pg_hba.conf generator
Configure PostgreSQL client authentication with AI-guided access control rules
For people who need to set up or modify pg_hba.conf to control who can connect to their PostgreSQL database, which authentication method to use, and how to lock down access for production environments.
About this tool
PostgreSQL's host-based authentication file, pg_hba.conf, is the front door to your database. Every client connection is checked against this file from top to bottom, and the first matching rule wins — there is no deny-then-allow layering, no rule merging, and no second chances. A misconfigured pg_hba.conf can lock you out of your own database or, worse, leave it wide open to unauthorized access. Getting it right requires understanding connection types, authentication methods, network addressing, and the critical importance of rule ordering.
Each line in pg_hba.conf specifies a connection type (local, host, hostssl, hostnossl, or hostgssenc), a target database, a target role, an optional client address in CIDR notation, and an authentication method. The connection types determine the transport layer: local matches Unix domain socket connections only, host matches any TCP/IP connection regardless of encryption, hostssl requires TLS, hostnossl matches only unencrypted TCP, and hostgssenc (PostgreSQL 12+) requires GSSAPI encryption. Choosing the right connection type is the first layer of defense — in production, hostssl should be the default for all remote access.
This tool generates pg_hba.conf entries based on your specific access requirements. Describe who needs to connect (application servers, developers, replication standby nodes, monitoring agents), from where (local socket, specific IPs, CIDR ranges, entire subnets), to which databases and roles, and the tool produces correctly formatted rules with the appropriate authentication method — scram-sha-256 for password-based access, cert for mutual TLS, peer for local Unix socket connections, or reject to explicitly block unwanted access patterns. The CIDR notation for addresses follows standard conventions: /32 for a single IPv4 host, /24 for a 256-address subnet, /16 for a class B network, and 0.0.0.0/0 for all IPv4 addresses. IPv6 equivalents use ::1/128 for loopback and ::/0 for all addresses.
The tool follows the principle of least privilege throughout: it defaults to the narrowest access possible and only broadens rules when you explicitly require it. It warns against common mistakes like placing a broad 0.0.0.0/0 rule before a narrow subnet rule (which makes the narrow rule unreachable), using trust authentication in any network-facing context, or relying on the deprecated md5 method when scram-sha-256 is available. It also generates rules in the correct order — reject rules first, then narrow CIDR ranges before broad ones, with a catch-all reject at the bottom. Authentication methods are chosen based on the connection context: scram-sha-256 for general password-based access (the strongest password method, using a salted challenge-response protocol), cert for automated service-to-service connections where managing TLS certificates is feasible, peer for local DBA access where the operating system user identity provides sufficient assurance, and gss for Kerberos-integrated enterprise environments.
For production deployments, the tool emphasizes hostssl over plain host to enforce encrypted connections, recommends certificate-based authentication for service-to-service communication, and generates separate replication entries with dedicated replication roles. It also addresses common production patterns: separating application roles from administrative roles, restricting superuser login to local connections only, and configuring pg_ident.conf user name maps for environments where OS user names do not match database role names. For development environments, it produces permissive but still safe configurations — local peer authentication and scram-sha-256 for localhost, without opening the database to the entire network.
After generating your rules, the tool explains how to apply them safely: editing the file, verifying syntax with pg_hba_file_rules() (PostgreSQL 10+), and reloading with select pg_reload_conf() or pg_ctl reload — no full restart required unless you are changing SSL certificate paths in postgresql.conf. It also covers how pg_hba.conf interacts with pg_ident.conf for user name mapping and with SSL settings in postgresql.conf. PostgreSQL 16 introduced include, include_if_exists, and include_dir directives for splitting pg_hba.conf into multiple files — the tool can generate modular configurations using these directives when targeting PostgreSQL 16 or later.
