Firewall between application and DB server

Developer https://www.devze.com 2023-02-13 02:03 Source: Internet

We are planning to launch our application in production. The application has numerous modules – PHP code on Apache, Tomcat Java applications, C++ code applications. All these modules need to connect to a MySQL database.

We would like to separate the application and the database into two separate security layers by putting a firewall in between. This is to completely isolate the DB servers from any irrelevant access, to protect sensitive data. The firewall will only allow connections from the servers running the application to the DB servers on the MySQL port.

Usually, firewalls will drop connections if they are idle long enough. This can badly affect connectivity between the applications and the database. The connection failure needs to be detected and re-initiated by the application, and this logic is not implemented everywhere.

Question:

1. If making the application more tolerant to the lost-connectivity scenario is not an option, what is the best way to resolve the problem? Can the firewall be set in a way which will not cause this behavior? Not expiring the connections at all will fill the connection table and crash the firewall. Setting the expiration time to higher values can also risk filling up the connection table at peak times, and it is not always clear which time interval is long enough…

2. Will such a security layering schema bring any real security benefits in the first place?

Thank you in advance.

Julio.


> The firewall will only allow connections from the servers running the application to the DB servers on MySQL port

I think this is the safest way to protect something. Of course, also have a username and password, for accidental database errors by developers.

In Tomcat, you can add something like this to your context.xml:

    <!-- Tomcat pool: testOnBorrow runs validationQuery before handing out a connection,
         so one the firewall has dropped is discarded instead of reaching the application -->
    <Resource name="name"
        auth="Container" driverClassName="com.mysql.jdbc.Driver"
        logAbandoned="true" maxActive="100" maxIdle="30" maxWait="10000"
        type="javax.sql.DataSource"
        removeAbandoned="true" removeAbandonedTimeout="60"
        username="user" password="password"
        url="jdbc:mysql://localhost:3306/dbname"
        testOnBorrow="true" validationQuery="SELECT 1"
    />

The testOnBorrow and validationQuery settings will ensure that the connection is live before the application uses it.


Try using a connection pool that does a heartbeat call to the database; this will keep your connections active. In addition, the connection pool will try to re-establish a connection to the database if any of the existing connections die.
