From: Roland Müller
Date: Tue, 14 Apr 2026 08:51:59 +0300
Subject: Re: sslmode - detecting local docker
To: AJ Weber
Cc: pgsql-admin@lists.postgresql.org

With docker or podman you can list the networks and inspect them one by one to get their subnets. This information could then be used in pg_hba.conf.

E.g. using podman, docker should be the same except for the name of the command:

$ podman network ls
NETWORK ID    NAME        DRIVER
2f259bab93aa  podman      bridge
$ podman inspect 2f259bab93aa
...
          "subnets": [
               {
                    "subnet": "SOME_IP_NET/SOME_MASK",
                    "gateway": "SOME_IP_ADDR"
               }
          ],
...

On Mon, 13 Apr 2026 at 16:09, AJ Weber wrote:

> I'm trying to configure my custom JDBC connection to be as safe as
> practical.
>
> Years gone by, I would simply check if the URL (configured-property) had
> "localhost" in it, and do nothing. Recently I decided I'd check for
> localhost AND see if any "ssl" was explicitly already set in the URL.
> If not, I tried adding ssl=true as a connection param. This fails when
> using a postgresql docker container, because they typically are not
> configured for SSL, but the hostname is also not "localhost".
>
> Besides changing my logic to add "sslmode=prefer" (instead of "true",
> which may be the default anyway), does anyone have a good way to
> determine if the JDBC URL is actually a docker container running on the
> same host?
>
> Currently running v16.x, but these modes haven't changed in a long time,
> so I suppose this question applies across currently supported versions.
>
> Thanks in advance,
>
> AJ
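
One way to use the inspect output from the reply above, as an added example that is not part of the original messages: it extracts the subnets, checks whether an already-resolved address lies inside one, and builds pg_hba.conf records that accept non-TLS connections only from those subnets. The sample JSON and its addresses are constructed, the function names are hypothetical, and the docker branch assumes the `IPAM.Config` layout that `docker network inspect` prints.

```python
import ipaddress
import json

# Constructed sample input: trimmed `podman network inspect` and
# `docker network inspect` output. The addresses are placeholders.
PODMAN_JSON = """[{"name": "podman", "driver": "bridge",
  "subnets": [{"subnet": "10.88.0.0/16", "gateway": "10.88.0.1"}]}]"""
DOCKER_JSON = """[{"Name": "bridge", "Driver": "bridge",
  "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]}}]"""


def container_subnets(inspect_json):
    """Return the subnets listed in podman- or docker-style inspect output."""
    nets = []
    for network in json.loads(inspect_json):
        entries = list(network.get("subnets") or [])               # podman layout
        entries += (network.get("IPAM") or {}).get("Config") or []  # docker layout
        for entry in entries:
            cidr = entry.get("subnet") or entry.get("Subnet")
            if cidr:
                nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def is_container_address(addr, nets):
    """True if addr (an already-resolved IP string) lies in a container subnet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)  # mixed IPv4/IPv6 compares as False


def hba_rules(nets, method="scram-sha-256"):
    """pg_hba.conf records: non-TLS only from container subnets, TLS elsewhere.

    pg_hba.conf is first-match. A non-TLS connection from any other address
    matches no record here and is rejected.
    """
    rules = [f"hostnossl all all {net} {method}" for net in nets]
    rules.append(f"hostssl all all 0.0.0.0/0 {method}")
    rules.append(f"hostssl all all ::/0 {method}")
    return rules


if __name__ == "__main__":
    subnets = container_subnets(PODMAN_JSON) + container_subnets(DOCKER_JSON)
    print("\n".join(hba_rules(subnets)))
    print(is_container_address("10.88.0.5", subnets))
```
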