How to Configure PostgreSQL Remote Access and SSL on RHEL 7

By default, PostgreSQL on RHEL 7 only accepts connections from localhost and rejects all remote clients. For multi-tier applications where the web or application server runs on a separate host from the database, you need to explicitly open PostgreSQL to remote connections — and equally important, protect those connections with SSL/TLS encryption. This guide covers editing pg_hba.conf and postgresql.conf, opening the firewall for port 5432, enabling SSL with proper certificates, and verifying encrypted connectivity with the psql command-line client.

Prerequisites

  • RHEL 7 server with PostgreSQL installed (version 9.4, 9.6, or 10 from the PGDG or SCL repository)
  • Root or sudo access
  • PostgreSQL service running: sudo systemctl status postgresql-9.6
  • A remote client machine with psql installed for testing
  • Basic familiarity with PostgreSQL roles and databases

Step 1: Locate the PostgreSQL Data Directory

PostgreSQL stores its configuration files inside the data directory. The path depends on the version and how PostgreSQL was installed. For the PGDG PostgreSQL 9.6 package on RHEL 7:

ls /var/lib/pgsql/9.6/data/

You should see files including postgresql.conf, pg_hba.conf, and pg_ident.conf. If you installed via the Red Hat Software Collections (SCLO), the path may instead be:

/var/opt/rh/rh-postgresql96/lib/pgsql/data/

Confirm the active data directory from within PostgreSQL if unsure:

sudo -u postgres psql -c "SHOW data_directory;"

Step 2: Configure listen_addresses in postgresql.conf

The listen_addresses parameter controls which network interfaces PostgreSQL accepts connections on. Edit postgresql.conf:

sudo vi /var/lib/pgsql/9.6/data/postgresql.conf

Find the listen_addresses line (it may be commented out) and update it:

# To listen on all interfaces:
listen_addresses = '*'

# Or to listen only on a specific private IP:
listen_addresses = '10.0.0.5'

Using '*' is convenient during initial setup, but in production it is preferable to specify the exact IP address of the interface that faces your application servers, leaving public-facing interfaces excluded.

Also confirm the default port (5432) is set:

port = 5432

Step 3: Add a Host Entry in pg_hba.conf

PostgreSQL uses pg_hba.conf (host-based authentication) to decide which hosts may connect, which users, to which databases, and with what authentication method. The file is processed top to bottom, and the first matching rule wins.

sudo vi /var/lib/pgsql/9.6/data/pg_hba.conf

Add a line at the bottom (or after the existing local entries) for your remote application server. For password-based access from a specific subnet:

# TYPE  DATABASE        USER            ADDRESS                 METHOD
host    appdb           appuser         10.0.0.0/24             md5

To require SSL for the remote connection, use the hostssl type instead of host:

hostssl appdb           appuser         10.0.0.0/24             md5

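A hostssl rule matches only connections that use SSL, so a non-SSL attempt is rejected unless another rule (such as a plain host line for the same client) also matches it. This provides an additional layer of enforcement beyond the server-level SSL setting.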
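An added example, not part of the original guide: a small Python checker that applies the first-match-wins rule to a constructed pg_hba.conf and reports whether a non-SSL client would still be let through. The function names are hypothetical, and the parser is simplified to CIDR addresses, the all keyword and comma-separated names.

```python
import ipaddress

# Constructed sample: a broad `host` rule sits above the stricter `hostssl` rule.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS       METHOD
local   all       all                    peer
host    all       all      127.0.0.1/32  md5
host    appdb     appuser  10.0.0.0/24   md5
hostssl appdb     appuser  10.0.0.0/24   md5
"""

def parse_hba(text):
    """Return TCP rules as (type, dbs, users, network, method) tuples."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue  # blank lines, comments and `local` (Unix-socket) rules
        kind, dbs, users, addr, method = fields[:5]
        rules.append((kind, dbs.split(","), users.split(","),
                      ipaddress.ip_network(addr), method))
    return rules

def first_match(rules, db, user, client_ip, ssl):
    """Walk the rules top to bottom and return the first one that applies."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        kind, dbs, users, net, _method = rule
        if (kind == "hostssl" and not ssl) or (kind == "hostnossl" and ssl):
            continue  # rule type does not cover this kind of connection
        if "all" not in dbs and db not in dbs:
            continue
        if "all" not in users and user not in users:
            continue
        if ip.version == net.version and ip in net:
            return rule
    return None  # nothing matched: PostgreSQL rejects the connection

def plaintext_allowed(hba_text, db, user, client_ip):
    """True if a non-SSL connection would reach an authentication method."""
    rule = first_match(parse_hba(hba_text), db, user, client_ip, ssl=False)
    return rule is not None and rule[4] != "reject"

if __name__ == "__main__":
    print(plaintext_allowed(SAMPLE_HBA, "appdb", "appuser", "10.0.0.20"))
```

In the sample, the plain host line for 10.0.0.0/24 shadows the hostssl line below it; removing that line is what makes hostssl enforce encryption.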

Common pg_hba.conf authentication methods:

  • md5 — MD5-hashed password (widely supported)
  • scram-sha-256 — Stronger password method (PostgreSQL 10+)
  • reject — Explicitly deny the connection
  • trust — No password required (only use for local socket connections in controlled environments)

Step 4: Open the Firewall for Port 5432

RHEL 7 uses firewalld by default. Open port 5432, optionally restricting it to your application server’s IP or subnet for tighter security:

# Allow from entire private subnet
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="5432" protocol="tcp" accept'
sudo firewall-cmd --reload

To open it to all hosts (less secure, for testing only):

sudo firewall-cmd --permanent --add-port=5432/tcp
sudo firewall-cmd --reload

Verify the rule was applied:

sudo firewall-cmd --list-all

Step 5: Enable SSL in PostgreSQL

PostgreSQL supports native SSL/TLS. You need an SSL certificate and key placed in the data directory. For production, use a certificate signed by your internal CA or a trusted public CA. For testing, generate a self-signed certificate:

sudo -u postgres openssl req -new -x509 -days 365 -nodes \
  -text -out /var/lib/pgsql/9.6/data/server.crt \
  -keyout /var/lib/pgsql/9.6/data/server.key \
  -subj "/CN=pgserver.example.com"

Set strict permissions on the key file (PostgreSQL refuses to start if the key is world-readable):

sudo chmod 600 /var/lib/pgsql/9.6/data/server.key
sudo chown postgres:postgres /var/lib/pgsql/9.6/data/server.key /var/lib/pgsql/9.6/data/server.crt

Edit postgresql.conf to enable SSL and point to the certificate files:

ssl = on
ssl_cert_file = 'server.crt'
ssl_key_file  = 'server.key'

# Optional: CA used to verify client certificates
# (clients must present one only on pg_hba.conf lines that set clientcert=1)
# ssl_ca_file = 'root.crt'

Note: the paths for ssl_cert_file and ssl_key_file are relative to the data directory unless you specify an absolute path.

Step 6: Restart PostgreSQL and Verify

Apply all configuration changes by restarting the service:

sudo systemctl restart postgresql-9.6
sudo systemctl status postgresql-9.6

Check the PostgreSQL log for any SSL errors:

sudo tail -50 /var/lib/pgsql/9.6/data/pg_log/postgresql-*.log

Confirm PostgreSQL is listening on the expected address and port:

ss -tlnp | grep 5432

Step 7: Test Remote Connection with psql

From your remote application server or client machine, test the connection. First, with psql's default settings to confirm basic connectivity (the default sslmode=prefer still negotiates SSL when the server offers it):

psql -h 10.0.0.5 -U appuser -d appdb

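To test with SSL explicitly required (sslmode=require encrypts the session but does not verify the server certificate; that takes sslmode=verify-ca or verify-full together with sslrootcert):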

psql "host=10.0.0.5 user=appuser dbname=appdb sslmode=require"

Once connected, verify the SSL status of the current session:

appdb=> \conninfo

You should see output similar to:

You are connected to database "appdb" as user "appuser" on host "10.0.0.5" at port "5432".
SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)

If you used hostssl in pg_hba.conf and a client tries to connect without SSL (sslmode=disable), the connection will be refused — exactly the intended behavior.

Conclusion

Enabling remote access and SSL for PostgreSQL on RHEL 7 requires coordinated changes across postgresql.conf, pg_hba.conf, the system firewall, and the SSL certificate infrastructure. By binding PostgreSQL to the correct network interface, restricting access via pg_hba.conf to known hosts and users, opening only the specific firewall rule needed, and enforcing SSL with the hostssl connection type, you achieve both the connectivity your application needs and the security posture your infrastructure demands. Always prefer SSL-enforcing hostssl entries over plain host entries for any network that extends beyond a single trusted host.