I'm running Tomcat 7/MySQL 5.6 on CentOS 6. It's time to separate the database to another server. What is the best approach to securing the connection between Tomcat and the backend MySQL server? It's virtualized and I don't want to run the connection open over a shared network.
I'm thinking tunneling through ssh. SSL seems a lot of work. But what's the "recommended" approach?
You're right to be careful about sending traffic over an open network. The MySQL protocol by default is not encrypted at all, so if someone can capture packets on your network, then they can see all your data.
I prefer using either an ssh tunnel or a vpn connection. I just find it easier to configure.
My colleague Ernie Souhrada at Percona posted a couple of really good blog articles about the efficiency of using an ssh tunnel versus using MySQL client options to connect via SSL and bear the overhead of handshaking on every connection.
http://www.mysqlperformanceblog.com/2013/10/10/mysql-ssl-performance-overhead/
http://www.mysqlperformanceblog.com/2013/11/18/mysql-encryption-performance-revisited/
The performance impact of the SSL handshake that Ernie reports won't be quite as much of an issue for a Tomcat environment, since you would typically have a connection pool, and therefore new connections would be made less frequently.
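As an added example (not part of the answer above, and not the Percona articles' code), here is the shape of the SSH-tunnel setup that answer prefers, done so that the tunnel key is useless for anything but forwarding the one MySQL port, the forwarded port is bound to loopback on the Tomcat host, and a tunnel whose forward was refused fails loudly instead of sitting there forwarding nothing. The host name `db.internal.example`, the account `mysqltunnel`, the key path and the sample `ss -ltn` line are assumptions/constructed.

```shell
#!/bin/sh
# Added example: SSH tunnel from the Tomcat host to the MySQL host.
# Host name, tunnel account and key path below are assumptions.
DB_HOST="db.internal.example"          # assumed MySQL server
TUNNEL_USER="mysqltunnel"              # assumed unprivileged account on the DB host
KEY_FILE="/etc/tomcat/mysql-tunnel-key" # assumed key owned by the tomcat user

# Line to append to ~mysqltunnel/.ssh/authorized_keys on the DB host.
# The key may only open a forward to MySQL's own loopback port on the DB
# host: no pty, no shell (forced /bin/false), no agent or X11 forwarding.
# OpenSSH >= 7.2 can shorten the prefix to: restrict,port-forwarding,permitopen=...
authorized_keys_line() {
  pubkey="$1"
  printf 'no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="127.0.0.1:3306",command="/bin/false" %s\n' "$pubkey"
}

# The ssh command the Tomcat host runs (under autossh or a service manager):
#  -N                    no remote command, forwarding only
#  -L 127.0.0.1:...      listen on loopback only, never on the shared network
#  ExitOnForwardFailure  exit if the forward is refused instead of staying
#                        connected with no working tunnel
#  ServerAlive*          notice a dead link within ~90 s so it can be restarted
#  StrictHostKeyChecking known_hosts must already contain the DB host's key
tunnel_cmd() {
  printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -L 127.0.0.1:3306:127.0.0.1:3306 %s@%s\n' \
    "$KEY_FILE" "$TUNNEL_USER" "$DB_HOST"
}

# Post-check: given one line of `ss -ltn` (or `netstat -ltn`) output and a
# port, return 0 only if that listener is bound to 127.0.0.1:<port>.
# A 0.0.0.0:<port> or :::<port> listener means the forward is exposed.
loopback_only() {
  line="$1"; port="$2"
  case "$line" in
    *"127.0.0.1:$port "*|*"127.0.0.1:$port") return 0 ;;
    *) return 1 ;;
  esac
}
```

With this in place, Tomcat's JDBC URL in context.xml points at the tunnel end, `jdbc:mysql://127.0.0.1:3306/...`, so the application never talks to the shared network at all. On the DB host, `bind-address = 127.0.0.1` in my.cnf keeps MySQL unreachable except through the tunnel. After starting the tunnel, run `ss -ltn | grep 3306` on the Tomcat host and pass the line to `loopback_only` (or just eyeball it) to confirm the listener is on loopback only. Connection-pool validation (a test query on borrow) is still needed: when the tunnel restarts, pooled connections die and the pool must notice.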
Related
Recently I was trying to convince my hosting provider to secure my remote connection to MySQL. Their reply was that these connections are by default unsecured and even big players provide only unsecured remote connections to MySQL. I did a lot of Googling but I was unable to get a satisfactory answer.
If I wish to have my remote connection to MySQL server secure, am I wishing wrong?
Because I believe no remote connection should be insecure. Even the latest versions of MySQL Workbench have stopped supporting non-secure connections.
To make your whole website secure besides your database, you need to issue an SSL certificate and make it work under HTTPS, which is going to encrypt all the data of your website.
In addition, it's always good to avoid the MySQL default port: change it to some port number other than 3306, which makes it harder for an attacker to attack your MySQL connection.
I am very new to this environment and currently having difficulty sharing my DBMS work with my teammates. I tried to find solutions, but mostly they were solutions for the same network. Is there any way (in detail) I can share it from an outside network?
Try setting up a VPN/proxy server on your LAN; your teammates will then connect to that VPN/proxy server externally to access the phpMyAdmin DBMS, as a VPN or proxy would make your teammates' network connection appear as if they were on the same network as the phpMyAdmin DBMS, which is only accessible on the LAN.
This will undoubtedly be the most secure method of connecting to the server, and also one that doesn't require too many changes to the configuration of the phpMyAdmin DBMS, which could be messed up in the process of modifying all the configuration files and be quite a hassle.
I've created a Java Spring Boot application that launches 36 downloader droplets on DigitalOcean, which SSH tunnel to a database CPU-Optimized droplet and download from an API into the database.
I've configured Hikari as follows, towards fewer pooled connections, assuming the database may have trouble with too many and thinking they might not be required.
spring.datasource.hikari.maximumPoolSize=5
spring.datasource.hikari.connectionTimeout=200000
spring.datasource.hikari.maxLifetime=1800000
spring.datasource.hikari.validationTimeout=100000
I'm wondering if those settings may or may not be recommended and why. I've reduced the maximumPoolSize to 5; however, I haven't found much information on whether that is considered too small for a Java Spring Boot application to run effectively.
Given each downloader is storing data in the database sequentially, do I need to have more than a few pooled connections on each downloader?
I've configured the maximum connections in MySQL to 250 and the maximum SSH connections on the database server to 200. I note that 114 sshd processes are created on the server. Can a server handle that many SSH tunneling connections?
Do you foresee any problems with this kind of distributed setup with Spring Boot? One thing I had to do before adjusting to these settings was place retry-connection code around each database connection to prevent disconnection errors.
Thanks
Conteh
Since our shared hosting server doesn't allow us to setup Tomcat I decided to install it on our local machine. The local Tomcat server allows us to listen to a certain port for Bancnet transactions which will then be processed and written to the remote site.
Question:
Is it safe for me to set the local PHP application to connect directly to the remote MySQL server? Any suggestions on how to make the connection secure? BTW, I have a self-signed certificate installed on the localhost but I'm not sure how this applies to a remote MySQL connection.
You could create an SSH tunnel between the MySQL server and client. For more resiliency, use autossh.
If you don't connect over SSL or some other encrypted tunnel, I would absolutely assume that anything you send to or receive from MySQL is done so in clear text that can be intercepted and used for malicious purposes from any link along the way. This might be fine for testing purposes with dummy data, but before you put this into production use or pull down live user data for testing, you really should either make arrangements for the data to be stored local to the web app or for there to be an encrypted connection.
Giving you a full overview of how to set up SSL connections to MySQL is beyond the scope of Stack Overflow and it's a bit complicated, but if you want to proceed, check out the documentation and do some research, there are some good informational resources out there.
I'm a bit confused as to the architecture you are trying to describe. What's running where?
If you can't install Tomcat then you probably won't be able to install anything like VPN software on the box.
MySQL can encrypt using SSL provided it has been enabled at compile time and at run time.
Alternatively, it should be fairly trivial to build a webservices tier on top of the remote database.
I would recommend switching to a VPS or managed host though.
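The two answers above say MySQL's own SSL support is possible but "a bit complicated" and depends on being enabled "at compile time and at run time". As an added example (not code from either answer), this script shows what those two conditions look like in practice and how to check from a session that it is actually encrypted rather than silently in clear text. Certificate paths, the account name and host, and the sample `SHOW VARIABLES`/`SHOW STATUS` values are assumptions/constructed; flags are the MySQL 5.6-era ones since that is what the first question runs.

```shell
#!/bin/sh
# Added example: enabling and verifying MySQL's native SSL.
# Paths, account names and sample output are assumptions/constructed.

# Run-time enablement: [mysqld] fragment for my.cnf pointing at the server's
# CA, certificate and private key (paths are assumptions).
mysqld_ssl_config() {
  ca="$1"; cert="$2"; key="$3"
  printf '[mysqld]\nssl-ca=%s\nssl-cert=%s\nssl-key=%s\n' "$ca" "$cert" "$key"
}

# Server-side enforcement: make the account unable to log in over a
# cleartext connection, so a misconfigured client cannot quietly downgrade.
# (MySQL 5.6 syntax; 5.7+ also accepts ALTER USER ... REQUIRE SSL.)
require_ssl_grant() {
  user="$1"; host="$2"
  printf "GRANT USAGE ON *.* TO '%s'@'%s' REQUIRE SSL;\n" "$user" "$host"
}

# Interpret the value of SHOW VARIABLES LIKE 'have_ssl':
#   YES      -> compiled in AND started with ssl-* options (usable)
#   DISABLED -> compiled in, but no ssl-* options at run time
#   NO       -> the binary was built without SSL support
# Prints a one-word verdict; returns 0 only for YES.
ssl_support_state() {
  case "$1" in
    YES)      echo "enabled";      return 0 ;;
    DISABLED) echo "not-started";  return 1 ;;
    NO)       echo "not-compiled"; return 1 ;;
    *)        echo "unknown";      return 1 ;;
  esac
}

# Given the tab-separated row from SHOW STATUS LIKE 'Ssl_cipher' run inside
# the session under test, return 0 if a cipher name is present (encrypted)
# and 1 if the value is empty (the session is clear text).
session_encrypted() {
  cipher=$(printf '%s' "$1" | awk -F'\t' '{print $2}')
  [ -n "$cipher" ]
}

# Client command that validates the server certificate against the CA and
# checks the certificate's CN against the host name it connected to.
# (5.6 flags; 5.7.11+ can use --ssl-mode=VERIFY_IDENTITY instead.)
client_cmd() {
  ca="$1"; host="$2"; user="$3"
  printf 'mysql --ssl-ca=%s --ssl-verify-server-cert -h %s -u %s -p\n' "$ca" "$host" "$user"
}
```

The order matters: first confirm `have_ssl` is `YES` (anything else means the config or the build is the problem, not the client), then grant `REQUIRE SSL` to the remote account, then connect with `client_cmd` and run `SHOW STATUS LIKE 'Ssl_cipher'` in that session. The last step is the one people skip: older clients (before MySQL 5.7.3, the CVE-2015-3152 "BACKRONYM" downgrade) would fall back to clear text even when asked for SSL, so the server-side `REQUIRE SSL` plus an in-session cipher check is what proves the link is encrypted, not the client flags alone. A self-signed certificate on the web host does nothing here; the certificate that matters is the one the MySQL server presents, and the client needs its CA.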
Hi, thanks for reading my question. I currently use the Mac Terminal to use MySQL. I connect to either localhost or a remote server. Should I be using SSH?
You won't need SSH to access a DB on your local machine.
You can use SSH to access a remote DB using MySQL. You can also use an app with a GUI like Sequel Pro to access the remote DB via an SSH tunnel.
What specifically are you trying to achieve?
There is not enough information to answer your question.
Normally SSH tunnels are used more for ad hoc work while preserving a high level of security (they can be used in production, too).
MySQL normally uses unencrypted traffic, but it can be set up to use SSL, so that's another path you can take.
Other alternatives are VPNs, for example OpenVPN among other solutions, but this is more of an infrastructure decision.
EDIT: For completeness
On the local machine, clients can communicate with mysqld over a socket or local IP. Normally it is not necessary to encrypt such connections.
For remote connections (which are over IP), as stated, MySQL uses an unencrypted connection by default, and FTP by default also uses an unencrypted connection. This might or might not be a security risk (if that particular network segment is on its own VLAN, or inside an already encrypted tunnel, or on a physically secured network).
If unsure - encrypt it.