I'm running openzipkin in Azure (docker image) and I'm getting this error for the past two weeks out of the blue.
Nothing has changed in the code because I'm using a specific docker tag. Seems like Azure has internally changed something with MySql recently?
I don't see any options under Server parameters to enable ipv6 AND you cannot add an ipv6 firewall rule because it only allows ipv4 to be entered.
Could not connect: Server is not configured to allow ipv6 connections.
I had the same issue and found this article https://blogs.msdn.microsoft.com/azuresqldbsupport/2019/01/02/lesson-learned-52-azure-database-for-mysql-server-is-not-configured-to-allow-ipv6-connections/ that recommends adding VNet rules to the MySQL connection security. This however does not work for Basic tier.
Solution:
Somehow an Azure MySQL cannot communicate with a VM in the same region.
To fix this - Remove Microsoft.Sql endpoint in
Virtual network > yourResourceGroup > Service endpoints
Related
When attempting to connect to the Azure App Services (ASP.NET) MySQL database (Navigating to the Manage link) the Page info returned from PHPMyAdmin prevents me from moving forward. I cannot seem to find the location of the log for the app within Kudu and navigating to the MYSQLCONNSTR_*.ini file did not provide me with the information that I needed.
I've attempted to use the connection strings for the database for both the scm and the web app but neither work. I have also attempted to use the public-facing IP within the Kudu environment variable without any luck.
I cannot seem to find the information I need to connect to my instance of PHPMyAdmin, and am now quite lost.
The solution to my problem was here: https://stackoverflow.com/a/57545678/4212591
The free tier of the Azure Web Service does not allow for the always-on feature. Thus my inability to connect to the service.
I’m unsure on the exact location/path you are looking for that file, the connection string is stored at D:\home\data\mysql\MYSQLCONNSTR_localdb.txt.
If you wish to customize the database, username and password, after you have created a new database, add new username or update password, simply modify:
D:\home\data\mysql\MYSQLCONNSTR_localdb.ini , remove D:\home\data\mysql\MYSQLCONNSTR_localdb.txt and restart the WebApps.
Furthermore, the connection string flows to your application as an env variable MYSQLCONNSTR_localdb. The env is added to the main site process. For Kudu site, one may read the same info from D:\home\data\mysql\MYSQLCONNSTR_localdb.txt file. Beware that we are not using the default MySql port (3306). In fact, the port number may vary for each application life cycle depending on its availability at startup time. The port info is also available as an env variable WEBSITE_MYSQL_PORT to your site.
Ensure that MySQL process is running. Check in your web app application settings if there is a connection string. PHPmyadmin uses MYSQLCONNSTR_ to connect to the MySQL server. If you have a connection string in application setting change the connection string type to Custom , so you can still have the information if needed or delete it. This will force PHPmyadmin to access MYSQLCONNSTR_localdb and connect to the MySQL in-app server.
As a side note, on Azure WebApps Sandbox - Connection attempts to local addresses (e.g. localhost, 127.0.0.1) and the machine's own IP will fail, except if another process in the same sandbox has created a listening socket on the destination port.
To rule out, application code or the client library leaking TCP socket handles or burst load of requests opening too many TCP socket connections at once, scale-up Azure App Service Plan and see if that makes any difference.
I am trying to establish a SSL-encrypted connection to a my MySQL Docker service running on a AWS VPC (setup up by the Docker for AWS cloud formation template). The elastic load balancer is configured to redirect port 3306. There is no problem to connect to the container (e.g. by using MySQLWorkbench, mysql-client, ..) as long as SSL is not turned on (adding AWS's own certificates (ACM) or my custom certificates to the ELB listener). In case SSL is enabled, the client starts hanging / freezing, without returning a proper error. I added the ca-certs from ACM, generated my own certificates (with and without additonal key / cert for the client) but nothing seems to resolve my problem.
Now I am well aware of the fact, that this setup is not that usual. I guess the standard way of doing this is to configure the MySQL-Server itself. AFAIK, in this case only the connection between client and ELB is encrypted, but I do not understand why this causes a problem?
I am grateful for answers!
In MySQL's client/server protocol, the server talks first. It advertises its capabilities (including whether it supports SSL). Then the client requests that the connection switch to SSL mode. Only then does SSL negotiation take place.
