开发者

Active Record (Rails) MySQL Secure Connection

开发者 https://www.devze.com 2023-01-27 07:07 出处:网络
Now, I haven\'t been able to find any good resources on this subject so I\'ll ask my question here and see if anyone has any suggestions/recommendations.

Now, I haven't been able to find any good resources on this subject so I'll ask my question here and see if anyone has any suggestions/recommendations.

I will be deploying a Ruby on Rails application soon (Active Record ORM), and my database (MySQL or PostgreSQL) will be located at an external location (outside of 127.0.0.1 range).

I am able to connect to the external MySQL database, simply by unbinding the address in the /etc/mysql/my.conf and adding a user that takes connections from external locations. However, since the data is being transferred from my application server to my MySQL server, how (in)secure is this?

Do I need to do some form of encryption? Does Active Record do anything in the background to protect data from being hijacked (or whatever you call it) during the transfer? Or is my data secure enough by default with MySQL and/or PostgreSQL whe开发者_开发问答n working with databases at external locations?

So in short: Is there anything (extra) I should be doing when my MySQL or PostgreSQL database is located at an external location, rather than when it's in localhost range?

Any suggestions, pointers, recommendations and resources would be much appreciated!

Thanks!


It strongly depends on how the application server and the database server are connected.

If the traffic is routed in the wild (i.e. you dont have a virtual private network connecting your servers), you can set up an SSL connection between your Rails app and MySQL:

  • MySQL supports secure (encrypted) connections between MySQL clients and the server using the Secure Sockets Layer (SSL) protocol. Reference.
  • ActiveRecord has options for SSL security (:sslkey and others in database.yml). Reference

Restricting external connection to MySQL from a given IP for a low privileged user still applies.


As well as looking at the option of running over SSL, you can and should lock the database server to only accept connections from specific IP addresses.

I would generally only run SSL if the connection is entirely untrusted as it can have some performance impacts.

0

精彩评论

暂无评论...
验证码 换一张
取 消