- Never generate "trust" rules for TCP/IP connections — trust means no authentication, and any client matching the address can connect without a password
- Always recommend scram-sha-256 over md5 — md5 hashes stored in pg_authid are vulnerable to offline brute-force attacks
- Warn users before generating rules with 0.0.0.0/0 or ::/0 — these match every IPv4 or IPv6 address and should only appear in reject rules or behind SSL with strong auth
- Remind users to keep a working backup of pg_hba.conf before editing and to test from a separate session after reload to avoid lockout
Examples
# TYPE DATABASE USER ADDRESS METHOD
# Local connections — peer auth (OS user must match DB role)
local all postgres peer
local all all peer
# Localhost — password auth over loopback (dev and admin)
host all all 127.0.0.1/32 scram-sha-256
host all all ::1/128 scram-sha-256
# Application servers — SSL required, app DB only
hostssl myapp_prod myapp_user 10.0.1.0/24 scram-sha-256
hostssl myapp_prod myapp_user 10.0.2.0/24 scram-sha-256
# Replication — dedicated role, SSL required
hostssl replication repl_user 10.0.10.11/32 scram-sha-256
hostssl replication repl_user 10.0.10.12/32 scram-sha-256
# Monitoring — read-only role, specific host
hostssl all monitor_user 10.0.5.20/32 scram-sha-256
# Reject everything else
host all all 0.0.0.0/0 reject
host all all ::/0 reject
A production-grade pg_hba.conf demonstrating layered access: local peer auth for the DBA, scram-sha-256 over SSL for application servers restricted to their database, dedicated replication entries with /32 masks, a monitoring role, and explicit catch-all reject rules at the bottom.
# Development environment — permissive but not reckless
local all all peer
host all all 127.0.0.1/32 scram-sha-256
host all all ::1/128 scram-sha-256
host all all 192.168.0.0/16 scram-sha-256
A development pg_hba.conf that allows local and LAN access with password authentication. Note: even in development, trust is not used — scram-sha-256 costs nothing in convenience (password is cached by clients like psql via .pgpass) and prevents accidental exposure.
Inputs and outputs
What you provide
- Access requirements: roles, databases, source IPs or CIDR ranges
- Connection types needed: local, host, hostssl, replication
- Authentication preferences: scram-sha-256, cert, peer, or specific constraints
- PostgreSQL version (for method and feature compatibility)
What you get
- Complete pg_hba.conf rule block with aligned columns and comments
- Security analysis and warnings for each rule
- Step-by-step instructions for applying and verifying the configuration
Use cases
- Setting up initial pg_hba.conf for a new PostgreSQL production deployment with strict security requirements
- Configuring replication access for streaming replication standby servers with dedicated replication roles
- Migrating from md5 to scram-sha-256 authentication across all connection rules
- Restricting database access by application — ensuring each microservice can only reach its own database
- Configuring certificate-based authentication (hostssl with cert method) for zero-trust environments
- Setting up separate access rules for developers, applications, monitoring agents, and backup tools
Features
- Generates correctly ordered pg_hba.conf rules following first-match-wins semantics
- Defaults to scram-sha-256 and hostssl, following the principle of least privilege
- Validates CIDR notation and warns about overly broad network ranges
- Produces separate rule blocks for application access, replication, monitoring, and administrative use
- Explains each generated rule with inline comments describing its purpose
- Warns against insecure patterns: trust over TCP, md5 when scram-sha-256 is available, 0.0.0.0/0 without SSL
Frequently asked questions
What is the difference between host, hostssl, hostnossl, and hostgssenc in pg_hba.conf?
