Unable to connect to MySQL database on same server
Hello Experts!
I need one of your mysql gurus to help me figure out a problem with connecting to a mysql database on the same server as a website I have.
I have two websites, each with its own database and each with its own IP address, both on the same server. I am unable to connect from one site using the IP address of the other. I have checked that database's my.cnf and I have both bind-address set up for the ip address of the site I am trying to connect from and have commented out skip-networking.
Although they are on the same server, because they are on different IP's, don't the rules for connecting to a remote database apply?
Thanks in advance.
I need one of your mysql gurus to help me figure out a problem with connecting to a mysql database on the same server as a website I have.
I have two websites, each with its own database and each with its own IP address, both on the same server. I am unable to connect from one site using the IP address of the other. I have checked that database's my.cnf and I have both bind-address set up for the ip address of the site I am trying to connect from and have commented out skip-networking.
Although they are on the same server, because they are on different IP's, don't the rules for connecting to a remote database apply?
Thanks in advance.
Seth Simmons
are you using iptables? did you make any configuration changes there?
The other thing apart from iptables is: do the db-users you establish the connection with have the 'any' host right or are they bound to make connections from a specific ip? Check user permissions in mysql.
But if everything is on the same server, say httpd and mysqld, why not just use the loopback interface (127.0.0.1) to connect to your database server? Set my.cnf to bind on 127.0.0.1 only. Administrative connections can still be made through a SSH tunnel.
The loopback is never firewalled, and it is much more secure since you cannot access it from an outside facing port but need localhost access.
But if everything is on the same server, say httpd and mysqld, why not just use the loopback interface (127.0.0.1) to connect to your database server? Set my.cnf to bind on 127.0.0.1 only. Administrative connections can still be made through a SSH tunnel.
The loopback is never firewalled, and it is much more secure since you cannot access it from an outside facing port but need localhost access.
ASKER
Hello seth2740, thanks for the quick reply. To answer your question, no, I have made no changes to the iptables configuration.
Quick question, why would anyone add an ip address that is found on their server to the iptables listing?
Quick question, why would anyone add an ip address that is found on their server to the iptables listing?
ASKER
Hello helge000, and thank you for a very informative reply. I did try your suggestion to connect via localhost, and with the suggested change to my.cnf and to the mysql_connect function the database was able to connect successfully.
However, I am working on a temporary situation here with both sites on the same server. I will be moving one of the sites over to a dedicated server and will need to know how to properly connect with the database. What is it that I could be overlooking here?
However, I am working on a temporary situation here with both sites on the same server. I will be moving one of the sites over to a dedicated server and will need to know how to properly connect with the database. What is it that I could be overlooking here?
You can call me paranoid, I do never use open mysql ports on WAN network interfaces. Even if you move your server off site, you can still connect using SSH tunneled connections up to a reasonable amount of connects this will be fast enough as well.
But your problem remains, off course: Since I think you checked the DB-User/database permissions the only thing remains is firewall. Verify iptables accepts connections on both IP's, if they are virtual, you can just accept all connections for port 3306/tcp for eth0.
Best would be you just dump the (blackened) output of these commands here:
But your problem remains, off course: Since I think you checked the DB-User/database permissions the only thing remains is firewall. Verify iptables accepts connections on both IP's, if they are virtual, you can just accept all connections for port 3306/tcp for eth0.
Best would be you just dump the (blackened) output of these commands here:
iptables --list
netstat -lASKER
helge000: Intriguing, are you saying that we can connect using SSH tunneled connections even if we are on two separate and distinct servers? How would we do that?
I went ahead and ran the commands you asked me to run through SSH, however I have to confess that I do not know what I am looking at here. I did not see any mention of the ip addresses for either server.
I went ahead and ran the commands you asked me to run through SSH, however I have to confess that I do not know what I am looking at here. I did not see any mention of the ip addresses for either server.
Hehe, SSH is just a wonderful tool. You are looking for an SSH port forward.
Use a remote system like your computer to initiate a SSH tunnel port forward like this:
Now go ahead and do your Mysql stuff, but change connection settings to 127.0.0.1 using port 33306.
If you want to use it in a production system it is useful to write an init script and use ssh keys (but those should always be used anyway).
But to solve the connection problem, just post the output of those commands above. This can help us diagnose if iptables is blocking the port on the second IP (this is highly likely IMHO)
Use a remote system like your computer to initiate a SSH tunnel port forward like this:
ssh -N best-not-root@yourserver.fqdn -L 33306:127.0.0.1:3306Now go ahead and do your Mysql stuff, but change connection settings to 127.0.0.1 using port 33306.
If you want to use it in a production system it is useful to write an init script and use ssh keys (but those should always be used anyway).
But to solve the connection problem, just post the output of those commands above. This can help us diagnose if iptables is blocking the port on the second IP (this is highly likely IMHO)
ASKER
helge000, it looks to me that you are truly a MySQL expert. I have only dabbled in this, and so you are taking me into unknown waters. I appreciate your help with this problem.
Forgive my ignorance, but I am trying to understand what you are proposing. Are you saying that once I execute the ssh command you propose, then I can use port 33306 instead of 3306 to connect to MySQL? What benefit would changing the port be? Also the value of 'yourserver' I presume is the IP address of the remote server? And what is '.fqdn'?
As far as posting the output of the two commands you gave me, wouldn't doing so reveal sensitive information about our server?
I can tell you that a script has been run, and all IP addresses on this server have been set to ACCEPT. Since you feel that it is highly likely that the IP address is somehow being blocked, can we just assume for the moment that it is, and can you tell me how I would go about unblocking it?
Forgive my ignorance, but I am trying to understand what you are proposing. Are you saying that once I execute the ssh command you propose, then I can use port 33306 instead of 3306 to connect to MySQL? What benefit would changing the port be? Also the value of 'yourserver' I presume is the IP address of the remote server? And what is '.fqdn'?
As far as posting the output of the two commands you gave me, wouldn't doing so reveal sensitive information about our server?
I can tell you that a script has been run, and all IP addresses on this server have been set to ACCEPT. Since you feel that it is highly likely that the IP address is somehow being blocked, can we just assume for the moment that it is, and can you tell me how I would go about unblocking it?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you so much for your help. I couldn't respond earlier because we had to ward off some hacking attempts in order to drop the firewall. It turns out that it was not the firewall, but that somehow the user permissions got altered (possibly by mistake as we had recently done some updates.) Appreciate the time and effort you put into this.