Accessing n tier database with Navicat

开发者 https://www.devze.com 2023-03-07 23:13 Source: Internet
We just made our web system more secure by converting a single web server/database server into a 2 tier system with the webserver in front of the database server. The webserver has 2 NICs, one for the outside world and one for an internal network. The database server has one NIC for the inside network.

In the old days, I could use Navicat's SSH feature to connect to the single webserver/database server. Now the database server is hidden.

Using the command line I can ssh to webserver and then ssh into database server. But I miss my graphical tools. Is there any way to get Navicat to connect to the database server? Is there something I can set up on the webserver that will proxy to the database?


Short answer: You shouldn't connect to the database server through the web server. Yes, there are ways you could set this up, but I wouldn't recommend it if your goal is increased security.

There ought to be a way for you to VPN in to the internal network, and then ssh to both hosts from there. The security benefit is largely in reducing the attack surface on your externally accessible machines, so you'd be better off turning off ssh entirely on the external interface, then VPN-ing in to the internal network (which I hope is firewalled to only allow database traffic between the two servers, not that the web server has a NIC that's on your internal network!) Once you're on the internal network you can have Navicat connect directly to the server, without the need for ssh tunneling. (Obviously you'd need to set the firewall policies on your VPN tunnel correctly to allow this.)

If this setup is not possible, such as if you're using a low-end shared webhost, see these instructions to set up an HTTP Tunneling connection through the webhost. I really would recommend using the VPN solution if you can, but if you can't, HTTP Tunneling is the most secure way to support connecting directly through the web server to the db server.
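The firewall policy the answer above describes, written out as an added example that is not part of the original answer: the database server accepts the database port only from the web server's internal address and from VPN clients, and SSH is never accepted on the web server's external interface. The addresses, the VPN subnet, the interface name `eth0` and port 3306 (MySQL's default) are assumptions, as is a VPN gateway that hands clients addresses from that subnet.

```shell
#!/bin/sh
# Added example: prints iptables rules for review. All addresses, the
# interface name and the port are constructed values, not from the page.

# Accept only digits, dots and a slash (IPv4 address or CIDR) so the
# generated text can be piped to a shell without injection risk.
valid_net() { case "$1" in ''|*[!0-9./]*) return 1 ;; esac; }
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_if() { case "$1" in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac; }

# db_server_rules WEB_INTERNAL_IP VPN_SUBNET DB_PORT
# Inbound policy for the database server: DB port from the web server and
# VPN clients, SSH from VPN clients only, everything else dropped.
db_server_rules() {
  valid_net "$1" && valid_net "$2" && valid_port "$3" || return 1
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $1 --dport $3 -j ACCEPT
iptables -A INPUT -p tcp -s $2 --dport $3 -j ACCEPT
iptables -A INPUT -p tcp -s $2 --dport 22 -j ACCEPT
iptables -P INPUT DROP
EOF
}

# web_server_rules EXTERNAL_IF VPN_SUBNET
# Inbound policy for the web server: HTTP/HTTPS on the external NIC, SSH
# only from VPN clients and never via the external NIC, no routing
# between the two NICs.
web_server_rules() {
  valid_if "$1" && valid_net "$2" || return 1
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $1 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT ! -i $1 -p tcp -s $2 --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Usage: "sh rules.sh db" or "sh rules.sh web" prints the rules.
case "${1:-}" in
  db)  db_server_rules 10.0.0.10 10.8.0.0/24 3306 ;;
  web) web_server_rules eth0 10.8.0.0/24 ;;
esac
```

The default-drop policy is emitted last so that an existing SSH session is already covered by the ESTABLISHED rule when it takes effect.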
