thirty bees forum

How Thirtybees can use mariadb-client SSL


pessoal2004

Question

I have the httpd and mariadb-server on the same server.

I want to split, httpd on one server and mariadb-server on another server, and the connection must be encrypted.

How to tell the Thirtybees to use the mariadb-client SSL to connect to the other mariadb-server server?

Any help will be appreciated.


10 answers to this question


It's always going to be slow, and you are always going to get latency doing what you want to do. But the easiest way to do it would be to bind mariadb to port 443 on the database server and block all IPs from accessing port 443 except your main machine. But like I said, it will be slow because of the ssl negotiation.

  • Like 1

How you are wanting to do it is the wrong way to do it. I am assuming you have two different machines or instances in a data center. What you need to do, is on the database instance close off any external networking, and have it only accessible by the local network. That way, no one outside your network ever reaches your machine.

While it can be done in the way you want, it is not advisable and would be pretty complex. Your database out of the box is going to use port 3306, but your ssl certificate is going to bind to port 443. So you will need to bind the ssl to port 3306, then on your front facing machine, you will have to set up port 443 to also expect that 3306 on the database machine is using ssl. 

If you are using DigitalOcean or similar, look into private networking; it is made for this and is 100 times more secure. Only machines that have a physical wire can connect to your database.

Thank you very much for your answers.

We don't want private networks like DigitalOcean or similar, because we want to put our data in separate data centers.

We already tried Stunnel.
On Stunnel we only need to give TB the IP 127.0.0.1:3306 and make all configurations (IP, port and SSL) on Stunnel; it works but is too slow.

Now we are looking for a better solution.

We also made an SSL tunnel between server #1 and server #2 with MariaDB_client

Server #1 with:
-Httpd
-MariaDB_client:3306 with SSL

Server #2 with:
-MariaDB_server:3306 with SSL

Right now, TB on server #1 goes directly to MariaDB_Server on server #2.

And manually we can go from MariaDB_client on server #1 to MariaDB_server on server #2 using the following command:

mysql -u tb -h XXX.XXX.XXX.XXX --port=3306 -p databasetest

The goal is to tell TB to go to MariaDB_client on server #1 and then to go to MariaDB_server on server #2.

Our question is, how to tell TB to use the MariaDB_client?

Any help will be appreciated. 
 

On 11/22/2021 at 1:56 PM, datakick said:

I don't understand at all. What is MariaDB_client on server #1? Do you have two instances of mariadb servers installed in master->slave mode? Or are you talking about mysql/mariadb client program?

"Or are you talking about mysql/mariadb client program?" Yes.

On 11/22/2021 at 2:13 PM, lesley said:

It's always going to be slow, and you are always going to get latency doing what you want to do. But the easiest way to do it would be to bind mariadb to port 443 on the database server and block all IPs from accessing port 443 except your main machine. But like I said, it will be slow because of the ssl negotiation.

"it will be slow because of the ssl negotiation" Unfortunately it's true, and we can't find a way around this.

12 hours ago, pessoal2004 said:

"Or are you talking about mysql/mariadb client program?" Yes.

Well, then what you are asking for is not possible. Thirty bees establishes a connection with the mysql server directly; it does not use any third-party program to communicate through.

  • Like 2
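
An added example, not part of the thread and not thirty bees code: since the application opens the database connection itself, the connection is encrypted either by a tunnel such as the Stunnel setup described above or by the PHP database driver. The sketch below uses plain PDO to request TLS to a MariaDB server, verify the server certificate, and confirm the session is actually encrypted. The host name, CA path and DB_PASSWORD environment variable are placeholders, and the thread does not say whether thirty bees exposes these driver options in its own configuration.

```php
<?php
declare(strict_types=1);

// Placeholders (assumptions for this example, not values from the thread,
// except the user and database names taken from the mysql command above).
const DB_HOST = 'db.example.internal';
const DB_NAME = 'databasetest';
const DB_USER = 'tb';
const CA_FILE = '/etc/ssl/certs/db-ca.pem'; // CA that signed the server certificate

/**
 * Open a PDO connection that negotiates TLS and verifies the server
 * certificate against CA_FILE. Throws PDOException on failure.
 */
function connectWithTls(string $password): PDO
{
    $dsn = sprintf('mysql:host=%s;port=3306;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME);

    return new PDO($dsn, DB_USER, $password, [
        PDO::ATTR_ERRMODE                       => PDO::ERRMODE_EXCEPTION,
        PDO::MYSQL_ATTR_SSL_CA                  => CA_FILE,
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT  => true,
    ]);
}

/**
 * Return the TLS cipher of the current session as reported by the server.
 * MariaDB reports an empty Ssl_cipher value for unencrypted sessions.
 */
function sessionCipher(PDO $pdo): string
{
    $row = $pdo->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_NUM);

    return $row === false ? '' : (string) $row[1];
}

$pdo    = connectWithTls(getenv('DB_PASSWORD') ?: '');
$cipher = sessionCipher($pdo);

if ($cipher === '') {
    // Fail closed: do not send queries over a plaintext session.
    fwrite(STDERR, "Session is NOT encrypted; refusing to continue.\n");
    exit(1);
}

echo "Encrypted session, cipher: {$cipher}\n";
```

On the server side, MariaDB's `REQUIRE SSL` account option rejects unencrypted logins for that user, so a client that silently falls back to plaintext fails instead of connecting.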