A default PostgreSQL installation on RHEL 8 only accepts connections from the local machine over a Unix socket. To allow client applications on other hosts to connect, you must configure the server to listen on a network interface, update the host-based authentication file, open the firewall port, and enable SSL so that credentials and data travel over an encrypted channel. This tutorial covers every configuration file and command needed to set up remote access with TLS on PostgreSQL 14 or later.

Prerequisites

  • RHEL 8 server with PostgreSQL installed via dnf and the postgresql service initialised (postgresql-setup --initdb)
  • A second host or VM to act as the remote client with psql installed
  • sudo or root access on the server
  • Basic knowledge of PostgreSQL roles and databases

Step 1 — Configure postgresql.conf to Listen on the Network

By default listen_addresses is set to localhost, which causes PostgreSQL to accept only local socket and loopback connections. Edit the main configuration file to change this to '*' (all interfaces) or to a specific IP address if you prefer a tighter binding.

sudo nano /var/lib/pgsql/data/postgresql.conf

Find and update the following line (remove the leading # to uncomment it):

listen_addresses = '*'

While the file is open, also verify that the port directive is set to 5432 (the default).

Step 2 — Update pg_hba.conf to Allow Remote Connections

The host-based authentication file controls which hosts may connect, which users are permitted, and which authentication method is required. Add a line that permits remote clients to authenticate using scram-sha-256 (preferred on PostgreSQL 14+) or md5 for older clients. Each field is separated by whitespace: type, database, user, address, method.

sudo nano /var/lib/pgsql/data/pg_hba.conf

Append the following line at the end of the file. Replace the CIDR range with the subnet or specific IP of your client(s).

# Allow remote connections from the application subnet using SCRAM-SHA-256
host    all             all             192.168.1.0/24          scram-sha-256

# To allow any host (not recommended for production without additional firewall rules):
# host    all             all             0.0.0.0/0               scram-sha-256

Step 3 — Open the Firewall Port

RHEL 8 uses firewalld as its default firewall manager. Add a permanent rule for TCP port 5432 and reload the firewall to apply the change without dropping existing connections.

sudo firewall-cmd --permanent --add-port=5432/tcp
sudo firewall-cmd --reload

# Confirm the rule is active
sudo firewall-cmd --list-ports

Step 4 — Generate a Self-Signed Certificate for SSL

PostgreSQL expects the server certificate at server.crt and the private key at server.key inside the data directory. Generate a self-signed certificate valid for one year. For production environments replace this with a certificate signed by a trusted CA.

cd /var/lib/pgsql/data

sudo -u postgres openssl req -new -x509 -days 365 -nodes 
  -out server.crt 
  -keyout server.key 
  -subj "/CN=postgres-server"

# PostgreSQL requires the key to be readable only by the postgres user
sudo chmod 600 /var/lib/pgsql/data/server.key
sudo chown postgres:postgres /var/lib/pgsql/data/server.{crt,key}

Step 5 — Enable SSL in postgresql.conf and Restart

Set ssl = on and point to the certificate files. Because the files reside in the data directory, relative paths are sufficient. After saving the configuration file, restart the service.

sudo nano /var/lib/pgsql/data/postgresql.conf

Set or uncomment the following directives:

ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file  = 'server.key'
sudo systemctl restart postgresql

Step 6 — Test the Remote Connection

From the remote client machine, use psql with the sslmode=require parameter to confirm that the connection is encrypted. Replace the values with your server IP, database name, and username.

# Connect with SSL required
psql "host=203.0.113.10 port=5432 dbname=mydb user=myuser sslmode=require"

# Inside psql, confirm the SSL state
conninfo

The output of conninfo will state SSL connection (protocol: TLSv1.3, …) if encryption is active. To reject unencrypted connections outright, change scram-sha-256 to hostssl in pg_hba.conf and set sslmode=verify-full along with the CA certificate on the client.

Conclusion

You have configured PostgreSQL on RHEL 8 to accept remote connections by updating listen_addresses, adding a client record to pg_hba.conf, opening port 5432 through firewalld, generating a self-signed TLS certificate, and enabling SSL in postgresql.conf. The server now accepts encrypted remote connections and rejects plain-text ones when hostssl rules are in place.

Next steps: How to Set Up PostgreSQL Streaming Replication on RHEL 8, How to Back Up PostgreSQL with pg_dump and pg_basebackup on RHEL 8, and How to Secure MySQL on RHEL 8.