
How to securely connect app and database servers?

Submitted by: @import:stackexchange-dba

Problem

(Updated) For a start, I have my app and database on separate servers. It's easy to connect them, except I am not sure how to secure my database server.

Here's what I've already done:

- Ran mysql_secure_installation right after installing MySQL. So, all of these have been taken care of:
  • strong 64 char root password
  • no anonymous users
  • root login only on localhost
  • no test databases

- A non-public network for the inter-server communication (in my my.cnf, there's something like this: bind-address = 10.128.2.18, where 10.128.2.18 is the private network IP address of the MySQL database server).

- A separate user for the database, an unguessable username and 64 char strong password to go with it; and the IP addresses of the user accounts set to the private IP addresses of the app server. I created the user with a command like this:

      GRANT ALL ON `app_db`.* TO 'db_user'@'10.128.2.9' IDENTIFIED BY 'password';

  The app is WordPress, so I need GRANT ALL ON to avoid any unexpected issues.

Options considered (but not employed):

  • I've been told that technologies like SSH Tunnel, SSL, OpenVPN, Tinc, and IPsec are not generally used because they have a performance cost (resource usage due to encryption, latency, etc).

So, what else do I need, or am I good enough? How else do others do it? Please be as detailed as possible (link to a tutorial or something you are suggesting would help a lot).

Solution

I'm not sure why you've been told that VPN technologies are not generally used. It is correct that they have a performance cost but then again, so does everything! For the amount of data typically moving between an application server and its database server, the CPU overhead of TLS should be negligible, especially on the database server. If that is not the case then look at purchasing SSL-offloading hardware.

My preference is two network cards in the application server. The connection between it and the database server goes over a different network than client traffic.

If a separate network is not possible then my preference is TLS combined with configuring the firewall on the database server to only allow incoming connections from a small number of computers - the application server (obviously), administrative workstations, operations management servers, etc.
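The two pieces that MySQL itself can enforce here, the host-restricted account from the question and the TLS requirement from the answer, fit together in a few statements. The following is an added example and is not part of the original question or answer. It assumes MySQL 5.7.8 or later (SET PERSIST needs 8.0), the private addresses quoted in the question (10.128.2.9 for the app server), that the server already has ssl_ca, ssl_cert and ssl_key set in my.cnf, and a placeholder password that must be replaced.

```sql
-- Added example, not from the original post. Assumptions: MySQL 5.7.8+/8.0,
-- app server = 10.128.2.9 (from the question), TLS certificates already
-- configured on the server, and a placeholder password.

-- 1. Account-level: the existing application account may only authenticate
--    over an encrypted connection. For a brand-new account the same clause
--    goes on CREATE USER ... IDENTIFIED BY '...' REQUIRE SSL.
ALTER USER 'db_user'@'10.128.2.9' REQUIRE SSL;

-- Privileges stay scoped to the application's own schema; the host part of
-- the account name is what limits where the login can come from.
GRANT ALL PRIVILEGES ON `app_db`.* TO 'db_user'@'10.128.2.9';

-- 2. Server-level: refuse every cleartext TCP connection, regardless of
--    account. (On 5.7 use SET GLOBAL and also put the option in my.cnf,
--    since SET PERSIST is MySQL 8.0 only.)
SET PERSIST require_secure_transport = ON;

-- 3. Verification queries.
--    ssl_type = 'ANY' confirms REQUIRE SSL took effect for the account.
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'db_user';

--    Only localhost rows should come back for root (mysql_secure_installation).
SELECT user, host FROM mysql.user WHERE user = 'root';

SHOW GRANTS FOR 'db_user'@'10.128.2.9';
SHOW GLOBAL VARIABLES LIKE 'require_secure_transport';
SHOW GLOBAL VARIABLES LIKE 'bind_address';

-- 4. Run this from a session opened on the app server: a non-empty cipher
--    name means the link really is encrypted; an empty value means cleartext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

The firewall half of the answer lives outside MySQL: the host firewall on the database server should admit port 3306 only from the application server and the few administrative hosts, so the account's host restriction and the TLS requirement are the second and third layer rather than the only ones.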

Context

StackExchange Database Administrators Q#49716, answer score: 4