These connection type keywords control which TCP/IP connections a rule matches based on encryption status. host matches any TCP/IP connection, whether encrypted or not — it is the broadest and least secure option for remote access. hostssl matches only connections made over SSL/TLS, rejecting unencrypted attempts; this is the recommended default for production because it ensures data in transit is encrypted. hostnossl matches only unencrypted connections — it exists mainly to apply different auth methods to encrypted vs. unencrypted connections, but in practice you should rarely need it. hostgssenc (PostgreSQL 12+) matches connections encrypted with GSSAPI encryption, which is used in Kerberos environments. There is also local, which matches Unix domain socket connections only — these never traverse the network and are inherently safe from eavesdropping, making peer authentication a natural fit. For any rule that handles connections over a network (even a private one), prefer hostssl over host. If your PostgreSQL server has SSL configured (which it should for any production deployment), switching from host to hostssl costs nothing in performance and eliminates the possibility of an unencrypted connection slipping through.
How does rule ordering work in pg_hba.conf and why does it matter?
PostgreSQL evaluates pg_hba.conf rules strictly from top to bottom and uses the first rule that matches the connection's type, database, user, and address. There is no "best match" algorithm, no weighting, and no fallthrough — the first match is the only match. This first-match-wins behavior means rule ordering is critical for security. A common mistake is placing a broad rule like host all all 0.0.0.0/0 scram-sha-256 above a narrow reject rule like host all all 10.0.99.0/24 reject — the broad rule matches first, and the reject rule is never reached. The correct pattern is: place reject rules first, then the most specific allow rules (individual IPs with /32), then progressively broader subnet rules, and finally a catch-all reject at the bottom. Another ordering mistake involves the local keyword: local rules only match Unix socket connections and do not overlap with host rules at all, so their ordering relative to host lines does not matter — but ordering among multiple local rules still matters. When in doubt, test your configuration with select * from pg_hba_file_rules() (PostgreSQL 10+), which shows the parsed rules in evaluation order and flags any syntax errors without needing a reload.
When should I use scram-sha-256 vs. md5 vs. cert vs. peer authentication?
scram-sha-256 is the recommended password-based method for PostgreSQL 10+ and the default since PostgreSQL 14. It uses a salted challenge-response protocol that never sends the password over the wire (even without SSL) and stores only a cryptographic verifier in pg_authid, not a reversible hash. Use it for any connection that authenticates with a password. md5 is the legacy password method — it is weaker because the md5 hash stored in the catalog can be brute-forced offline, and the over-the-wire challenge can be replayed under certain conditions. Migrate away from md5 unless you have clients that do not support SCRAM. cert (client certificate authentication) is the strongest option for service-to-service connections: the client presents a TLS certificate signed by your CA, and PostgreSQL verifies it and extracts the common name (CN) as the user name. It eliminates passwords entirely and works well in automated deployments. peer is for local Unix socket connections only — it asks the OS kernel for the connecting process's user ID and matches it to a PostgreSQL role name (with optional mapping via pg_ident.conf). It is the natural choice for DBA access from the database server itself. Other methods: gss for Kerberos/Active Directory environments, ident for TCP connections where an ident server is running (rare today), reject to explicitly deny matching connections, and trust which should never appear in production — it grants access with no authentication whatsoever.
How do I apply pg_hba.conf changes without restarting PostgreSQL?
Changes to pg_hba.conf take effect after a configuration reload — you do not need a full server restart. The safest approach is: first, edit the file and save it. Second, verify the syntax before reloading by running select * from pg_hba_file_rules() (PostgreSQL 10+), which parses the file and shows any errors in the error column without applying the changes. Third, reload the configuration using one of these methods: from a SQL session run select pg_reload_conf(), from the command line run pg_ctl reload -D /path/to/data, or send a SIGHUP signal to the postmaster process. The reload is non-disruptive — existing connections are not dropped and continue using the authentication rule they originally matched. Only new connections will be evaluated against the updated rules. There is one exception: if you change SSL-related parameters in postgresql.conf (like ssl_cert_file or ssl_key_file), those also take effect on reload for new connections since PostgreSQL 9.1+, but changing the ssl parameter itself from off to on requires a restart. Always keep a backup of the working pg_hba.conf before editing, and test the reload from a separate session so you can revert if you accidentally lock yourself out.
Related tools
Ready to try it?
Use this tool for free — powered by PostgresAI.