file looks like the following:
```
# TYPE  DATABASE  USER  ADDRESS  METHOD
# "local" is for Unix domain socket connections only
local   all  all                ident
# IPv4 local connections:
host    all  all  127.0.0.1/32  ident
# IPv6 local connections:
host    all  all  ::1/128       ident
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local  replication  postgres                peer
#host   replication  postgres  127.0.0.1/32  ident
#host   replication  postgres  ::1/128       ident
#local  #DBNAME#  #USERNAME#                    md5
#host   #DBNAME#  #USERNAME#  ###.###.###.0/24  md5
```
This configuration works great for IPs in the range of xxx.xx.xx.0 through xxx.xx.xx.24. However, when I try to increase it to accommodate access from a server on a higher IP number (112) and try to restart the postgres service, the service fails on restart.
I tried creeping the number up from 0/25 and made it up to a number which runs our Puppet server.
I also tried adding a second, identical record to encompass just the IP range 111/112 but to no avail.
Anyone have any ideas as to why Postgres might consider these to be an invalid pg_hba.conf?
EDIT: Forgot to mention that listen_addresses is set to '*' so that access can be controlled user-by-user inside of pg_hba.conf
Best Answer
That host information is in CIDR notation. When you use `172.16.33.0/24`, you are not giving the range from 0 to 24; you are, in fact, giving the range from `172.16.33.1` to `172.16.33.254` (read CIDR blocks to understand better why). The `ipcalc` tool can help you identify that:

So, `172.16.33.0/24` already includes `172.16.33.111` and `172.16.33.112`, meaning you don't need to do anything else in `pg_hba.conf` but add the line with `172.16.33.0/24`.
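
To audit which client addresses each CIDR entry in a `pg_hba.conf` actually admits, the sketch below (an added example, not part of the original question or answer) parses `host` lines with Python's `ipaddress` module, reports the covered range, and flags prefix lengths that cannot be a valid mask. The sample rules and the `appdb`/`appuser` names are constructed, and only the `address/prefix` form of the ADDRESS field is handled.

```python
import ipaddress

# Constructed sample rules (database/user names are placeholders).
# 172.16.33.0/24 is the network used in the answer above.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS           METHOD
host    appdb     appuser  172.16.33.0/24    md5
host    appdb     appuser  172.16.33.0/25    md5
host    appdb     appuser  172.16.33.0/112   md5
host    all       all      127.0.0.1/32      ident
"""

def parse_host_rules(text):
    """Yield (address_field, network or None) for each host line in CIDR form."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue
        addr = fields[3]
        try:
            # strict=False: the prefix length alone decides the covered range
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            net = None  # e.g. a prefix longer than 32 bits on an IPv4 address
        yield addr, net

def covered_range(cidr):
    """First address, last address and size of the block the mask covers."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses

def rules_matching(text, client_ip):
    """ADDRESS fields of every parsed rule whose block contains client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return [a for a, n in parse_host_rules(text) if n is not None and ip in n]

def invalid_rules(text):
    """ADDRESS fields that do not parse as address/prefix."""
    return [a for a, n in parse_host_rules(text) if n is None]

if __name__ == "__main__":
    for addr, net in parse_host_rules(SAMPLE_HBA):
        if net is None:
            print(f"{addr:18} INVALID prefix length")
        else:
            print(f"{addr:18} {net[0]} - {net[-1]} ({net.num_addresses} addresses)")
    print(rules_matching(SAMPLE_HBA, "172.16.33.112"))
```

The number after the slash is a count of fixed leading bits, so every step down from /32 doubles the number of addresses a rule admits; running a check like this before reloading shows how wide each entry really is.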