Prerequisites & Setup
Install PostgreSQL, set up essential tools (psql, pgAdmin, DBeaver), and configure pg_hba.conf authentication.
Before diving into PostgreSQL, you need a working installation and a set of tools. This guide covers installation on all major platforms, essential client tools, and the critical pg_hba.conf authentication file.
Installation
macOS
# Using Homebrew (recommended)
brew install postgresql@16
brew services start postgresql@16
# Verify installation
psql --version
Ubuntu / Debian
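# Add the PostgreSQL APT repository (PGDG)
sudo apt-get install -y postgresql-common
sudo /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh
# Install PostgreSQL 16
sudo apt-get update
sudo apt-get install postgresql-16
# Start the service and enable it at boot
sudo systemctl start postgresql
sudo systemctl enable postgresql
Docker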
# Local development only: publish the port on loopback and replace the sample password
docker run --name pg-local \
  -e POSTGRES_PASSWORD=secret \
  -p 127.0.0.1:5432:5432 \
  -d postgres:16-alpine
Essential Tools
psql (CLI)
The official command-line client. It comes bundled with PostgreSQL and is the most powerful tool for administration and debugging.
# Connect to a local database
psql -U postgres -d mydb
# Common psql commands
\l          -- List databases
\dt         -- List tables
\d+ table   -- Describe table with details
\timing     -- Toggle query timing
\x          -- Toggle expanded display
pgAdmin 4
A web-based GUI for PostgreSQL. Best for visual query building, monitoring dashboards, and managing multiple servers. Available on all platforms.
DBeaver
A universal database tool that supports PostgreSQL along with 80+ other databases. Excellent for developers who work with multiple database types. The Community Edition is free and open-source.
pg_hba.conf Configuration
The pg_hba.conf (Host-Based Authentication) file controls who can connect and how they authenticate. It is the first file you should understand after installation.
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   peer
host    all       all       127.0.0.1/32     scram-sha-256
host    all       all       ::1/128          scram-sha-256
host    all       all       192.168.1.0/24   scram-sha-256
Never use trust for remote connections in production. It allows passwordless access from the specified address range.
| Pitfall | Symptom | Fix |
|---|---|---|
| Using trust for remote | Anyone on the network can connect without a password | Use scram-sha-256 or md5 for all non-local connections |
| Forgetting to reload | pg_hba.conf changes have no effect | Run: SELECT pg_reload_conf(); or restart PostgreSQL |
| Wrong line order | Earlier rule matches first, overriding intended rule | Put more specific rules before general ones |
| Missing localhost entry | Applications on the same machine cannot connect | Add host entry for 127.0.0.1/32 and ::1/128 |
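The pitfalls in the table can be checked before a reload. The following is an added example, not part of the original guide or of PostgreSQL: a small static audit of pg_hba.conf text that flags trust on non-loopback ranges, match-anything address ranges, rules shadowed by an earlier broader rule, and missing loopback entries. The names `parse` and `audit` and the sample file are constructed for illustration, and it assumes CIDR-style addresses and single database/user names (no separate netmask column, host names, or comma lists).

```python
import ipaddress

# Constructed sample file for this example (not taken from a real system).
SAMPLE = """\
# TYPE  DATABASE  USER      ADDRESS           METHOD
local   all       postgres                    peer
host    all       all       192.168.1.0/24    trust
host    appdb     app       192.168.1.10/32   scram-sha-256
host    all       all       0.0.0.0/0         scram-sha-256
host    all       all       127.0.0.1/32      scram-sha-256
"""

def parse(text):
    """Return TCP rules as (line_no, type, db, user, network, method) tuples."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) < 5 or not f[0].startswith("host"):
            continue  # blank lines, comments and local (socket) rules
        try:
            net = ipaddress.ip_network(f[3], strict=False)
        except ValueError:
            continue  # host names and keywords such as samenet: not covered
        rules.append((no, f[0], f[1], f[2], net, f[4]))
    return rules

def audit(text):
    """Return (line_no, finding) pairs; line 0 means a file-level finding."""
    findings, seen = [], []
    for no, typ, db, user, net, method in parse(text):
        if method == "trust" and not net.is_loopback:
            findings.append((no, "trust-remote"))
        if net.prefixlen == 0:
            findings.append((no, "any-address"))
        # First match wins: an earlier, broader rule with a different method
        # decides authentication before this line is ever reached.
        for p_no, p_typ, p_db, p_user, p_net, p_method in seen:
            if (p_typ in ("host", typ) and p_db in ("all", db)
                    and p_user in ("all", user) and p_method != method
                    and p_net.version == net.version and net.subnet_of(p_net)):
                findings.append((no, f"shadowed-by-line-{p_no}"))
                break
        seen.append((no, typ, db, user, net, method))
    for lo in ("127.0.0.1", "::1"):
        if not any(ipaddress.ip_address(lo) in r[4] for r in seen):
            findings.append((0, f"no-rule-for-{lo}"))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE):
        print(line_no, finding)
```

In the sample, the scram-sha-256 rule for appdb on line 4 is never reached because the trust rule on line 3 already matches that client, which is the "wrong line order" pitfall in practice.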
Real-World Stories
Uber - pg_hba.conf Misconfiguration Exposes Internal Rider Data
In 2014, a security researcher discovered that Uber's PostgreSQL instance had overly permissive pg_hba.conf rules, allowing access from a broader IP range than intended. Combined with leaked credentials from a separate breach, attackers accessed a database containing 50,000 driver records. The root cause was a pg_hba.conf entry using 0.0.0.0/0 with md5 auth instead of restricting to specific VPC CIDR ranges.
GitLab - Docker PostgreSQL Setup Saves Migration
When GitLab migrated from MySQL to PostgreSQL in 2012, their Docker-based setup allowed the team to spin up dozens of test PostgreSQL instances to validate data migration scripts. Each developer could run a full PostgreSQL instance locally in seconds. The containerized approach caught 47 migration bugs before they hit production, and the team completed the full migration with zero data loss.