socross
asked on
Can I Talk to a mysql database over secure SSL connection in a Plesk VPS environment?
Hi
Is it possible to talk/interact with a mysql database over a SSL connection?
We run multiple domains on a VPS server setup with Plesk, so I assume we have 1 Mysql Server which hosts all our databases.
To give a bit more detail on what we are trying to achieve, we have a main site http://www.domain.com which talks to DB x and we need https://www.domain.com to be able to talk to the same database x.
Any input would be much appreciated.
Thanks
--s--
you can achieve that using an ssl tunnel and have the database access done over the tunnel
ASKER
Ok Great
I am currently developing and am working on the secure files (httpsdocs) fine, but any connections to my database return empty objects!
Is it possible to configure access to my database, securely via https:// and standard via http://?
objects - could you provide a bit more info on how this would work and any resources on how to set it up?
Many thanks
--s--
ASKER
fosiul01:
Perfect, OK, and that's what I was hoping.
But when using MYSQLI to connect to my database I am getting empty results even though the queries are working (tested using phpMyAdmin).
See the code snippet for an example: although it connects to the db, it returns an empty object and returns 0.
Am I missing something?
--s--
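// connect to db
$conn = db_connect();
// It connects ok.
if (!$conn)
    return 0;
else
    echo 'connection success';

// check username
// NOTE: $var, $table and $value are interpolated directly into the SQL text.
$result = $conn->query("select LCASE($var) from $table where LCASE($var) = LCASE('$value');");
if (!$result)
{
    // query() returned false; $conn->error holds the server's error message
    echo 'object not created';
    return 0;
}

// 1 if at least one matching row exists, otherwise 0
if ($result->num_rows > 0)
    return 1;
else
    return 0;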
@author
I would have suggested you create another question for this, as it's a coding problem.
Create another question in the PHP zone; you will get more and accurate answers.
I have not touched PHP programming for the last 6 to 7 months, so I have almost forgotten the syntax....
Sorry for this that would be able to help you for coding part.
ok, I think we are at cross purposes here.
Assume setup:
[CLIENT] -- LINK1 --> [WEBSERVER] -- LINK2 --> [DB-HOST]
There are two links involved - normally, WEBSERVER and DB-HOST are the same, so you don't need to worry about DB security. In a cluster, you may also find that an interserver link is effectively secure (as in, on a private network) so that LINK2 is insecure, but in an isolated environment so no real risk.
On the webserver, there should be a HTTPS certificate - this is used to secure LINK1 *only* - the backend link LINK2 is not secured in any way by the server certificate, so you should treat these as completely separate problems. In most situations though, you can assume that your LINK2 is secure unless there is a valid reason to assume otherwise.
If you still want to secure LINK2, there are three layers of technology that can achieve this for you - these are:
1) SERVICE encryption
MySQL natively supports/allows SSL encryption. To make this work, you must supply a certificate+key to the server, and configure the client to use SSL.
Upside: everything is handled natively.
Downside: you have to reconfigure your code to use a secure connection (it's asserted clientside) and maintain a certificate for the use of the MySQL server.
MySQL official documentation --> http://dev.mysql.com/doc/refman/5.0/en/secure-connections.html
2) TUNNEL encryption
Tunnel mode programs allow you to define a local port on a machine without MySQL to be linked (via encryption) to a port on the MySQL server.
Upside: If you use the same port, you can just define the MySQL server as localhost (on all servers) and it doesn't matter which node a website is running on; localhost is always the same instance of MySQL.
Downside: reliance on secondary code (the tunnel software); ssl based tunnel software (such as stunnel) requires maintaining a certificate for the MySQL server (if that style of tunnel is used); all connections appear to be "from" localhost, so invalidating host based permissions.
SSL Based tunnel solution ---> http://www.stunnel.org/
3) VPN encryption
VPN (virtual private network) programs allow each node in a group to be assigned a "private" IP address (192.168.20.x say) and communications between them are automatically encrypted and routed
Upside: can be used for *anything*, not just MySQL, and all the traffic is secure; host based permissions work, logfiles reflect the private IP (but are accurate), some VPN capabilities are built into most modern operating systems (Windows and Linux both have kernel-level support for IPSec, the non-SSL based, "standard" flavour of vpn)
Downside: reliance on secondary code (vpn software); maintaining a SSL certificate or other "shared secret"
Popular SSL based vpn solution --> http://openvpn.net/
oops - site glitch - got "down for unexpected maintenance" then two copies turn up....
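Option 1 from the answer above (native MySQL SSL, asserted on the client side), sketched with mysqli as an added example that is not part of the original thread. The host name, account, database name, environment variable and CA path are placeholders, and the function name db_connect_tls is hypothetical.

```php
<?php
// Added example: every host, account and path below is a placeholder.

// Make mysqli throw exceptions instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function db_connect_tls(string $host, string $user, string $pass,
                        string $db, string $caFile): mysqli
{
    $conn = mysqli_init();

    // The CA file lets the client check the server certificate.
    // Client key/cert stay null unless the account demands one.
    $conn->ssl_set(null, null, $caFile, null, null);

    // Use a host name or IP here: "localhost" makes mysqli use the
    // local Unix socket, where the SSL request has no effect.
    $conn->real_connect($host, $user, $pass, $db, 3306, null,
                        MYSQLI_CLIENT_SSL);

    // Fail closed: an empty Ssl_cipher means the session is plaintext.
    $row = $conn->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")
                ->fetch_assoc();
    if (empty($row['Value'])) {
        $conn->close();
        throw new RuntimeException('MySQL session is not encrypted');
    }
    return $conn;
}

try {
    $conn = db_connect_tls(
        'db.example.internal',        // placeholder DB-HOST (LINK2 target)
        'webapp',                     // placeholder MySQL account
        getenv('DB_PASS') ?: '',      // password kept out of the source
        'x',                          // the database from the question
        '/etc/mysql/certs/ca.pem'     // placeholder CA certificate path
    );
    echo "connected over SSL\n";
} catch (Throwable $e) {
    // Log the real reason server-side; do not echo it to the browser.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
}
```

On the server side, the MySQL account can additionally be created with REQUIRE SSL so that a client that forgets the flag is rejected rather than silently connecting in plaintext.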
ASKER
Thanks for all your input, after all your feedback and reading on the net I have basically gone on a bit of a wild goose chase, as it was bad PHP code which caused the issue!!
Thanks for helping me get to the bottom of this and for all your input!
Best
--s--