33.1. Database Connection Control Functions

The following functions deal with making a connection to a PostgreSQL backend server. An application program can have several backend connections open at one time. (One reason to do that is to access more than one database.) Each connection is represented by a PGconn object, which is obtained from the function PQconnectdb, PQconnectdbParams, or PQsetdbLogin. Note that these functions will always return a non-null object pointer, unless perhaps there is too little memory even to allocate the PGconn object. The PQstatus function should be called to check the return value for a successful connection before queries are sent via the connection object.

Warning

If untrusted users have access to a database that has not adopted a secure schema usage pattern, begin each session by removing publicly-writable schemas from search_path. One can set parameter key word options to value -csearch_path=. Alternately, one can issue PQexec(conn, "SELECT pg_catalog.set_config('search_path', '', false)") after connecting. This consideration is not specific to libpq; it applies to every interface for executing arbitrary SQL commands.

Warning

On Unix, forking a process with open libpq connections can lead to unpredictable results because the parent and child processes share the same sockets and operating system resources. For this reason, such usage is not recommended, though doing an exec from the child process to load a new executable is safe.

PQconnectdbParams

Makes a new connection to the database server.

PGconn *PQconnectdbParams(const char * const *keywords,
                          const char * const *values,
                          int expand_dbname);

This function opens a new database connection using the parameters taken from two NULL-terminated arrays. The first, keywords, is defined as an array of strings, each one being a key word. The second, values, gives the value for each key word. Unlike PQsetdbLogin below, the parameter set can be extended without changing the function signature, so use of this function (or its nonblocking analogs PQconnectStartParams and PQconnectPoll) is preferred for new application programming.

The currently recognized parameter key words are listed in Section 33.1.2.

The passed arrays can be empty to use all default parameters, or can contain one or more parameter settings. They must be matched in length. Processing will stop at the first NULL entry in the keywords array. Also, if the values entry associated with a non-NULL keywords entry is NULL or an empty string, that entry is ignored and processing continues with the next pair of array entries.

When expand_dbname is non-zero, the value for the first dbname key word is checked to see if it is a connection string. If so, it is expanded into the individual connection parameters extracted from the string. The value is considered to be a connection string, rather than just a database name, if it contains an equal sign (=) or it begins with a URI scheme designator. (More details on connection string formats appear in Section 33.1.1.) Only the first occurrence of dbname is treated in this way; any subsequent dbname parameter is processed as a plain database name.

In general the parameter arrays are processed from start to end. If any key word is repeated, the last value (that is not NULL or empty) is used. This rule applies in particular when a key word found in a connection string conflicts with one appearing in the keywords array. Thus, the programmer may determine whether array entries can override or be overridden by values taken from a connection string. Array entries appearing before an expanded dbname entry can be overridden by fields of the connection string, and in turn those fields are overridden by array entries appearing after dbname (but, again, only if those entries supply non-empty values).

After processing all the array entries and any expanded connection string, any connection parameters that remain unset are filled with default values. If an unset parameter's corresponding environment variable (see Section 33.14) is set, its value is used. If the environment variable is not set either, then the parameter's built-in default value is used.

PQconnectdb

Makes a new connection to the database server.

PGconn *PQconnectdb(const char *conninfo);

This function opens a new database connection using the parameters taken from the string conninfo.

The passed string can be empty to use all default parameters, or it can contain one or more parameter settings separated by whitespace, or it can contain a URI. See Section 33.1.1 for details.

PQsetdbLogin

Makes a new connection to the database server.

PGconn *PQsetdbLogin(const char *pghost,
                     const char *pgport,
                     const char *pgoptions,
                     const char *pgtty,
                     const char *dbName,
                     const char *login,
                     const char *pwd);

This is the predecessor of PQconnectdb with a fixed set of parameters. It has the same functionality except that the missing parameters will always take on default values. Write NULL or an empty string for any one of the fixed parameters that is to be defaulted.

If the dbName contains an = sign or has a valid connection URI prefix, it is taken as a conninfo string in exactly the same way as if it had been passed to PQconnectdb, and the remaining parameters are then applied as specified for PQconnectdbParams.

PQsetdb

Makes a new connection to the database server.

PGconn *PQsetdb(char *pghost,
                char *pgport,
                char *pgoptions,
                char *pgtty,
                char *dbName);

This is a macro that calls PQsetdbLogin with null pointers for the login and pwd parameters. It is provided for backward compatibility with very old programs.

PQconnectStartParams
PQconnectStart
PQconnectPoll

Make a connection to the database server in a nonblocking manner.

PGconn *PQconnectStartParams(const char * const *keywords,
                             const char * const *values,
                             int expand_dbname);

PGconn *PQconnectStart(const char *conninfo);

PostgresPollingStatusType PQconnectPoll(PGconn *conn);

These three functions are used to open a connection to a database server such that your application's thread of execution is not blocked on remote I/O whilst doing so. The point of this approach is that the waits for I/O to complete can occur in the application's main loop, rather than down inside PQconnectdbParams or PQconnectdb, and so the application can manage this operation in parallel with other activities.

With PQconnectStartParams, the database connection is made using the parameters taken from the keywords and values arrays, and controlled by expand_dbname, as described above for PQconnectdbParams.

With PQconnectStart, the database connection is made using the parameters taken from the string conninfo as described above for PQconnectdb.

Neither PQconnectStartParams nor PQconnectStart nor PQconnectPoll will block, so long as a number of restrictions are met:

  • The hostaddr parameter must be used appropriately to prevent DNS queries from being made. See the documentation of this parameter in Section 33.1.2 for details.

  • If you call PQtrace, ensure that the stream object into which you trace will not block.

  • You must ensure that the socket is in the appropriate state before calling PQconnectPoll, as described below.

To begin a nonblocking connection request, call PQconnectStart or PQconnectStartParams. If the result is null, then libpq has been unable to allocate a new PGconn structure. Otherwise, a valid PGconn pointer is returned (though not yet representing a valid connection to the database). Next call PQstatus(conn). If the result is CONNECTION_BAD, the connection attempt has already failed, typically because of invalid connection parameters.

If PQconnectStart or PQconnectStartParams succeeds, the next stage is to poll libpq so that it can proceed with the connection sequence. Use PQsocket(conn) to obtain the descriptor of the socket underlying the database connection. (Caution: do not assume that the socket remains the same across PQconnectPoll calls.) Loop thus: If PQconnectPoll(conn) last returned PGRES_POLLING_READING, wait until the socket is ready to read (as indicated by select(), poll(), or similar system function). Then call PQconnectPoll(conn) again. Conversely, if PQconnectPoll(conn) last returned PGRES_POLLING_WRITING, wait until the socket is ready to write, then call PQconnectPoll(conn) again. On the first iteration, i.e., if you have yet to call PQconnectPoll, behave as if it last returned PGRES_POLLING_WRITING. Continue this loop until PQconnectPoll(conn) returns PGRES_POLLING_FAILED, indicating the connection procedure has failed, or PGRES_POLLING_OK, indicating the connection has been successfully made.

At any time during connection, the status of the connection can be checked by calling PQstatus. If this call returns CONNECTION_BAD, then the connection procedure has failed; if the call returns CONNECTION_OK, then the connection is ready. Both of these states are equally detectable from the return value of PQconnectPoll, described above. Other states might also occur during (and only during) an asynchronous connection procedure. These indicate the current stage of the connection procedure and might be useful to provide feedback to the user for example. These statuses are:

CONNECTION_STARTED

Waiting for connection to be made.

CONNECTION_MADE

Connection OK; waiting to send.

CONNECTION_AWAITING_RESPONSE

Waiting for a response from the server.

CONNECTION_AUTH_OK

Received authentication; waiting for backend start-up to finish.

CONNECTION_SSL_STARTUP

Negotiating SSL encryption.

CONNECTION_SETENV

Negotiating environment-driven parameter settings.

CONNECTION_CHECK_WRITABLE

Checking if connection is able to handle write transactions.

CONNECTION_CONSUME

Consuming any remaining response messages on connection.

Note that, although these constants will remain (in order to maintain compatibility), an application should never rely upon these occurring in a particular order, or at all, or on the status always being one of these documented values. An application might do something like this:

switch(PQstatus(conn))
{
        case CONNECTION_STARTED:
            feedback = "Connecting...";
            break;

        case CONNECTION_MADE:
            feedback = "Connected to server...";
            break;
...
        default:
            feedback = "Connecting...";
}

The connect_timeout connection parameter is ignored when using PQconnectPoll; it is the application's responsibility to decide whether an excessive amount of time has elapsed. Otherwise, PQconnectStart followed by a PQconnectPoll loop is equivalent to PQconnectdb.

Note that when PQconnectStart or PQconnectStartParams returns a non-null pointer, you must call PQfinish when you are finished with it, in order to dispose of the structure and any associated memory blocks. This must be done even if the connection attempt fails or is abandoned.

PQconndefaults

Returns the default connection options.

PQconninfoOption *PQconndefaults(void);

typedef struct
{
    char   *keyword;   /* The keyword of the option */
    char   *envvar;    /* Fallback environment variable name */
    char   *compiled;  /* Fallback compiled in default value */
    char   *val;       /* Option's current value, or NULL */
    char   *label;     /* Label for field in connect dialog */
    char   *dispchar;  /* Indicates how to display this field
                          in a connect dialog. Values are:
                          ""        Display entered value as is
                          "*"       Password field - hide value
                          "D"       Debug option - don't show by default */
    int     dispsize;  /* Field size in characters for dialog */
} PQconninfoOption;

Returns a connection options array. This can be used to determine all possible PQconnectdb options and their current default values. The return value points to an array of PQconninfoOption structures, which ends with an entry having a null keyword pointer. The null pointer is returned if memory could not be allocated. Note that the current default values (val fields) will depend on environment variables and other context. A missing or invalid service file will be silently ignored. Callers must treat the connection options data as read-only.

After processing the options array, free it by passing it to PQconninfoFree. If this is not done, a small amount of memory is leaked for each call to PQconndefaults.

PQconninfo

Returns the connection options used by a live connection.

PQconninfoOption *PQconninfo(PGconn *conn);

Returns a connection options array. This can be used to determine all possible PQconnectdb options and the values that were used to connect to the server. The return value points to an array of PQconninfoOption structures, which ends with an entry having a null keyword pointer. All notes above for PQconndefaults also apply to the result of PQconninfo.

PQconninfoParse

Returns parsed connection options from the provided connection string.

PQconninfoOption *PQconninfoParse(const char *conninfo, char **errmsg);

Parses a connection string and returns the resulting options as an array; or returns NULL if there is a problem with the connection string. This function can be used to extract the PQconnectdb options in the provided connection string. The return value points to an array of PQconninfoOption structures, which ends with an entry having a null keyword pointer.

All legal options will be present in the result array, but the PQconninfoOption for any option not present in the connection string will have val set to NULL; default values are not inserted.

If errmsg is not NULL, then *errmsg is set to NULL on success, else to a malloc'd error string explaining the problem. (It is also possible for *errmsg to be set to NULL and the function to return NULL; this indicates an out-of-memory condition.)

After processing the options array, free it by passing it to PQconninfoFree. If this is not done, some memory is leaked for each call to PQconninfoParse. Conversely, if an error occurs and errmsg is not NULL, be sure to free the error string using PQfreemem.

PQfinish

Closes the connection to the server. Also frees memory used by the PGconn object.

void PQfinish(PGconn *conn);

Note that even if the server connection attempt fails (as indicated by PQstatus), the application should call PQfinish to free the memory used by the PGconn object. The PGconn pointer must not be used again after PQfinish has been called.

PQreset

Resets the communication channel to the server.

void PQreset(PGconn *conn);

This function will close the connection to the server and attempt to establish a new connection, using all the same parameters previously used. This might be useful for error recovery if a working connection is lost.

PQresetStart
PQresetPoll

Reset the communication channel to the server, in a nonblocking manner.

int PQresetStart(PGconn *conn);

PostgresPollingStatusType PQresetPoll(PGconn *conn);

These functions will close the connection to the server and attempt to establish a new connection, using all the same parameters previously used. This can be useful for error recovery if a working connection is lost. They differ from PQreset (above) in that they act in a nonblocking manner. These functions suffer from the same restrictions as PQconnectStartParams, PQconnectStart and PQconnectPoll.

To initiate a connection reset, call PQresetStart. If it returns 0, the reset has failed. If it returns 1, poll the reset using PQresetPoll in exactly the same way as you would create the connection using PQconnectPoll.

PQpingParams

PQpingParams reports the status of the server. It accepts connection parameters identical to those of PQconnectdbParams, described above. It is not necessary to supply correct user name, password, or database name values to obtain the server status; however, if incorrect values are provided, the server will log a failed connection attempt.

PGPing PQpingParams(const char * const *keywords,
                    const char * const *values,
                    int expand_dbname);

The function returns one of the following values:

PQPING_OK

The server is running and appears to be accepting connections.

PQPING_REJECT

The server is running but is in a state that disallows connections (startup, shutdown, or crash recovery).

PQPING_NO_RESPONSE

The server could not be contacted. This might indicate that the server is not running, or that there is something wrong with the given connection parameters (for example, wrong port number), or that there is a network connectivity problem (for example, a firewall blocking the connection request).

PQPING_NO_ATTEMPT

No attempt was made to contact the server, because the supplied parameters were obviously incorrect or there was some client-side problem (for example, out of memory).

PQping

PQping reports the status of the server. It accepts connection parameters identical to those of PQconnectdb, described above. It is not necessary to supply correct user name, password, or database name values to obtain the server status; however, if incorrect values are provided, the server will log a failed connection attempt.

PGPing PQping(const char *conninfo);

The return values are the same as for PQpingParams.

33.1.1. Connection Strings

Several libpq functions parse a user-specified string to obtain connection parameters. There are two accepted formats for these strings: plain keyword/value strings and URIs. URIs generally follow RFC 3986, except that multi-host connection strings are allowed as further described below.

33.1.1.1. Keyword/Value Connection Strings

In the keyword/value format, each parameter setting is in the form keyword=value, with space(s) between settings. Spaces around a setting's equal sign are optional. To write an empty value, or a value containing spaces, surround it with single quotes, for example keyword = 'a value'. Single quotes and backslashes within a value must be escaped with a backslash, i.e., \' and \\.

Example:

host=localhost port=5432 dbname=mydb connect_timeout=10

The recognized parameter key words are listed in Section 33.1.2.
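The quoting rule above matters whenever a value placed in a keyword/value string comes from outside the program, and the dbname expansion rule described for PQconnectdbParams matters in the same way. The C code below is an added example, not taken from the PostgreSQL documentation or the libpq source: it quotes a value for the keyword/value format, applies the page's test for when a dbname is treated as a connection string, and uses a small stand-in parser to compare the unquoted and quoted results. The function names (conninfo_quote, dbname_is_conninfo, conninfo_get, build_conninfo) are hypothetical and the input string is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libpq code; every function name here is hypothetical.
 * Quote val for the keyword/value format: wrap it in single quotes and
 * backslash-escape ' and \. Returns 0, or -1 if out is too small. */
int conninfo_quote(const char *val, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz < 3) return -1;
    out[n++] = '\'';
    for (; *val; val++) {
        if (n + 4 > outsz) return -1;   /* room for escape, char, quote, NUL */
        if (*val == '\'' || *val == '\\') out[n++] = '\\';
        out[n++] = *val;
    }
    out[n++] = '\'';
    out[n] = '\0';
    return 0;
}

/* Page rule: a dbname is treated as a connection string if it contains '='
 * or begins with a URI scheme designator. */
int dbname_is_conninfo(const char *dbname)
{
    return strncmp(dbname, "postgresql://", 13) == 0 ||
           strncmp(dbname, "postgres://", 11) == 0 ||
           strchr(dbname, '=') != NULL;
}

/* Stand-in parser modelling the syntax described above (not libpq's own).
 * Copies the value of key into out; returns 1 if found, 0 if absent, -1 on a
 * syntax error. Assumption: a repeated key word takes its last value. */
int conninfo_get(const char *s, const char *key, char *out, size_t outsz)
{
    int found = 0;
    while (*s) {
        char kw[64], val[256];
        size_t k = 0, v = 0;
        int quoted;
        while (isspace((unsigned char) *s)) s++;
        if (*s == '\0') break;
        while (*s && *s != '=' && !isspace((unsigned char) *s)) {
            if (k + 1 >= sizeof kw) return -1;
            kw[k++] = *s++;
        }
        kw[k] = '\0';
        while (isspace((unsigned char) *s)) s++;
        if (*s++ != '=') return -1;           /* every setting needs '=' */
        while (isspace((unsigned char) *s)) s++;
        quoted = (*s == '\'');
        if (quoted) s++;
        for (;;) {
            if (*s == '\0' && quoted) return -1;   /* unterminated quote */
            if (*s == '\0') break;
            if (quoted ? *s == '\'' : isspace((unsigned char) *s)) {
                s++;
                break;
            }
            if (*s == '\\' && *++s == '\0') continue;  /* \ escapes next char */
            if (v + 1 >= sizeof val) return -1;
            val[v++] = *s++;
        }
        val[v] = '\0';
        if (strcmp(kw, key) == 0) {
            if (v + 1 > outsz) return -1;
            memcpy(out, val, v + 1);
            found = 1;
        }
    }
    return found;
}

/* Build "sslmode=verify-full dbname=<dbname>", quoting dbname if quote != 0.
 * Returns 0, or -1 if a buffer is too small. */
int build_conninfo(const char *dbname, int quote, char *out, size_t outsz)
{
    char q[256];
    int n;
    if (quote && conninfo_quote(dbname, q, sizeof q) != 0)
        return -1;
    n = snprintf(out, outsz, "sslmode=verify-full dbname=%s", quote ? q : dbname);
    return (n < 0 || (size_t) n >= outsz) ? -1 : 0;
}

int main(void)
{
    const char *input = "app sslmode=disable";    /* constructed sample value */
    char ci[256], v[256];
    for (int quote = 0; quote <= 1; quote++)
        if (build_conninfo(input, quote, ci, sizeof ci) == 0 &&
            conninfo_get(ci, "sslmode", v, sizeof v) == 1)
            printf("%s\n  -> effective sslmode=%s\n", ci, v);
    printf("expanded if passed as dbname: %d\n", dbname_is_conninfo(input));
    return 0;
}
```

Passing each setting through the keywords and values arrays of PQconnectdbParams with expand_dbname set to zero avoids building a string at all; the quoting helper is for code that must produce a conninfo string.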

33.1.1.2. Connection URIs

The general form for a connection URI is:

postgresql://[userspec@][hostspec][/dbname][?paramspec]

where userspec is:

user[:password]

and hostspec is:

[host][:port][,...]

and paramspec is:

name=value[&...]

The URI scheme designator can be either postgresql:// or postgres://. Each of the remaining URI parts is optional. The following examples illustrate valid URI syntax:

postgresql://
postgresql://localhost
postgresql://localhost:5433
postgresql://localhost/mydb
postgresql://user@localhost
postgresql://user:secret@localhost
postgresql://other@localhost/otherdb?connect_timeout=10&application_name=myapp
postgresql://host1:123,host2:456/somedb?target_session_attrs=any&application_name=myapp

Values that would normally appear in the hierarchical part of the URI can alternatively be given as named parameters. For example:

postgresql:///mydb?host=localhost&port=5433

All named parameters must match key words listed in Section 33.1.2, except that for compatibility with JDBC connection URIs, instances of ssl=true are translated into sslmode=require.

Percent-encoding may be used to include symbols with special meaning in any of the URI parts, e.g., replace = with %3D.

The host part may be either a host name or an IP address. To specify an IPv6 address, enclose it in square brackets:

postgresql://[2001:db8::1234]/database

The host part is interpreted as described for the parameter host. In particular, a Unix-domain socket connection is chosen if the host part is either empty or looks like an absolute path name, otherwise a TCP/IP connection is initiated. Note, however, that the slash is a reserved character in the hierarchical part of the URI. So, to specify a non-standard Unix-domain socket directory, either omit the host part of the URI and specify the host as a named parameter, or percent-encode the path in the host part of the URI:

postgresql:///dbname?host=/var/lib/postgresql
postgresql://%2Fvar%2Flib%2Fpostgresql/dbname

It is possible to specify multiple host components, each with an optional port component, in a single URI. A URI of the form postgresql://host1:port1,host2:port2,host3:port3/ is equivalent to a connection string of the form host=host1,host2,host3 port=port1,port2,port3. As further described below, each host will be tried in turn until a connection is successfully established.

33.1.1.3. Specifying Multiple Hosts

It is possible to specify multiple hosts to connect to, so that they are tried in the given order. In the Keyword/Value format, the host, hostaddr, and port options accept comma-separated lists of values. The same number of elements must be given in each option that is specified, such that e.g., the first hostaddr corresponds to the first host name, the second hostaddr corresponds to the second host name, and so forth. As an exception, if only one port is specified, it applies to all the hosts.

In the connection URI format, you can list multiple host:port pairs separated by commas in the host component of the URI.

In either format, a single host name can translate to multiple network addresses. A common example of this is a host that has both an IPv4 and an IPv6 address.

When multiple hosts are specified, or when a single host name is translated to multiple addresses, all the hosts and addresses will be tried in order, until one succeeds. If none of the hosts can be reached, the connection fails. If a connection is established successfully, but authentication fails, the remaining hosts in the list are not tried.

If a password file is used, you can have different passwords for different hosts. All the other connection options are the same for every host in the list; it is not possible to e.g., specify different usernames for different hosts.

33.1.2. Parameter Key Words

The currently recognized parameter key words are:

host

Name of host to connect to. If a host name begins with a slash, it specifies Unix-domain communication rather than TCP/IP communication; the value is the name of the directory in which the socket file is stored. The default behavior when host is not specified, or is empty, is to connect to a Unix-domain socket in /tmp (or whatever socket directory was specified when PostgreSQL was built). On machines without Unix-domain sockets, the default is to connect to localhost.

A comma-separated list of host names is also accepted, in which case each host name in the list is tried in order; an empty item in the list selects the default behavior as explained above. See Section 33.1.1.3 for details.

hostaddr

Numeric IP address of host to connect to. This should be in the standard IPv4 address format, e.g., 172.28.40.9. If your machine supports IPv6, you can also use those addresses. TCP/IP communication is always used when a nonempty string is specified for this parameter.

Using hostaddr instead of host allows the application to avoid a host name look-up, which might be important in applications with time constraints. However, a host name is required for GSSAPI or SSPI authentication methods, as well as for verify-full SSL certificate verification. The following rules are used:

  • If host is specified without hostaddr, a host name lookup occurs. (When using PQconnectPoll, the lookup occurs when PQconnectPoll first considers this host name, and it may cause PQconnectPoll to block for a significant amount of time.)

  • If hostaddr is specified without host, the value for hostaddr gives the server network address. The connection attempt will fail if the authentication method requires a host name.

  • If both host and hostaddr are specified, the value for hostaddr gives the server network address. The value for host is ignored unless the authentication method requires it, in which case it will be used as the host name.

Note that authentication is likely to fail if host is not the name of the server at network address hostaddr. Also, when both host and hostaddr are specified, host is used to identify the connection in a password file (see Section 33.15).

A comma-separated list of hostaddr values is also accepted, in which case each host in the list is tried in order. An empty item in the list causes the corresponding host name to be used, or the default host name if that is empty as well. See Section 33.1.1.3 for details.

Without either a host name or host address, libpq will connect using a local Unix-domain socket; or on machines without Unix-domain sockets, it will attempt to connect to localhost.

port

Port number to connect to at the server host, or socket file name extension for Unix-domain connections. If multiple hosts were given in the host or hostaddr parameters, this parameter may specify a comma-separated list of ports of the same length as the host list, or it may specify a single port number to be used for all hosts. An empty string, or an empty item in a comma-separated list, specifies the default port number established when PostgreSQL was built.

dbname

The database name. Defaults to be the same as the user name. In certain contexts, the value is checked for extended formats; see Section 33.1.1 for more details on those.

user

PostgreSQL user name to connect as. Defaults to be the same as the operating system name of the user running the application.

password

Password to be used if the server demands password authentication.

passfile

Specifies the name of the file used to store passwords (see Section 33.15). Defaults to ~/.pgpass, or %APPDATA%\postgresql\pgpass.conf on Microsoft Windows. (No error is reported if this file does not exist.)

connect_timeout

Maximum wait for connection, in seconds (write as a decimal integer, e.g., 10). Zero, negative, or not specified means wait indefinitely. The minimum allowed timeout is 2 seconds, therefore a value of 1 is interpreted as 2. This timeout applies separately to each host name or IP address. For example, if you specify two hosts and connect_timeout is 5, each host will time out if no connection is made within 5 seconds, so the total time spent waiting for a connection might be up to 10 seconds.

client_encoding

This sets the client_encoding configuration parameter for this connection. In addition to the values accepted by the corresponding server option, you can use auto to determine the right encoding from the current locale in the client (LC_CTYPE environment variable on Unix systems).

options

Specifies command-line options to send to the server at connection start. For example, setting this to -c geqo=off sets the session's value of the geqo parameter to off. Spaces within this string are considered to separate command-line arguments, unless escaped with a backslash (\); write \\ to represent a literal backslash. For a detailed discussion of the available options, consult Chapter 19.

application_name

Specifies a value for the application_name configuration parameter.

fallback_application_name

Specifies a fallback value for the application_name configuration parameter. This value will be used if no value has been given for application_name via a connection parameter or the PGAPPNAME environment variable. Specifying a fallback name is useful in generic utility programs that wish to set a default application name but allow it to be overridden by the user.

keepalives

Controls whether client-side TCP keepalives are used. The default value is 1, meaning on, but you can change this to 0, meaning off, if keepalives are not wanted. This parameter is ignored for connections made via a Unix-domain socket.

keepalives_idle

Controls the number of seconds of inactivity after which TCP should send a keepalive message to the server. A value of zero uses the system default. This parameter is ignored for connections made via a Unix-domain socket, or if keepalives are disabled. It is only supported on systems where TCP_KEEPIDLE or an equivalent socket option is available, and on Windows; on other systems, it has no effect.

keepalives_interval

Controls the number of seconds after which a TCP keepalive message that is not acknowledged by the server should be retransmitted. A value of zero uses the system default. This parameter is ignored for connections made via a Unix-domain socket, or if keepalives are disabled. It is only supported on systems where TCP_KEEPINTVL or an equivalent socket option is available, and on Windows; on other systems, it has no effect.

keepalives_count

Controls the number of TCP keepalives that can be lost before the client's connection to the server is considered dead. A value of zero uses the system default. This parameter is ignored for connections made via a Unix-domain socket, or if keepalives are disabled. It is only supported on systems where TCP_KEEPCNT or an equivalent socket option is available; on other systems, it has no effect.

tcp_user_timeout

Controls the number of milliseconds that transmitted data may remain unacknowledged before a connection is forcibly closed. A value of zero uses the system default. This parameter is ignored for connections made via a Unix-domain socket. It is only supported on systems where TCP_USER_TIMEOUT is available; on other systems, it has no effect.

tty

Ignored (formerly, this specified where to send server debug output).

replication

This option determines whether the connection should use the replication protocol instead of the normal protocol. This is what PostgreSQL replication connections as well as tools such as pg_basebackup use internally, but it can also be used by third-party applications. For a description of the replication protocol, consult Section 52.4.

The following values, which are case-insensitive, are supported:

true, on, yes, 1

The connection goes into physical replication mode.

database

The connection goes into logical replication mode, connecting to the database specified in the dbname parameter.

false, off, no, 0

The connection is a regular one, which is the default behavior.

In physical or logical replication mode, only the simple query protocol can be used.

gssencmode

This option determines whether or with what priority a secure GSS TCP/IP connection will be negotiated with the server. There are three modes:

gssencmode is ignored for Unix domain socket communication. If PostgreSQL is compiled without GSSAPI support, using the require option will cause an error, while prefer will be accepted but libpq will not actually attempt a GSSAPI-encrypted connection.

sslmode

This option determines whether or with what priority a secure SSL TCP/IP connection will be negotiated with the server. There are six modes:

See Section 33.18 for a detailed description of how these options work.

sslmode is ignored for Unix domain socket communication. If PostgreSQL is compiled without SSL support, using options require, verify-ca, or verify-full will cause an error, while options allow and prefer will be accepted but libpq will not actually attempt an SSL connection.

Note that if GSSAPI encryption is possible, that will be used in preference to SSL encryption, regardless of the value of sslmode. To force use of SSL encryption in an environment that has working GSSAPI infrastructure (such as a Kerberos server), also set gssencmode to disable.

requiressl

This option is deprecated in favor of the sslmode setting.

If set to 1, an SSL connection to the server is required (this is equivalent to sslmode require). libpq will then refuse to connect if the server does not accept an SSL connection. If set to 0 (default), libpq will negotiate the connection type with the server (equivalent to sslmode prefer). This option is only available if PostgreSQL is compiled with SSL support.

sslcompression

If set to 1, data sent over SSL connections will be compressed. If set to 0, compression will be disabled. The default is 0. This parameter is ignored if a connection without SSL is made.

SSL compression is nowadays considered insecure and its use is no longer recommended. OpenSSL 1.1.0 disables compression by default, and many operating system distributions disable it in prior versions as well, so setting this parameter to on will not have any effect if the server does not accept compression. On the other hand, OpenSSL before 1.0.0 does not support disabling compression, so this parameter is ignored with those versions, and whether compression is used depends on the server.

If security is not a primary concern, compression can improve throughput if the network is the bottleneck. Disabling compression can improve response time and throughput if CPU performance is the limiting factor.

sslcert

This parameter specifies the file name of the client SSL certificate, replacing the default ~/.postgresql/postgresql.crt. This parameter is ignored if an SSL connection is not made.

sslkey

This parameter specifies the location for the secret key used for the client certificate. It can either specify a file name that will be used instead of the default ~/.postgresql/postgresql.key, or it can specify a key obtained from an external engine (engines are OpenSSL loadable modules). An external engine specification should consist of a colon-separated engine name and an engine-specific key identifier. This parameter is ignored if an SSL connection is not made.

sslrootcert

This parameter specifies the name of a file containing SSL certificate authority (CA) certificate(s). If the file exists, the server's certificate will be verified to be signed by one of these authorities. The default is ~/.postgresql/root.crt.

sslcrl

This parameter specifies the file name of the SSL server certificate revocation list (CRL). Certificates listed in this file, if it exists, will be rejected while attempting to authenticate the server's certificate. The default is ~/.postgresql/root.crl.

requirepeer

This parameter specifies the operating-system user name of the server, for example requirepeer=postgres. When making a Unix-domain socket connection, if this parameter is set, the client checks at the beginning of the connection that the server process is running under the specified user name; if it is not, the connection is aborted with an error. This parameter can be used to provide server authentication similar to that available with SSL certificates on TCP/IP connections. (Note that if the Unix-domain socket is in /tmp or another publicly writable location, any user could start a server listening there. Use this parameter to ensure that you are connected to a server run by a trusted user.) This option is only supported on platforms for which the peer authentication method is implemented; see Section 20.9.
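The encryption and server-authentication caveats described for gssencmode, sslmode, requiressl, sslcompression and requirepeer can be checked before the keyword/value arrays are handed to PQconnectdbParams. The following is an added example, not part of the PostgreSQL documentation or of libpq: the function audit_conn_params and the F_* flag names are hypothetical, and it inspects only the arrays (environment variables and service files are not considered). It treats a host value beginning with a slash as a Unix-domain socket directory.

```c
#include <stddef.h>
#include <string.h>

/* Finding bits; the names are hypothetical, chosen for this example. */
enum {
    F_SSL_COMPRESSION = 1 << 0, /* sslcompression=1: considered insecure */
    F_REQUIRESSL      = 1 << 1, /* requiressl: deprecated, use sslmode */
    F_GSS_PREEMPTS    = 1 << 2, /* SSL demanded but gssencmode != disable */
    F_NO_REQUIREPEER  = 1 << 3  /* Unix socket without requirepeer */
};

/* Last non-empty value for a key word in the NULL-terminated arrays. */
static const char *param(const char *const *kw, const char *const *val,
                         const char *name)
{
    const char *found = NULL;
    for (size_t i = 0; kw[i] != NULL; i++)
        if (strcmp(kw[i], name) == 0 && val[i] != NULL && val[i][0] != '\0')
            found = val[i];
    return found;
}

static int is(const char *v, const char *want)
{
    return v != NULL && strcmp(v, want) == 0;
}

/* Returns a bitmask of findings; 0 means none of the four checks fired. */
int audit_conn_params(const char *const *kw, const char *const *val)
{
    const char *sslmode = param(kw, val, "sslmode");
    const char *host = param(kw, val, "host");
    int f = 0;

    if (is(param(kw, val, "sslcompression"), "1"))
        f |= F_SSL_COMPRESSION;
    if (param(kw, val, "requiressl") != NULL)
        f |= F_REQUIRESSL;
    /* GSSAPI encryption is used in preference to SSL whatever sslmode says. */
    if ((is(sslmode, "require") || is(sslmode, "verify-ca") ||
         is(sslmode, "verify-full")) &&
        !is(param(kw, val, "gssencmode"), "disable"))
        f |= F_GSS_PREEMPTS;
    /* Unix-domain socket: without requirepeer the server user is unchecked. */
    if (host != NULL && host[0] == '/' && param(kw, val, "requirepeer") == NULL)
        f |= F_NO_REQUIREPEER;
    return f;
}
```

A result of 0 means only that these four checks passed; the arrays can then be passed unchanged to PQconnectdbParams.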

krbsrvname

Kerberos service name to use when authenticating with GSSAPI. This must match the service name specified in the server configuration for Kerberos authentication to succeed. (See also Section 20.6.) The default value is normally postgres, but that can be changed when building PostgreSQL via the --with-krb-srvnam option of configure. In most environments, this parameter never needs to be changed. Some Kerberos implementations might require a different service name, such as Microsoft Active Directory which requires the service name to be in upper case (POSTGRES).

gsslib

GSS library to use for GSSAPI authentication. Currently this is disregarded except on Windows builds that include both GSSAPI and SSPI support. In that case, set this to gssapi to cause libpq to use the GSSAPI library for authentication instead of the default SSPI.

service

Service name to use for additional parameters. It specifies a service name in pg_service.conf that holds additional connection parameters. This allows applications to specify only a service name so connection parameters can be centrally maintained. See Section 33.16.

target_session_attrs

If this parameter is set to read-write, only a connection in which read-write transactions are accepted by default is considered acceptable. The query SHOW transaction_read_only will be sent upon any successful connection; if it returns on, the connection will be closed. If multiple hosts were specified in the connection string, any remaining servers will be tried just as if the connection attempt had failed. The default value of this parameter, any, regards all connections as acceptable.

