I want to connect to a remote database from my localhost, but the remote DB only allows connections from whitelisted IPs.
Since I'm on a dynamic IP from my ISP, I can't have my home IP whitelisted, because it will just change again.
I have a VPS with full root access and a fixed IP, which is whitelisted.
What I want is to:
Run a PHP script from my local machine
Connect to the remote database via my VPS
Get the query results back to my local machine for handling
How do I do this?
Having a PHP proxy to execute arbitrary SQL statements from any IP address is really dangerous. I would suggest you abstract the SQL statements into an API, so rather than allowing any query through, you limit it to a specific set of queries to retrieve or update specific data. Your local machine could then just call that API to retrieve or update information.
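A sketch of the kind of API suggested in this answer, added here as an example and not code from the original thread. The action names, the `orders` table, the shared-secret HMAC check and the in-memory SQLite demo data are all constructed assumptions; on the VPS the PDO handle would point at the remote MySQL server.

```php
<?php
// Each API action maps to ONE fixed, parameterised statement. Table, column
// and action names are constructed for this example.
const ACTIONS = [
    'order_by_id' => [
        'sql'    => 'SELECT id, status, total FROM orders WHERE id = :id',
        'params' => ['id' => '/\A\d{1,10}\z/'],
    ],
    'orders_by_status' => [
        'sql'    => 'SELECT id, total FROM orders WHERE status = :status ORDER BY id',
        'params' => ['status' => '/\A(new|paid|shipped)\z/'],
    ],
];

// Dynamic client IP, so authenticate the request body itself (shared-secret HMAC, an assumption).
function is_authentic(string $body, string $mac, string $secret): bool
{
    return hash_equals(hash_hmac('sha256', $body, $secret), $mac);  // constant-time compare
}

function run_action(PDO $db, string $action, array $args): array
{
    $spec = ACTIONS[$action] ?? null;
    if ($spec === null) {
        throw new InvalidArgumentException('unknown action');
    }
    $bound = [];
    foreach ($spec['params'] as $name => $pattern) {
        $value = $args[$name] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("bad parameter: $name");
        }
        $bound[":$name"] = $value;   // bound, never concatenated into SQL
    }
    $stmt = $db->prepare($spec['sql']);
    $stmt->execute($bound);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// Demo on constructed data; on the VPS $db would be the PDO MySQL connection.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT, total REAL)");
$db->exec("INSERT INTO orders VALUES (1, 'paid', 19.5), (2, 'new', 5.0)");
$body = json_encode(['action' => 'order_by_id', 'args' => ['id' => '1']]);
$mac  = hash_hmac('sha256', $body, 'constructed-secret');  // sent by the client
if (is_authentic($body, $mac, 'constructed-secret')) {
    $req = json_decode($body, true);
    print_r(run_action($db, $req['action'], $req['args']));
}
```

A request naming any other action, or passing a value such as `1 OR 1=1` for `id`, is rejected with an `InvalidArgumentException` before any statement is prepared.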
The key problem you need to solve is finding a host with a static IP address you can add to the whitelist. You say that you have already solved that problem. However, you have not mentioned what OS is running on the VPS nor the client. If both are Linux, then you can do this with just iptables. If either or both are MS Windows then you could use socat, but if it were me, I'd go with a stunnel link between the client and proxy (although if the whitelist on the server is only applied to the MySQL connection, you could terminate the stunnel connection on the server and skip the proxy altogether) using client certificate authentication or an SSH tunnel.
Related
I am trying to run a PHP script on an external hosting server. I selected byethost because it's a free service. All of my system runs excellently, except this script. I searched for information and did not find anything.
exec('mysqldump -u useronserver -ppasswordonserver clinicasbv >' . RESPALDOS_DB_L . date('Y_m_d_g_i_s', time() - (21600 - 3600)) . '_clinicasbv_backup.sql');
This code works perfectly on my virtual host on my machine, but does not work on byethost.
So, do I need root privileges or anything else to run this script on an external server? I need this script working on an external server, that's all
It is very likely that the hosting provider has blocked your ability to run the "exec()" function. It is technically a security risk to allow it. You should find another way to get the MySQL dump, i.e. connecting remotely using a MySQL system or using the PHP MySQLi functions.
To do this, the connecting host will preferably need a static IP address; otherwise you'll need to redo this guide each time their dynamic IP address from their ISP changes.
You can allow access from cPanel for MySQL itself. We'll also need to set up an allow rule through the firewall, which is covered here.
Login to your cPanel.
Go to Databases » Remote MySQL.
Enter the IP address of the computer that will be making the remote connection.
Click the Add Host button.
Now we need to allow the person's IP to connect to port 3306, which is closed by default. The best way to do this is with a firewall rule specific to their IP and port 3306; how to do this for CSF is detailed here.
I am working on a project for an app that allows Android to remotely connect to a MySQL database using a PHP API.
Users have requested that the app should support SSH Tunneling which I have been looking into but I have a few concerns regarding this.
How the app works is the API runs on my web server (the user has the option to install it on their own servers, but most don't). Android sends a POST to the PHP API, and then PHP directly connects to a MySQL host that was sent in the POST message from Android; this is all working fine.
However, if I want to support SSH tunneling, my understanding is that my Android app would still post to my PHP API, but instruct it to open an SSH tunnel, for example forwarding local port 3307 to remote host example.com on port 3306. Then PHP would connect to MySQL via 127.0.0.1 on port 3307.
This is fine, except if another user then decides to use port 3307 at the same time another user is doing a tunnel, the second user would clash, as the first user already has 3307 open, so they would need to pick a new port.
I thought that the best workaround for this would be for the API to have a pool of sockets that it can use; it picks one that is free and connects via that local port to the specified remote port that Android sent. E.g. the API will pick local port 5000 and forward to 3306.
My worry here is that although this would work, there is a potential risk that two users could make a request at the same time, and the API picks the same port number to use as a local port, e.g. 5000, as this port is technically free. Then one user would successfully connect, and the second user would end up connecting to the first user's servers, and hopefully fail to authenticate, but still, there is a potential risk here.
Am I thinking of this the correct way, or is there a better way, or should I only support the SSH tunneling option if the user is running the API from their own web server instead of mine, so there would be no risk of clashing with another unrelated user?
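The race described in this question comes from checking that a port is free and then using it as two separate steps. The following added example (not part of the original post) claims a port by binding it, so the kernel decides which request owns it; the pool range and function names are constructed, and PHP listening sockets stand in for the local end of the tunnel.

```php
<?php
// Claim a local port from the pool by binding it. bind() either succeeds for
// exactly one caller or fails with "address in use", so there is no gap
// between "looks free" and "is mine" for a second request to slip into.
// Pool range and function names are constructed for this example.
function claim_local_port(array $pool): array
{
    foreach ($pool as $port) {
        // Loopback only: the forwarded MySQL port must not be reachable
        // from other hosts.
        $listener = @stream_socket_server("tcp://127.0.0.1:$port", $errno, $errstr);
        if ($listener !== false) {
            return ['port' => $port, 'listener' => $listener];
        }
        // Port already held by another request or program: try the next one.
    }
    throw new RuntimeException('no free port in pool');
}

function release_local_port(array $claim): void
{
    fclose($claim['listener']);   // closing the listener frees the port
}

// Two requests arriving "at the same time" draw from the same pool.
$pool   = range(5000, 5009);
$first  = claim_local_port($pool);
$second = claim_local_port($pool);
printf("first=%d second=%d\n", $first['port'], $second['port']);
var_dump($first['port'] !== $second['port']);   // distinct while both are held

release_local_port($first);
$third = claim_local_port($pool);               // the freed port can be reused
printf("third=%d\n", $third['port']);
```

When the forwarder is an external `ssh -L` process, it is ssh that performs the bind; OpenSSH's `ExitOnForwardFailure=yes` option makes a lost race end the process instead of leaving a session with no forward, so the API can detect the failure and try the next port.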
I'm needing to synchronise two mysql databases between different servers on a regular basis, by a client-initiated interface. I've been doing it by remote MYSQL connection, and adding the IP of the servers to the whitelist for MYSQL remote connections. Problem is however, that the client has a dynamic IP, so as soon as it changes they can no longer sync.
So I'm trying to find an alternative way of synchronising the two databases via some sort of secure php script.
edit: I should make this a bit clearer. I've got a server (WAMP) running on a PC (Win7) the database of which I need to synchronize (both ways) to an online server. I've been doing it via remote MySQL connect, which I'd like to avoid because of dynamic IPs, and also because the local WAMP server connects to different internet connections (being a laptop) and needs to not be restricted to one IP.
However you want to synchronize the databases (replication, a PHP script, etc.), the best way to secure it would be to either use an IPSec/VPN or SSH tunnel to encrypt all the communication between the two servers. Then you'd just open a regular mysql or http connection through the tunnel.
Using either method, you'll have access to a variety of authentication modes. So you could use a pre-shared key or username/password authentication or both.
You can use an SSH client like PuTTY to initiate an SSH tunnel on a Windows system. Or if you google IPSec and XAuth, you should be able to find some guides on how to set up an authenticated IPSec VPN.
I have set up my WordPress site on my local machine and I would like it to talk to the live MySQL database on the server. I accessed the wp-config.php file on my machine and changed the hostname to use the IP address instead of localhost, but it will not work.
What do I need to do?
It could be that your remote database is configured to accept connections only from localhost for security reasons. Most web providers set it up that way. In that case, you have no chance of making this work.
Anyway, even if you would get it to work, you will encounter two problems: It will be awfully slow, and the HTML served by the remote database will contain references to server URLs (as opposed to local ones).
If you need more detailed information, you will need to post any error messages you get from MySQL.
Alternatively, you can try running the mysql command-line utility to connect.
mysql -u username -h server -p wordpress_database
Make sure that works first before attempting to get WordPress to connect.
My guess is you won't be able to connect due to firewall issues. MySQL uses port 3306 by default, so if the server's firewall doesn't allow connections through that port, you'll either have to change the port MySQL is using (probably a bad idea if other apps expect to see MySQL on that port) or get that port opened on the server (make sure you only open it for local IPs, so someone else can't get to your MySQL instance!)
So I need to connect to a mssql server via Windows Authentication from a Unix server. Here are the obstacles:
The db admin created a service account but made it Windows-Auth only, meaning I can't pass the username and password directly to the server to connect.
The admin also added my host's server to the firewall so that it would only accept requests from my host machine.
My host server has mssql enabled via freetds/sybase-dblib, but has the default 'secure-connections: Off' still set.
I have a similar set up on my personal machine, but with secure-connections on, but I can't connect that way since I'm firewalled.
So I'm wondering if it's possible to set up a proxy of sorts on my host so that I can start the connection on my personal machine using my local freeTDS library, but have the request pass to the host which would (in my dream world) not require secure connections to be on but simply would pass the request along so that it came from my non-firewalled host but using the correct authentication method.
If anyone is not familiar with how Windows-Authentication works, it's a type of Kerberos authentication where the client machine makes the request to the remote server so that credentials are never actually sent (and thus can't be compromised by a man-in-the-middle). So I'm very doubtful that this can be done, since at some level my host machine has to do the actual work. But I thought I'd ask since I'm not totally clear on the deeper mechanics and because I really want to get this to happen.
I guess another way of looking at it is I want to use my host as a kind of VPN.
Also, I am working with my host admins to find a more long-term solution but I need to see the database as soon as possible so I can have something working when the problem gets fixed.
Why don't you try SSH port forwarding? I.e. you connect to your host server, and tell it to forward a local port to the SQL server. Then you connect on your local machine using localhost:port and your connection will be tunneled over SSH through your host server.
If your local machine is a Windows machine then just download PuTTY and follow these instructions to set up port forwarding: http://www.cs.uu.nl/technical/services/ssh/putty/puttyfw.html.
The question is of course whether your Windows credentials will be passed, but in theory this should work :p.