Home / server / Questions / 1025027
In Process
TheCooocy
Asked: 2020-07-14 02:10:38 +0800 CST

Postgres authentication type "local" vs "host 127.0.0.1"

  • 772

I have a Postgres v10 Server to which only local connections will be established. In the documentation I find two methods to configure such an authentication process in pg_hba.conf: local and host with 127.0.0.1:

# Allow any user on the local system to connect to any database with
# any database user name using Unix-domain sockets (the default for local
# connections).
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust

# The same using local loopback TCP/IP connections.
#
# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    all             all             127.0.0.1/32            trust

Are there any best practices or security concerns over which type (Unix Domain Socket vs TCP/IP Socket) I should choose, as they seem to be both applicable to my usecase? Of course I will select another auth-method other than "trust".

authentication postgresql socket localhost

1 Answers

  1. Provided the database client supports it I would always prefer a connection over Unix domain socket for local connections for these reasons:

    • You can protect access to the Unix domain socket by file system restrictions (varys depending on your OS)
    • You can securely use a password-less access by using the Unix peer credentials
    • When allowing TCP access via 127.0.0.1 all local processes have access and thus you additionally have to use password authentication or similar (unless you use some rather exotic iptables plugins)
    • You can avoid the TCP overhead
    • 1