Support suffix matching of host names in pg_hba.conf

A name starting with a dot can be used to match a suffix of the actual host name (e.g., .example.com matches foo.example.com).
2025-07-28 23:42:10 +03:00 · 2010-10-24 15:54:00 +03:00
parent dd1587089c
commit 24b29ca8f9
3 changed files with 43 additions and 2 deletions
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@ -282,6 +282,14 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
       to resolve an IP address.)
      </para>

+      <para>
+       A host name specification that starts with a dot
+       (<literal>.</literal>) matches a suffix of the actual host
+       name.  So <literal>.example.com</literal> would match
+       <literal>foo.example.com</literal> (but not just
+       <literal>example.com</literal>).
+      </para>
+
      <para>
       When host names are specified
       in <filename>pg_hba.conf</filename>, you should make sure that
@ -310,6 +318,12 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        everyone's problem.
       </para>

+       <para>
+        Also, a reverse lookup is necessary to implement the suffix
+        matching feature, because the actual client host name needs to
+        be known in order to match it against the pattern.
+       </para>
+
       <para>
        Note that this behavior is consistent with other popular
        implementations of host name-based access control, such as the
@ -605,6 +619,12 @@ host    postgres        all             192.168.93.0/24         ident
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 host    postgres        all             192.168.12.10/32        md5

+# Allow any user from hosts in the example.com domain to connect to
+# any database if the user's password is correctly supplied.
+#
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+host    all             all             .example.com            md5
+
 # In the absence of preceding "host" lines, these two lines will
 # reject all connections from 192.168.54.1 (since that entry will be
 # matched first), but allow Kerberos 5 connections from anywhere else