Splitting up app (php) and database (mysql) server; best practices and guidelines?

djvdorp Member
edited April 2015 in Help

Hi all,

I am currently researching the different options available for splitting up the app (PHP) and database (MySQL) servers away from one single server. Installing the servers and software is not the issue, but my main concern is the communication between the two. How can one ensure that this is done securely?

The easiest way would be to just enable remote MySQL access for the app server's IP, but that is probably not that secure. I also read about setting up SSH tunnels between the boxes, but that sounds pretty iffy too. I know, for example, that @Francisco offers shared remote MySQL; how is this done, and can somebody please help and advise me?

Thanks for your time all!
Daniel

Comments

  • You could build a secure tunnel/VPN between the systems and then use private IPs over the tunnel. That way you would communicate from the app to the SQL server using private IPs.

    Make sure that the SQL server does not bind to the public IP address on the SQL server too.

  • BharatB Member, Patron Provider

    I'll suggest you use a REST API on the DB server on a secure web server port and perform requests from your other server using POST/GET (depends on the data being retrieved). Binding a MySQL server or any DB to a public IP is suicide.

  • vfuse Member, Host Rep

    There's only one option: use a secure VPN connection. Communication between the client and server with MySQL is unencrypted.

  • NickM Member

    You don't necessarily need to use a VPN for remote MySQL connections - MySQL supports TLS completely.

  • deadbeef Member
    edited April 2015

    Easy peazy - enable mysql listening to remote connections and use a firewall to drop all connections except the ones from the php server.

  • Nomad Member

    Or you can go get a server from a datacenter that provides private networking.

  • CloudxtnyHost Member, Host Rep

    Easiest would be to use an SSH tunnel/VPN, but there are always SSL connections; it is a little tricky though, and you will have to build a MySQL library and server that support SSL. Also, all connections will need to force SSL, as it is not enabled by default, so it may not be ideal for shared-hosting-type usage.

  • Nomad said: provides private networking

    Except some are not that private! Some still have the issue that they trust incoming VLAN tags from the 'private' port so you can jump to other people's vlans.

    Thanked by 1 deadbeef
  • Nomad Member

    @MarkTurner said:

    OK, TBH, I don't have much experience with that kinda private networks so I can't even argue. It is an option though.
    Well, a VPN is the best way here if you want security. But in case the VPN restarts or disconnects, there might be slight latencies/errors in such a case.

  • @httpzoom said:
    Easiest would be to use an SSH tunnel/VPN, but there are always SSL connections; it is a little tricky though, and you will have to build a MySQL library and server that support SSL. Also, all connections will need to force SSL, as it is not enabled by default, so it may not be ideal for shared-hosting-type usage.

    Imho, this is a very bad approach because you're using your application layer to solve a network layer issue.

  • joepie91 Member, Patron Provider

    NickM said: You don't necessarily need to use a VPN for remote MySQL connections - MySQL supports TLS completely.

    Well...

  • Why not use a host with private networking?

  • @aldothetroll said:
    Why not use a host with private networking?

    Host is already decided and currently runs both mysql and php on the same box, but imma try to find out if it supports private networking!

  • Zappie Member, Host Rep, LIR

    Like others said, it should be too bad to set up a VPN/tunnel to have the app server and the DB server communicate on private IP addresses between each other.

    Another (probably lazier but quicker) way is to simply have iptables rules that only allow incoming communication from the app server to your DB server.

    Thanked by 1 CloudxtnyHost
  • Thanks for all the input so far. I couldn't find lots of credible tutorials on this matter.
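
The checks suggested across this thread (no public bind address, TLS forced on every connection, accounts restricted to the app server) can be audited mechanically. The sketch below is an added example, not code from any poster; the sample config, the 10.8.0.x addresses and the `app` account are constructed, and `require_secure_transport` assumes MySQL 5.7.8 or later.

```python
import configparser
import ipaddress
import re

# Constructed samples (not from the thread): an "open it up" setup and a hardened one.
WEAK_CNF = "[mysqld]\nbind-address = 0.0.0.0\n"
HARD_CNF = "[mysqld]\nbind-address = 10.8.0.2\nrequire_secure_transport = ON\n"
WEAK_SQL = "CREATE USER 'app'@'%' IDENTIFIED BY 'x';"
HARD_SQL = "CREATE USER 'app'@'10.8.0.1' IDENTIFIED BY 'x' REQUIRE SSL;"

def audit_config(cnf_text):
    """Return findings for the [mysqld] section of a my.cnf."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(cnf_text)
    opts = {}
    if cp.has_section("mysqld"):
        # MySQL treats '-' and '_' in option names as equivalent.
        opts = {k.replace("-", "_"): (v or "").strip()
                for k, v in cp.items("mysqld")}
    findings = []
    bind = opts.get("bind_address") or "*"  # assumption: unset means all interfaces
    try:
        addr = ipaddress.ip_address(bind)
        # ipaddress reports 0.0.0.0 and :: as "private", so test unspecified first.
        public = addr.is_unspecified or not (addr.is_private or addr.is_loopback)
    except ValueError:
        public = True  # '*' or a hostname: cannot be shown to be private
    if public:
        findings.append(f"bind-address {bind} is not a private or loopback address")
    if opts.get("require_secure_transport", "").upper() not in ("ON", "1", "TRUE"):
        findings.append("require_secure_transport is not ON; non-TLS logins accepted")
    return findings

ACCOUNT = re.compile(r"CREATE\s+USER\s+'([^']+)'@'([^']+)'([^;]*);", re.I)

def audit_accounts(sql_text):
    """Return findings for CREATE USER statements: wildcard hosts, no TLS clause."""
    findings = []
    for user, host, rest in ACCOUNT.findall(sql_text):
        if "%" in host or "_" in host:
            findings.append(f"{user}@{host}: host pattern contains a wildcard")
        if not re.search(r"REQUIRE\s+(SSL|X509|SUBJECT|ISSUER|CIPHER)", rest, re.I):
            findings.append(f"{user}@{host}: account does not require TLS")
    return findings

if __name__ == "__main__":
    for finding in audit_config(WEAK_CNF) + audit_accounts(WEAK_SQL):
        print("FINDING:", finding)
```

A firewall rule limiting port 3306 to the app server's address, as suggested above, still belongs in front of this; the script only covers what MySQL itself is configured to accept.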
