gnumed-devel

Re: [Gnumed-devel] Re: GNUmed (debian) servers and security


From: Karsten Hilbert
Subject: Re: [Gnumed-devel] Re: GNUmed (debian) servers and security
Date: Mon, 28 Jan 2008 16:09:54 +0100
User-agent: Mutt/1.5.17+20080114 (2008-01-14)

On Sun, Jan 27, 2008 at 10:08:31PM -0800, James Busser wrote:

> Partly, I am thinking that when trying to access GNUmed from inside a  
> hospital, many hospitals are strict about port egress. It is possible  
> that they may allow only ports 80 and 443.
>
> Would it therefore work to configure a client (that needed to connect  
> from inside a hospital) to connect to a GNUmed server on port 443?
Yes. One sets the port to 443 in the relevant profile in the
config file.

> This 
> scenario would require that the server has port redirection set up, to 
> forward the incoming request to Postgres port 5432. (?)
Yes, or else it could (should) be a third machine outside
the hospital in front of the database server. To "properly"
do this by conventional wisdom one would set up the PG server
inside the De-Militarized Zone of the target network and
have port redirection 443 -> 5432 inside a fence host at the
border between outside and DMZ.

> For the SSL to be supported, must Apache be used, and must it perhaps be 
> added to postgres as a user?
Neither. PostgreSQL must be linked against OpenSSL at
compile time.

> By the way, does GNUmed set Postgres to use non-trust authentication  
> and, for passwords, do GNUmed/postgres authenticate using md5, crypt or 
> password (hopefully md5) :-)
We can't say this often enough: GNUmed does NOT require
Postgres to use any specific authentication method. In fact,
it doesn't care *how* it gets in. It fully defers that
decision to the PostgreSQL admin who *must choose* locally
suitable values.

The only assumption GNUmed makes of the server configuration
is that "any role in the groups "gm-logins" and "gnumed_vX"
(whatever X is at the time) can connect" and it is prepared
to supply a password if need be.

Karsten
-- 
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346
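
Since the message leaves the authentication method to the PostgreSQL admin, here is one way to audit a pg_hba.conf for the points raised in the thread (trust, password or crypt methods, and records that do not require SSL). This is an added example, not part of the original message or of GNUmed; the sample file, the database name `gnumed` and the addresses are constructed placeholders.

```python
import shlex

# Methods asked about in the thread that offer weak or no protection.
WEAK_METHODS = {
    "trust": "no authentication at all",
    "password": "password sent in clear text",
    "crypt": "legacy crypt()-based password exchange",
}

# Constructed sample pg_hba.conf; database name and addresses are placeholders.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER        ADDRESS        METHOD
local    all       postgres                   ident
host     all       all         0.0.0.0/0      trust
host     gnumed    +gm-logins  192.0.2.0/24   password
hostssl  gnumed    +gm-logins  0.0.0.0/0      md5
"""


def audit_hba(text):
    """Return (line_number, finding) tuples for risky pg_hba.conf records."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if not fields:
            continue
        conn_type = fields[0]
        # 'local' (Unix socket) records have no ADDRESS column.
        method_idx = 3 if conn_type == "local" else 4
        # An address may also be written as an IP plus a separate netmask field.
        if (conn_type != "local" and len(fields) > 5 and "=" not in fields[4]
                and ("." in fields[4] or ":" in fields[4])):
            method_idx = 5
        if len(fields) <= method_idx:
            findings.append((lineno, "malformed record"))
            continue
        method = fields[method_idx]
        if method in WEAK_METHODS:
            findings.append((lineno, f"method '{method}': {WEAK_METHODS[method]}"))
        # 'host' matches SSL and non-SSL clients alike; only 'hostssl' requires SSL.
        if conn_type in ("host", "hostnossl"):
            findings.append((lineno, f"'{conn_type}' record accepts non-SSL connections"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_hba(SAMPLE_HBA):
        print(f"line {lineno}: {finding}")
```
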