
Consider the below network configuration:

[image: network diagram]

A client connects with its workstation to the application server on the Web. The application is full HTML, so only browsing through HTTPS is enough to launch an application.

On the other hand, the application server will need to access the MySQL DB on the LAN.

So the question is the following:

How can I connect the remote application server to the local MySQL DB, using for instance a bounce on the client workstation (where I can install any client)?

PS: I can't change FW rules but I have full credentials to the application server and to the client workstation.

Dom
  • A webapp with a client-side DB? This is madness! More seriously: ServerFault is a better fit for your question, you should move it there (more people with the skills to answer). – Alex Jan 21 '14 at 13:00

1 Answer


It is unlikely that any port is forwarded to your client station, so even using the ugliest hacks, it is probably impossible to proceed with this approach.

Besides, allowing remote access to your database is a security risk, and bypasses your sysadmin's security policy. I wouldn't really appreciate it if I were her ;)

Alternatively, I would create a mechanism that allows the application server to "request" data from the client. The client still initiates connections to the AP and to MySQL, it essentially acts as a proxy:



Client         App Server         MySQL
  |                |                |
  | requests URL   |                |
  |--------------->|                |
  |                |                |
  |  requests Data |                |
  |<---------------|                |
  |                |                |
  |                |                |
  |  queries MySQL                  |
  |-------------------------------->|
  |                |                |
  |                    returns Data |
  |<--------------------------------|
  |                |                |
  |                |                |
  | pushes Data    |                |
  |--------------->|                |
  |                |                |
  |   returns HTML |                |
  |<---------------|                |



RandomSeed
  • Yeah, this really, *really* is unusual an architecture :o) – RandomSeed Jan 21 '14 at 13:10
  • I agree this is unusual. The reason is that the App Server is used as a service and is not owned by the client besides the Firewall. – Dom Jan 21 '14 at 15:52
  • Your schema is something we'd like to achieve, but avoiding using a thick client. So we'd like to know if a kind of "bounce" technology, like some iptables redirections on client workstation, could suffice. – Dom Jan 21 '14 at 15:58
  • Maybe the best way to achieve that is reverse SSH tunneling: http://www.howtoforge.com/reverse-ssh-tunneling – Dom Jan 21 '14 at 17:57
  • I didn't know about this technique, but it seems to be a very possible option. The question remains whether this is good practice. This could be a serious security hole, and I would definitely discuss these options with the LAN admin. – RandomSeed Jan 22 '14 at 22:26
  • Oh questions about reverse SSH do belong to ServerFault, if you want we can migrate your question over there, just let us know. – RandomSeed Jan 22 '14 at 22:27
  • Thanks for your answer. Yes, I am interested if you can migrate this topic to ServerFault (I have signed in on it also). – Dom Jan 26 '14 at 17:47
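The exchange in the answer's diagram, as an added example that is not code from the question, the answer or any project discussed here. The point it makes is the one the answer and the last comments circle around: once the client workstation proxies for the LAN database, the application server effectively holds whatever access the proxy grants, so the proxy should accept only pre-registered, parameterized query ids, never raw SQL. The app server and MySQL are simulated in-process (a stub object and an in-memory sqlite3 database standing in for MySQL) so the example runs offline; the names ALLOWED_QUERIES, AppServerStub, handle_request and run_proxy are hypothetical.

```python
"""Client-side data proxy for the client -> app server -> MySQL flow.

Added example: the client polls the app server for work, runs only
allow-listed queries against the local database, and pushes the rows
back. Nothing here opens a connection from the app server into the LAN.
"""
import sqlite3

# Hypothetical allow-list (not from the page): the app server names a query
# id and supplies parameters; it never sends SQL text. Each entry is
# (parameterized SQL, expected parameter count).
ALLOWED_QUERIES = {
    "customer_by_id": ("SELECT id, name FROM customers WHERE id = ? ORDER BY id", 1),
    "orders_for_customer": ("SELECT id, total FROM orders WHERE customer_id = ? ORDER BY id", 1),
}


class AppServerStub:
    """Stands in for the remote application server (constructed, not real)."""

    def __init__(self, pending):
        self.pending = list(pending)  # requests the server wants the client to run
        self.received = []            # data the client pushed back

    def next_request(self):
        """Return the next pending request, or None when there is no work."""
        return self.pending.pop(0) if self.pending else None

    def push_data(self, request_id, payload):
        """Accept the result the client pushes for one request."""
        self.received.append((request_id, payload))


def make_local_db():
    """Constructed sample data, sqlite3 standing in for the LAN MySQL instance."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT);
        CREATE TABLE orders (id INTEGER, customer_id INTEGER, total REAL);
        INSERT INTO customers VALUES (1, 'Alice'), (2, 'Bob');
        INSERT INTO orders VALUES (10, 1, 19.5), (11, 1, 5.0), (12, 2, 7.25);
    """)
    return conn


def handle_request(conn, request):
    """Validate one server request against the allow-list and run it locally."""
    query_id = request.get("query")
    params = request.get("params", [])
    if query_id not in ALLOWED_QUERIES:
        # Unknown ids are rejected, so raw SQL from the server never executes.
        return {"ok": False, "error": f"query '{query_id}' not allowed"}
    sql, arity = ALLOWED_QUERIES[query_id]
    if len(params) != arity:
        return {"ok": False, "error": "wrong parameter count"}
    rows = conn.execute(sql, params).fetchall()
    return {"ok": True, "rows": rows}


def run_proxy(server, conn, max_iterations=100):
    """Client loop: poll the app server, answer each request, push the result.

    Returns the number of requests handled.
    """
    handled = 0
    for _ in range(max_iterations):
        request = server.next_request()
        if request is None:
            break
        result = handle_request(conn, request)
        server.push_data(request["id"], result)
        handled += 1
    return handled


def demo():
    """Run the proxy over constructed requests and return what the server got."""
    server = AppServerStub([
        {"id": 1, "query": "customer_by_id", "params": [1]},
        {"id": 2, "query": "orders_for_customer", "params": [1]},
        # Constructed misuse: the server tries to send SQL text instead of an id.
        {"id": 3, "query": "DROP TABLE customers", "params": []},
    ])
    conn = make_local_db()
    run_proxy(server, conn)
    return server.received


if __name__ == "__main__":
    for request_id, result in demo():
        print(request_id, result)
```

The allow-list is the security boundary of this design: with it, the application server can obtain only the named result sets, and a LAN admin reviewing the setup can read the exact queries the proxy will ever run. Without it, the "client as proxy" pattern and the reverse SSH tunnel mentioned in the comments amount to the same thing, full database access from outside the firewall.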