我有一个运行的微型免费层RHEL 6实例,并使用yum指令安装了postgresql 9.2: http://yum.pgrpms.org/howtoyum.php
我可以使用服务器本地连接到PG服务器:
03:46:20 root@xxx[~]$ psql -hlocalhost -p5432 -Upostgres
但是我从来没有成功地在盒子外连接它。错误消息如下所示:
12:11:56 saladinxu@GoodOldMBP[~]$ psql -h ec2-xxx.ap-southeast-1.compute.amazonaws.com -p5432 -Upostgres
psql: could not connect to server: Connection refused
Is the server running on host "ec2-54-251-188-3.ap-southeast-1.compute.amazonaws.com" (54.251.188.3) and accepting TCP/IP connections on port 5432?
我尝试了很多不同的方法。以下是我的配置文件现在的样子:
/var/lib/pgsql/9.2/data/postgresql.conf:
...
# - Connection Settings -
listen_addresses = '*' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
port = 5432 # (change requires restart)
max_connections = 100 # (change requires restart)
...
/var/lib/pgsql/9.2/data/pg_hba.conf:
# TYPE DATABASE USER ADDRESS METHOD
host all pgadmin 0.0.0.0/24 trust
host all all [my ip]/24 md5
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 ident
# IPv6 local connections:
host all all ::1/128 ident
我已尝试将上述地址设为0.0.0.0/0,但ID无效。
每次我做出更改,我都会通过运行
重新启动service postgresql-9.2 restart
在此EC2实例的安全组中,我可以看到此规则:
TCP
Port (Service) Source Action
22 (SSH) 0.0.0.0/0 Delete
80 (HTTP) 0.0.0.0/0 Delete
5432 0.0.0.0/0 Delete
netstat命令显示端口已打开:
04:07:46 root@ip-172-31-26-139[~]$ netstat -na|grep 5432
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN
tcp 0 0 :::5432 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 14365 /tmp/.s.PGSQL.5432
回答bma的问题:
如果我在本地服务器上运行nmap命令,似乎建议通过内部DNS进入另一个5432已打开的主机:
10:16:05 root@ip-172-31-26-139[~]$ nmap -Pnv -p 5432 ec2-54-251-188-3.ap-southeast-1.compute.amazonaws.com
Starting Nmap 5.51 ( http://nmap.org ) at 2013-07-22 10:16 EDT
Nmap scan report for ec2-54-251-188-3.ap-southeast-1.compute.amazonaws.com (172.31.26.139)
Host is up (0.00012s latency).
rDNS record for 172.31.26.139: ip-172-31-26-139.ap-southeast-1.compute.internal
PORT STATE SERVICE
5432/tcp open postgresql
Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds
iptables命令提供以下输出
10:16:14 root@ip-172-31-26-139[~]$ iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
25776 14M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
45 1801 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
251 15008 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
35 2016 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 21695 packets, 5138K bytes)
pkts bytes target prot opt in out source destination
[根据bma的建议加入后编辑]
新增加后,iptables看起来像这样:
11:57:20 root@ip-172-31-26-139[~]$ iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
26516 14M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
47 1885 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
255 15236 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
38 2208 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
0 0 ACCEPT tcp -- * * [my ip] 54.251.188.3 tcp spts:1024:65535 dpt:5432 state NEW,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 54.251.188.3 tcp spt:5432 dpts:1024:65535 state ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 5 packets, 1124 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 54.251.188.3 [my ip] tcp spt:5432 dpts:1024:65535 state ESTABLISHED
0 0 ACCEPT tcp -- * * 54.251.188.3 0.0.0.0/0 tcp spts:1024:65535 dpt:5432 state NEW,ESTABLISHED
但是我仍然无法连接(同样的错误)。这里可能缺少什么?
答案 0 :(得分:6)
我找到了解决这个问题的方法。 需要做两件事。
使用文本编辑器修改pg_hba.conf。找到该行:
host all all 127.0.0.1/0 md5.
紧接其下方,添加以下新行:
host all all 0.0.0.0/0 md5
编辑PostgreSQL postgresql.conf文件:
使用文本编辑器修改postgresql.conf。
找到以#listen_addresses = 'localhost'开头的行。
删除#取消注释该行,并将'localhost'更改为'*'。
这条线现在应该是这样的:
listen_addresses = '*' # what IP address(es) to listen on;.
现在只需重启你的postgres服务即可连接
答案 1 :(得分:2)
你有防火墙阻塞端口5432吗?快速nmap显示它正在被过滤。
nmap -Pnv -p 5432 ec2-54-251-188-3.ap-southeast-1.compute.amazonaws.com
Starting Nmap 6.00 ( http://nmap.org ) at 2013-07-21 11:05 PDT
Nmap scan report for ec2-54-251-188-3.ap-southeast-1.compute.amazonaws.com (54.251.188.3)
Host is up (0.19s latency).
PORT STATE SERVICE
5432/tcp filtered postgresql
您的EC2上的iptables对端口5432显示了什么?
iptables -nvL
[在OP之后添加了更多细节]
Netstat显示它正在侦听,但防火墙输出看起来并不像5432端口是打开的(我承认不是网络人员)。参考以前安装的一些笔记,您可能需要打开EC2端口5432到您的IP。
要允许输入防火墙访问,请将YOUR-REMOTE-IP替换为您所连接的IP:
iptables -A INPUT -p tcp -s YOUR-REMOTE-IP --sport 1024:65535 -d 54.251.188.3 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 54.251.188.3 --sport 5432 -d YOUR-REMOTE-IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
- 出站访问
iptables -A OUTPUT -p tcp -s 54.251.188.3 --sport 1024:65535 -d 0/0 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 5432 -d 54.251.188.3 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
之后iptables -nvL列出了什么。你能连接吗?
答案 2 :(得分:0)
看起来你的pg_hba.conf在组名后面错过了“+”。尝试
# TYPE DATABASE USER ADDRESS METHOD
host all pgadmin+ 0.0.0.0/24 trust
host all all [my ip]/24 md5
pg_hba.conf解释了用户:
值all指定它匹配所有用户。否则,这可以是特定数据库用户的名称,也可以是以+开头的组名称。 (回想一下,PostgreSQL中的用户和组之间没有真正的区别; +标记实际上意味着“匹配直接或间接成为此角色的任何角色”,而没有+标记的名称仅匹配该特定角色。 )