MySQL through SSH Tunnel? - Yii Framework Forum


#1 Ocean Wind

  • Junior Member
  • Group: Members
  • Posts: 63
  • Joined: 14-September 10
  • Location: Denver, Colorado, USA

Posted 09 April 2012 - 04:17 PM

I need to connect into a remote MySQL DB that allows only localhost connections.

Is there an elegant, Yii way to create a MySQL connection through an SSH tunnel via the main config file?
0

#2 Ivica

  • Advanced Member
  • Group: Members
  • Posts: 317
  • Joined: 25-May 11

Posted 10 April 2012 - 01:23 AM

Before initializing the db component, you need to start the tunnel as follows (on Linux servers):
ssh -f user@mysql-server.com -L 3306:mysql-server.com:3306 -N
Once the tunnel is open, in the main.php config file, use localhost as the db host and enter your MySQL server username/password.
Zurmo: Yii Powered Open Source CRM
zurmo.org
0

#3 Ocean Wind

  • Junior Member
  • Group: Members
  • Posts: 63
  • Joined: 14-September 10
  • Location: Denver, Colorado, USA

Posted 20 April 2012 - 02:24 PM

Thanks. That's just what I was looking for.
0

#4 Pakotski

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 31-October 12

Posted 14 December 2012 - 04:37 AM

Can someone clarify where you have to start this ssh tunnel?
For me it seems that this is not possible in the main.php config file? So where is the db component initialized?
0

#5 Da:Sourcerer

  • Elite Member
  • Group: Members
  • Posts: 1,222
  • Joined: 30-March 11
  • Location: Berlin, Germany

Posted 14 December 2012 - 04:47 AM

Hm, I wonder if MySQL's built-in SSL transport weren't the better solution. One could still restrict IP access via iptables.

@Pakotski: Chances are that you cannot do that via PHP. Write a script for initd/systemd/upstart to take care of that.
programmer /ˈprəʊgramə/, noun: a device that converts ►coffee into ►code
0

#6 Boaz

  • Advanced Member
  • Group: Members
  • Posts: 367
  • Joined: 23-January 11

Posted 14 December 2012 - 05:51 AM

Pakotski, on 14 December 2012 - 04:37 AM, said:

Can someone clarify where you have to start this ssh tunnel?
For me it seems that this is not possible in the main.php config file? So where is the db component initialized?


In continuation of what was already answered, while it is possible (with SSH keys and passwordless login...), you would not want to set up and destroy an SSH tunnel with each request, since it takes a relatively long time to establish this tunnel. A few seconds usually.
It's like you're actually digging a tunnel from the web server to the MySQL server, and you wouldn't want to destroy and build it again on each request.
Therapeutic PHP sessions My LinkedIn Profile
0

#7 Da:Sourcerer

  • Elite Member
  • Group: Members
  • Posts: 1,222
  • Joined: 30-March 11
  • Location: Berlin, Germany

Posted 14 December 2012 - 05:55 AM

Actually, I just remembered that I once used a setup of xinetd+stunnel in order to protect a cvs server of mine. It's not the fastest solution, but at least for cvs response times were acceptable.
programmer /ˈprəʊgramə/, noun: a device that converts ►coffee into ►code
0

#8 Pakotski

  • Newbie
  • Group: Members
  • Posts: 2
  • Joined: 31-October 12

Posted 14 December 2012 - 07:25 AM

OK, so the best solution seems to be to set up an SSH tunnel on startup of the server. Will try!
0

#9 Boaz

  • Advanced Member
  • Group: Members
  • Posts: 367
  • Joined: 23-January 11

Posted 14 December 2012 - 08:01 AM

Pakotski, on 14 December 2012 - 07:25 AM, said:

OK, so the best solution seems to be to set up an SSH tunnel on startup of the server. Will try!


If this tunnel is critical or important enough, be sure to check the availability of the tunnel. It can hang sometimes.
Therapeutic PHP sessions My LinkedIn Profile
0
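
An added example (not posted by anyone in this thread) of where posts #2, #8 and #9 end up: open the tunnel once with keepalives, probe it end to end on a schedule, and restart it after repeated failures. The host, user, key path, local port 3307 and state file are placeholders, and the forward target 127.0.0.1:3306 assumes MySQL on the remote host listens on loopback.

```shell
#!/bin/sh
# Added example: watchdog for a long-lived SSH tunnel to MySQL.
# Host, user, key path, ports and state file are placeholders (assumptions).
SSH_TARGET="${SSH_TARGET:-tunnel@db.example.internal}"
SSH_KEY="${SSH_KEY:-/etc/mysql-tunnel/id_ed25519}"
LOCAL_PORT="${LOCAL_PORT:-3307}"
MAX_FAILS="${MAX_FAILS:-3}"
STATE_FILE="${STATE_FILE:-/run/mysql-tunnel.fails}"
# A hung tunnel can still accept TCP connections on the local port, so probe
# end to end: mysqladmin ping exits 0 only when a MySQL server answers.
PROBE_CMD="${PROBE_CMD:-mysqladmin --protocol=TCP -h 127.0.0.1 -P $LOCAL_PORT --connect-timeout=3 --silent ping}"

# Open the tunnel in the background, bound to loopback on both ends.
# ExitOnForwardFailure stops ssh if the port cannot be bound; the ServerAlive
# options make ssh exit when the far end stops answering.
start_tunnel() {
    ssh -f -N -i "$SSH_KEY" \
        -o BatchMode=yes -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
        -L "127.0.0.1:$LOCAL_PORT:127.0.0.1:3306" "$SSH_TARGET"
}

# Kill any ssh process still holding this forward.
stop_tunnel() {
    pkill -f "ssh .*-L 127.0.0.1:$LOCAL_PORT:" 2>/dev/null || true
}

# Run one probe and print "ok", "degraded" or "restart".
# Consecutive failures are counted in STATE_FILE across invocations.
check_tunnel() {
    if $PROBE_CMD >/dev/null 2>&1; then
        rm -f "$STATE_FILE"; echo ok; return 0
    fi
    fails=$(( $(cat "$STATE_FILE" 2>/dev/null || echo 0) + 1 ))
    if [ "$fails" -ge "$MAX_FAILS" ]; then
        rm -f "$STATE_FILE"; echo restart
    else
        echo "$fails" > "$STATE_FILE"; echo degraded
    fi
}

# From cron or a systemd timer: tunnel-watchdog.sh run
if [ "${1:-}" = "run" ]; then
    if [ "$(check_tunnel)" = "restart" ]; then
        stop_tunnel
        start_tunnel
    fi
fi
```

With this layout the Yii db connection string would name host=127.0.0.1 and port=3307, since PHP's MySQL drivers treat the host name localhost as a request for the Unix socket rather than TCP.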

#10 glyph

  • Newbie
  • Group: Members
  • Posts: 16
  • Joined: 20-April 12
  • Location: Michigan, USA

Posted 14 November 2013 - 11:30 AM

What's the story on using MySQL's built-in SSL connection security with Yii? I'm preparing to separate application and db server in a Yii app into 2 physical servers and would prefer to use MySQL SSL connection instead of SSH tunnels. SSH tunnels are not a good scalable option for enterprise level services. Is there any support for MySQL SSL already in Yii? I haven't found any information about it anywhere but this thread.

Thanks for any tips you have before I get started with this.
-------------------------------------------------
Glyph Imaging and Data Services
0

#11 ORey

  • Elite Member
  • Group: Members
  • Posts: 1,701
  • Joined: 20-April 09
  • Location: Moscow, Russia

Posted 14 November 2013 - 12:17 PM

glyph, on 14 November 2013 - 11:30 AM, said:

What's the story on using MySQL's built-in SSL connection security with Yii? I'm preparing to separate application and db server in a Yii app into 2 physical servers and would prefer to use MySQL SSL connection instead of SSH tunnels. SSH tunnels are not a good scalable option for enterprise level services. Is there any support for MySQL SSL already in Yii? I haven't found any information about it anywhere but this thread.

Thanks for any tips you have before I get started with this.


http://www.yiiframew...ssl-connection/
God is real unless declared as integer
0

#12 nineinchnick

  • Master Member
  • Group: Members
  • Posts: 622
  • Joined: 12-September 11
  • Location: Bialystok, Poland

Posted 14 November 2013 - 02:05 PM

I've got a bit of experience in using SSH this way.

I set it up using keys so I can allow connecting through SSH only to the exact specified service, no shell is available.
To set up the tunnel on demand, I use inetd or xinetd or lately even systemd to fire up SSH when a connection comes in to a specified port on localhost.
There is a considerable amount of overhead when establishing a connection, but otherwise this works flawlessly. You don't have to monitor the tunnel because it's set up on demand. Also, you can enable compression.
I guess if you use persistent connections to MySQL in PHP, that connection overhead should be bearable. At least I don't notice it when connecting manually.

If anybody is interested, I could post all the details of how to do that here or on the Wiki.

Another advantage to this is that you can use this for ANY service, not just databases. That's why this is sometimes called "poor man's VPN" :-)
Don't be a dick.
0
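
An added sketch of the kind of setup post #12 describes, using systemd socket activation; it is not nineinchnick's own configuration. The account name, host, key path and ports are placeholders, and command="/bin/false" is one assumed way to deny a shell to the forwarding-only key.

```shell
#!/bin/sh
# Added example: forwarding-only SSH key plus an on-demand tunnel via systemd.
# Host, user, key path and ports are placeholders (assumptions).
DB_SSH="${DB_SSH:-tunnel@db.example.internal}"
KEY="${KEY:-/etc/mysql-tunnel/id_ed25519}"
LISTEN="${LISTEN:-127.0.0.1:3307}"   # where the web application connects
TARGET="${TARGET:-127.0.0.1:3306}"   # MySQL as seen from the database host

# Print the authorized_keys line for the database host. $1 = public key text.
# restrict turns off pty, agent, X11 and all forwarding; port-forwarding and
# permitopen re-enable exactly one destination; command= replaces any shell.
authorized_keys_entry() {
    printf 'restrict,port-forwarding,permitopen="%s",command="/bin/false" %s\n' \
        "$TARGET" "$1"
}

# Write the unit files into directory $1 (normally /etc/systemd/system).
# Accept=yes starts one service instance per incoming connection; ssh -W then
# relays that connection's stdin/stdout to TARGET over SSH.
write_units() {
    cat > "$1/mysql-tunnel.socket" <<EOF
[Unit]
Description=On-demand SSH tunnel to MySQL

[Socket]
ListenStream=$LISTEN
Accept=yes

[Install]
WantedBy=sockets.target
EOF
    cat > "$1/mysql-tunnel@.service" <<EOF
[Unit]
Description=SSH tunnel to MySQL (one instance per connection)

[Service]
ExecStart=/usr/bin/ssh -q -o BatchMode=yes -i $KEY -W $TARGET $DB_SSH
StandardInput=socket
StandardError=journal
EOF
}

# On the web server, as root: tunnel-setup.sh install
if [ "${1:-}" = "install" ]; then
    write_units /etc/systemd/system
    systemctl daemon-reload
    systemctl enable --now mysql-tunnel.socket
fi
```

BatchMode means the database host's key must already be in the known_hosts file of the account that runs the service.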
