pessoal2004 (Posted November 20, 2021)
I have the httpd and mariadb-server on the same server. I want to split, httpd on one server and mariadb-server on another server, and the connection must be encrypted. How to tell the Thirtybees to use the mariadb-client SSL to connect to the other mariadb-server server? Any help will be appreciated.

lesley (Posted November 22, 2021)
It's always going to be slow and you are going to always get latency doing what you are wanting to do. But the easiest way to do it would be to bind mariadb to port 443 on the database server, block all IPs from accessing port 443 except your main machine. But like I said, it will be slow because of the SSL negotiation.

lesley (Posted November 21, 2021)
How you are wanting to do it is the wrong way to do it. I am assuming you have two different machines or instances in a data center. What you need to do is, on the database instance, close off any external networking, and have it only accessible by the local network. That way, no one outside your network ever reaches your machine. While it can be done in the way you want, it is not advisable and would be pretty complex. Your database out of the box is going to use port 3306, but your SSL certificate is going to bind to port 443. So you will need to bind the SSL to port 3306, then on your front facing machine, you will have to set up port 443 to also expect that 3306 on the database machine is using SSL. If you are using DigitalOcean or similar, look into private networking, it is made for this and is 100 times more secure. Only machines that have a physical wire can connect to your database.

nickz (Posted November 21, 2021)
On 11/20/2021 at 3:44 PM, pessoal2004 said:
> I want to split, httpd on one server and mariadb-server on another server, and the connection must be encrypted.
Do you mind telling us why you want to do that?

pessoal2004 (Author, Posted November 22, 2021)
Thank you very much for your answers. We don't want private networks like DigitalOcean or similar, because we want to put our data in separate data centers. We already tried Stunnel. On Stunnel we only need to give the TB the IP 127.0.0.1:3306, and make all configurations (IP, port and SSL) on Stunnel. It works but is too slow. Now we are looking for a better solution. We also made an SSL tunnel between server #1 and server #2 with MariaDB_client.
Server #1 with:
- Httpd
- MariaDB_client:3306 with SSL
Server #2 with:
- MariaDB_server:3306 with SSL
Right now, the TB on server #1 goes directly to MariaDB_Server on server #2. And manually we can go from MariaDB_client on server #1 to MariaDB_server on server #2 using the following command:
mysql -u tb -h XXX.XXX.XXX.XXX --port=3306 -p databasetest
The goal is to tell TB to go to MariaDB_client on server #1 and then to go to MariaDB_server on server #2. Our question is, how to tell TB to use the MariaDB_client? Any help will be appreciated.

datakick (Posted November 22, 2021)
I don't understand at all. What is MariaDB_client on server #1? Do you have two instances of mariadb servers installed in master->slave mode? Or are you talking about mysql/mariadb client program?

pessoal2004 (Author, Posted November 23, 2021)
On 11/22/2021 at 1:56 PM, datakick said:
> I don't understand at all. What is MariaDB_client on server #1? Do you have two instances of mariadb servers installed in master->slave mode? Or are you talking about mysql/mariadb client program?
"Or are you talking about mysql/mariadb client program?" Yes.

pessoal2004 (Author, Posted November 23, 2021)
On 11/22/2021 at 2:13 PM, lesley said:
> It's always going to be slow and you are going to always get latency doing what you are wanting to do. But the easiest way to do it would be to bind mariadb to port 443 on the database server, block all IPs from accessing port 443 except your main machine. But like I said, it will be slow because of the SSL negotiation.
"it will be slow because of the SSL negotiation" Unfortunately it's true, and we can't find a way around this.

nickz (Posted November 23, 2021)
4 hours ago, pessoal2004 said:
> "it will be slow because of the SSL negotiation" Unfortunately it's true, and we can't find a way around this.
Rent 2 servers from the same datacenter, one next to each other.

datakick (Posted November 24, 2021)
12 hours ago, pessoal2004 said:
> "Or are you talking about mysql/mariadb client program?" Yes.
Well, then what you are asking for is not possible. Thirty bees establishes a connection with the mysql server directly, it does not use any third party program to communicate through.

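What the answer above means in practice, as an added example that is not part of the thread and is not thirty bees code: a PHP application talks to MariaDB through its own driver, so TLS is requested with driver options, not through the mysql client program. This generic PDO code assumes a placeholder host name, CA file path and password variable, and the thread does not say whether thirty bees exposes such options.

```php
<?php
// Added example: generic PDO, not thirty bees code.
// Host, CA path and the DB_PASSWORD variable are placeholders (assumptions).

function connectWithTls(string $host, string $db, string $user, string $pass, string $caFile): PDO
{
    $dsn = "mysql:host={$host};port=3306;dbname={$db};charset=utf8mb4";
    $pdo = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // CA that signed the MariaDB server certificate; supplying it enables TLS
        // for this connection.
        PDO::MYSQL_ATTR_SSL_CA => $caFile,
        // Validate the server certificate instead of accepting any certificate.
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true,
    ]);

    // Ask the server what this session negotiated.
    // An empty Ssl_cipher value means the session is plaintext.
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['Value'] === '') {
        throw new RuntimeException('Connection to MariaDB is not encrypted');
    }
    return $pdo;
}

try {
    // 'tb' and 'databasetest' are the user and database from the mysql command
    // quoted in the thread; everything else is a placeholder.
    $pdo = connectWithTls(
        'db.example.internal',
        'databasetest',
        'tb',
        getenv('DB_PASSWORD') ?: '',
        '/etc/ssl/certs/db-ca.pem'
    );
    $tls = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_version'")->fetch(PDO::FETCH_ASSOC);
    echo "Encrypted session, protocol: {$tls['Value']}\n";
} catch (Exception $e) {
    // Covers connection failures, certificate validation failures and the
    // plaintext check above.
    fwrite(STDERR, 'Database connection refused: ' . $e->getMessage() . "\n");
    exit(1);
}
```

On the MariaDB side, creating the account with `REQUIRE SSL` makes the server refuse a plaintext login for that user, so a misconfigured client fails instead of silently falling back.
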
pessoal2004 (Author, Posted November 24, 2021)
OK, we will drop this configuration. Thanks for your help.