Using SSH tunnel to connect to remote MYSQL database from Node-Red - mysql

I have a set of data rolling out of Node-Red that I want to send to a remote MYSQL database. The Node-Red system is running on a Raspberry Pi. How do I make this work? I know how to it using Node.JS but im not sure how to do this in Node-Red. The IP-adress of the Pi is dynamic so simply authorizing its Ip address does not work sadly.
Thanks in advance!
EDIT for clarification:
I want to connect to a remote MYSQL database that is hosted by my webhosting. I have connected a Raspberry Pi to a battery, and I want to save this information in the aforementioned database. Since there will be several battery setups in different locations, I cannot save the data locally. So, one way or another I need to access the remote database through Node-Red. Authorizing one IP-address does't work, since the IP of the Raspberry Pi network is dynamic and thus changes. I think a SSH-Tunnel might be the solution, but I have no idea how to this in Node-Red, and google isnt very helpful.

OK, so as I said in the comments you can make a Username/Password pair for MySQL can be granted permission to any IP address (which is less secure if the username/password is compromised. Set the host to '%' to allow all hosts when setting up the grant options).
To reduce the risk you can restrict the Username/Password to a specific subnet. This could be a wifi network or the subnet associated to the piblic IP (it needs to be the public range as nearly all cellular ISPs use CGNAT) range of the cellular provider you may be using. (See this question for details How to grant remote access to MySQL for a whole subnet?).
If you want to use a SSH tunnel then this will normally be done outside Node-RED with the ssh command line e.g.
ssh -L localhost:3306:localhost:3306 remote.host.com
Then configure the Node-RED MySQL node to point to localhost.
Since the connection will look like it's coming from localhost on the MySQL machine you need make sure the Username/Password is locked down to a that host.
You will probably also want to set up public/private key authentication for the ssh connection.
You may be able to run the ssh command in the node-red-daemon node, which should restart the connection if it gets dropped.

Related

Connecting to Internal MySQL Server

I have a Node.JS Express API App that's hosted on Heroku in the cloud. I'd like to query a MySQL DB.
The problem is that this DB is hosted on a secure LAN with proprietary info. We don't want to expose this DB to the public. What's the desired pattern for things like this?
I have a static proxy IP that I was thinking of maybe whitelisting in MySQL Server if possible. I think introducing another layer like VPN or SSH isn't going to work.
I have a static proxy IP that I was thinking of maybe whitelisting in MySQL Server if possible
MySQL does allow whitelisting of IPs. It is possible.
However, you can create an SSH tunnel from the local system to the server. The SSH tunnel can give you an encrypted SSH connection. And instead of using an SSH based on password, the better method is to use a key based encryption
What you need to do is to generate a public authentication key and append it to the remote hosts ~/.ssh/authorized_keys file. And preferably, disable password based authentication and only permit key based ssh connections.
If you need some steps on how to achieve this, I can list down too.

How to connect a C # system with a MySQL database outside the LAN?

I'd like to know how to connect the client pc in a outside network for example a WAM network, i have my database in my pc and i use this like the server. I know how to connect mysql with another client computer inside the LAN network but i dont know how to do it like the other way.
if you don't understand something make me know.
PD: sorry for my english is my first question on a english forum
Ultimately it works exactly the same way - you need an IP address and a port to connect to your database on. You can either do this by setting up port-forwarding at the firewall on the network with the database server (basically, forward port 3306 to the LAN IP address), or by giving the database server a publicly available static IP and then opening port 3306 in any firewalls. Alternatively, you can set up a VPN to the network with the database server, and connect through this. If done right, the VPN option is much more secure.
However, you should ask yourself why you want to do this. Is your idea to have a client software that directly connects to the database? This is not a great design - it's usually better to have a backend database that is accessed via a frontend API (e.g. a RESTful API or similar). Among other benefits, this can give you much better (finer-grained) access control to the database.
Your MySql server should have a firewall rule to accept outside connection on MySql port (default is 3306). Best setup should allow connection from your clients WAN address only.
Then, your C# connector will be able to connect just the same as in LAN.