For this reason, it is not possible to offload SSL in front of MySQL.
Your connection hangs because the client is waiting for the initial packet from the server, while the ELB is waiting for the client to start negotiating SSL -- because unlike the MySQL client/server protocol, the client talks first on standard SSL negotiation.
You have to have a certificate on the MySQL Server, and not on the ELB, for this to work.
An AWS Network Load Balancer is a more appropriate solution for exposing MySQL, but you still need the SSL cert on the MySQL Server itself.
I have what is going to be a production MySQL database, and we want to access such remotely but haven't found a secure way to do it.
Docker Swarm do not have support for host bound ports such as 127.0.0.1:3303:3303, however normal mode does. Making a port public becomes also public in all swarm nodes.
Using firewalls is not really an option since we would have to configure these on every single node in the swarm.
We have on table only two options
Opening the port and only allowing connections through TLS and enforcing REQUIRE options Issuer and Subject, to only one single user and probably read_only. Still seems to be highly insecure due to having the open port.
Creating a temporary dockerized sshd service and making it available in the same network as MySQL service, it is more hazzle to manage these ssh containers. Still more secure since it would be turn on/off when needed
Question: Is there any other/better options to approach this? and how badly insecure is it to have open port + tls connections?
If you have a good argument against accessing MySQL remotely I would appreciate it
Im trying to connect to a postgres database, from a springboot application deployed in minishift.
The postgres server is running on the same host that minishift is running on.
I've tried setting the postgres serve to listen on a specific IP address, and use this same address in the springboot jdbc connection url but I still get org.postgresql.util.PSQLException: Connection to 172.99.0.1:5432 refused
I've also tried using 10.0.2.2
Also tried, in /etc/postgresql/9.5/main/postgresql.conf, setting:
listen_addresses = '*'
How can I connect to a database external to minishift, running on same host?
Besides the answer referenced in my comment, which suggests to make your database listen on the IP address of the Docker bridge, you could make your pod use the network stack of your host. This way you could reach Postgres on the loopback. This works only if can guarantee that the pod will always run on the same host as the database.
The Kubernetes documentation discourages using hostNetwork. If you understand the consequences you can enable it as in this example.
If a pod inside kubernetes can't see the IP address from the host then I guess its an underlying firewall or networking issue. Try opening a shell inside the pod...
kubectl exec -it mypodname bash
Then trying to ping, telnet, curl, wget or whatever to see if you can see the IP address.
It sounds like something's wrong with the networking setup of your minishift. It might be worth raising an issue with minishift: https://github.com/minishift/minishift/issues/new
If you can find an IP address on the host which is accessible from a docker pod you can create a Kubernetes Service and then an Endpoint for the service with the IP address of the database on your host; then you can use the usual DNS discovery of kubernetes services (i.e. using the service name as the DNS name) which will then resolve to the IP address. Over time you could have multiple IP addresses for failover etc.
See: https://kubernetes.io/docs/user-guide/services/#without-selectors
Then you can use Services to talk to all your actual network endpoints with your application code completely decoupled on if the endpoints are implemented inside kubernetes, outside with load balancing baked in!
I have built an application in vb.net that needs to connect to a mysql database. This all works fine from my own network and several other home networks.
But if i want to use the application on my company's network, i get the error
Unable to connect to any of the specified MySQL hosts
I thought that this is caused by the firewall of the network.
But I used the "automatic update" option and I publish the application on a online server. This works fine on my company's network.
So the application can download the updates from the network, but can't connect to the mysql server. What could cause this issue?
The most common situation that would cause this is selective egress filtering. Specifically, the firewall is most likely only allowing HTTP/HTTPS port connections out.
Try changing mysql to listen on 443, then try again using 443 instead. The firewall may allow the traffic since it is using 443 like web traffic instead of 3306 (mysql default).
If you're testing it locally, its because you need to whitelist the IP that you're CURRENTLY on.
On live sites, the IP of the server doesn't change. So you use that IP with the correct permissions to allow mysql to work.
So basically, figure out where your allowed IP's to talk to the DB are, find your local ip, and modify. Incorrect ports can be a problem also