I have a MySQL server installed on an Nginx server on Debian 8.

The production page on the server, say example.com has SSL installed in it.

This MySQL server will be used along with PHP to set and retrieve data.

Now I am confused whether to add SSL for the connection between client and MySQL server? What is the best practice?

Ajay Singh
    Since both http and mysql server are on the same system there is no network communication to be protected. Ideally you use a file system based socket anyway. – arkascha May 02 '17 at 15:42
  • Client > Nginx/PHP (HTTP server) > MySQL ... the Client never talks directly to MySQL ... or am I misunderstanding the question? – CD001 May 02 '17 at 15:45
  • Since I had previously used a managed server, forgive my lack of knowledge on the server terminology. I have an ssl encrypted nginx server, say 'example.com', which has a file in it, say 'example.com/connect.php', which will connect to the mysql server installed on the same nginx server and run queries. Do I need ssl for mysql_server? – Ajay Singh May 02 '17 at 16:23

3 Answers

If the traffic runs through app to MySQL locally, your traffic is secure (as long as your linux server is secure).

You don't need ssl for MySQL to app if the app only accesses MySQL locally.

You need ssl if anyone will be accessing MySQL remotely or if your app server is remote.

  • Thanks for the comment. Regarding 'linux server being secure', I am not sure. Please refer to my other question > http://stackoverflow.com/questions/43741824/best-practice-to-handle-default-server-and-ip-forwarding-in-nginx where the public ip address opens a default host page and has no ssl in it. Another page in the same server which points to this ip address has ssl in it. I am interested in using this page for mysql connections. Since mysql_server is running on the same server, which has one page with ssl and a default page without ssl. What are the implications? – Ajay Singh May 02 '17 at 17:49
You will need to worry about those two things the most.

Transport Security. Does MySQL traffic ever leave your local network? If so, is it encrypted during transmission? If you are doing everything locally, then you have nothing to worry about. If your database connection goes across internet, make sure to use SSL.

System Security. Is your MySQL server accessible from internet? Does it need to be? If not, just add rule into iptables to block all incoming traffic to 3306 that's not from localhost. Also make sure that you are using strong SSH passwords and implement fail2ban, or allow key based authentication only.

Dimi
  • Regarding 'transport', it will not leave the local network and I have ssl encrypted the server names, say 'example.com' and 'www.example.com', but unsure about the ip address. Please refer to my other question on stack http://stackoverflow.com/questions/43741824/best-practice-to-handle-default-server-and-ip-forwarding-in-nginx and regarding 'system', it is accessible only from the php file on the server. And I am using ufw to block all traffic and allow only ssl ports. Is it enough or should I go for fail2ban? – Ajay Singh May 02 '17 at 16:17
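An added example (not code from the question or from either answer above) showing the two connection paths the answers describe: a local Unix-socket connection, where TLS adds nothing because the traffic never leaves the host, and a remote TCP connection, where TLS with CA verification is required. The socket path, CA file path, host name and credentials are assumptions.

```php
<?php
// Added example. Two ways PHP (mysqli) can reach MySQL, matching the advice
// in the answers: local = Unix socket, remote = TLS with server-cert check.
// All paths, hosts and credentials below are assumed placeholders.

function connect_local(string $user, string $pass, string $db): mysqli
{
    // "localhost" makes mysqli use the Unix socket rather than TCP, so the
    // connection never touches a network interface; nothing to encrypt.
    $socket = '/var/run/mysqld/mysqld.sock';   // assumed Debian default socket
    $m = mysqli_init();
    if (!$m->real_connect('localhost', $user, $pass, $db, null, $socket)) {
        throw new RuntimeException('local connect failed: ' . mysqli_connect_error());
    }
    return $m;
}

function connect_remote_tls(string $host, string $user, string $pass, string $db): mysqli
{
    $ca = '/etc/mysql/ssl/ca.pem';   // assumed CA that signed the server certificate
    $m = mysqli_init();
    // key and cert left null: server-authenticated TLS only. Supply a client
    // key/cert here if the server is configured to require client certificates.
    $m->ssl_set(null, null, $ca, null, null);
    // MYSQLI_CLIENT_SSL insists on TLS; because the DONT_VERIFY flag is not set,
    // the server certificate is validated against $ca, so a host on the path
    // cannot substitute its own certificate unnoticed.
    if (!$m->real_connect($host, $user, $pass, $db, 3306, null, MYSQLI_CLIENT_SSL)) {
        throw new RuntimeException('TLS connect failed: ' . mysqli_connect_error());
    }
    // Confirm the session really negotiated a cipher before trusting it.
    $row = $m->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    if (empty($row['Value'])) {
        throw new RuntimeException('connection is not encrypted');
    }
    return $m;
}
```

For the setup in the question (PHP and MySQL on the same Debian host) only `connect_local` is needed; `connect_remote_tls` is the case the second answer describes, where the database connection crosses a network.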
SSL is good to help protect your clients. Sniffing packets may be thwarted by SSL. For example, if someone does a credit transaction, the credit card data would not be in plain view as the data moved between the client and the server. However, SSL is not a way to protect your SQL resources, which is the backend between the web server and SQL database server. You need to run "mysql_secure_installation" for a mysql database, and design your PHP code to prevent SQL injection issues, for example. So, yes, SSL is very important to protect your clients, but other design factors are needed to protect your backend server assets.

Patrick
  • I have already done 'mysql_secure_installation'. I had seen in some online resources about adding ssl to mysql server > http://xmodulo.com/enable-ssl-mysql-server-client.html and mysql page also had mentioned about securing connection > https://dev.mysql.com/doc/refman/5.7/en/secure-connections.html and also mentioned in cipherli.st. Got me confused there. – Ajay Singh May 02 '17 at 17:43
  • Yes, I see what you're saying. If your users are in an intranet...like a corporate business, then maybe SSL could help, for example. But in an internet setup, your web server should be the only way your clients can connect to you. If they can access your MySQL database, then you need to rework your firewall. Generally, in an intranet, you won't need to use SSL. However, if some hacker did install a packet sniffer, then they could get more stuff. If they can do that, then that's already pretty bad. – Patrick May 02 '17 at 17:51
  • As you say, "web server should be the only way your clients can connect to you". I am not well versed with the terminology. If I got a public ip x.x.x.x from vps and when I installed nginx, it forwards to a default welcome page. And I create a new site on the same server, say example.com with ssl on it. When I load https://example.com it loads a page with green address bar. And when I load https://x.x.x.x it loads the same page without green address bar. So if I have a php script running mysql queries on example.com, will it be accessible from https://x.x.x.x? – Ajay Singh May 02 '17 at 18:06
  • Please refer my other question too. Thanks for the help. http://stackoverflow.com/questions/43741824/best-practice-to-handle-default-server-and-ip-forwarding-in-nginx – Ajay Singh May 02 '17 at 18:06