Push sensor data from raspberry pi to local host phpmyadmin database

I would like to push sensor data from the raspberry pi to localhost phpmyadmin. I understand that I can install the mysql and phpmyadmin on the raspberry pi itself. But what I want is to access my local machine's database in phpmyadmin from the raspberry pi. Would it be possible?
Well, from what I understand, you'd like to save the sensor data arriving in your Raspberry Pi to a database and access it from another machine. What I suggest is, install a mysql db instance and phpmyadmin in your Raspberry Pi and you can access phpmyadmin from another machine in the network by using the RPi's ip address.
Hope this is what you wanted to do.
Sure, as long as they're on the same network and you have granted proper permission, all you have to do is use the proper hostname or IP address of the MySQL server (what you call the local machine). In whatever utility or custom script you have that writes data, use the networked IP address instead of 127.0.0.1 or localhost for the database host.
Depending on how you've installed MySQL, you may not have a user that listens for non-local connections, incoming MySQL connections may be blocked at the firewall, or your MySQL server may not listen for incoming network connections.
You've asked about using phpMyAdmin from the Pi, accessing your other computer, which doesn't seem to make much sense to me (I'd think you'd want to run phpMyAdmin on your desktop computer, not a Pi), but if you've got a GUI and compatible web browser running on the Pi then you'd just have phpMyAdmin and the webserver run on the same desktop computer that has MySQL and access that hostname and folder from the Pi (such as http://192.0.2.15/phpmyadmin).
If you're planning to make the MySQL server itself public-facing, you should really re-think that decision unless you know why that's a bad idea and how to properly secure it (but that may not be a concern; for instance I have one at home that is available on the local network, but my router blocks any incoming connections from external sources).

MySQL: SSH Connection through Terminal in MAC

Hi Thanks for reading my question. I currently use Mac Terminal to use MySQL. I connect to either localhost or a remote server. Should I be using SSH?
You won't need SSH to access a DB on your local machine.
You can use SSH to access a remote DB using MySQL. You can also use an app with a GUI like Sequel Pro to access the remote DB via an SSH tunnel.
What specifically are you trying to achieve?
There is not enough information to answer your question.
Normally SSH tunnels are used more for adhoc work, while preserving high level of security (can be used in production, too).
MySQL normally uses unencrypted traffic, but it can be setup to use SSL, so that's another path you can take.
Other alternatives are VPNs, for example OpenVPN among other solutions, but this is more of an infrastructure decision.
EDIT: For completeness
On local machine clients can communicate with mysqld over socket or local IP. Normally it is not necessary to encrypt such connections.
For remote connections (which are over IP), as stated mysql uses unencrypted connection and FTP by default also uses unencrypted connection. This might or might not be a security risk (if that particular network segment is on its own VLAN or inside already encrypted tunnel or on physically secured network).
If unsure - encrypt it.

Connecting/Tunneling to remote server to bypass firewall

I want to try out some of the MySQL software, like Workbench, on the MySQL Db I develop on at work. After many failed attempts to make the connection, I finally asked one of the server admins if I was doing something wrong and was informed that the Db is behind firewall. So I can use phpMyAdmin, since it's installed server-side, but not Excel, Workbench, etc (from my machine).
So I would like to know if there is a fairly standard way to make a VPN-like connection to the server. Currently I use an SSH client to connect with no problem. But obviously that's not linking my local apps to the server. So can I make the connection in such a way that my whole system (so to speak) is considered signed on to the server? VPN is the closest analogy I can make, but that's not an option.
And....
Is that considered fairly "black hat" or is just something I don't know how to do but all the cool kids are doing it legitimately?
Thanks
This is simple using SSH tunneling. Simply do something akin to the following:
ssh -f username#your.remote.host -L 4040:your.remote.host:3306 -N
This does the following:
-f - forks SSH into background
username#your.remote.host - the user & host for SSH to connect to
-L 4040:your.remote.host:3306 - Listen for local connections on port 4040, and forward them via SSH to your.remote.host port 3306
-N - tells SSH not to issue a command on the remote host
You would then be able to connect to your mysql server (assuming the above ports are correct) using:
mysql --host=localhost --port=4040 --user=mysqluser -p
SSH tunnelling is excellent and can make life a lot easier.
The advantages are that it is all running over an encrypted port, 22, so the security is better and you can also compress the session, so over a slow network might see a bit of a performance improvement...
If you are using Windows, I would recommend puTTY which is available easily if you google it... Once connected, you can assign a local port which forwards to a port on the remote machine. In puTTY, this is in the Connection->SSH->Tunnels dialog.
I often use this for forwarding VNC - so if you have localport 5900 forwarding to the remote address 5900, you can connect to localhost:5900 as if you were connecting to the remote IP address.
It is also useful if there is a "hop" to a remote network - e.g. you aren't limited to forwarding to the ssh server you are connected to, you can also connect to other servers via the ssh server you are using.
Finally, I don't think that there is anything illegitimate about this option - you are using the ssh connection as intended and have been granted access to the server you are using. If anything, it is increased security...
Admins where I am have an Open-VPN that connect their personnal computer at home to servers at work, but it is used only for maintenance and 'emergency'.
I don't think it is good for security to have "holes" in the firewall, especially to a private place, where there is no firewall to protect your personnal computer.
These kind of practise is possible but has to be retricted to minimum