I am working on a project for an app that allows Android to remotely connect to an MySQL Database using a PHP API.
Users have requested that the app should support SSH Tunneling which I have been looking into but I have a few concerns regarding this.
How the app works is the API runs on my web server (the user has the option to install on there own servers but most don't) so Android sends a post to the PHP API, and then PHP directly connect to a MySQL Host that was sent in the post message from android, this is all working fine.
However, if I want to support SSH tunneling, my understanding is that my Android app would still post to my PHP API, but instruct to open an SSH tunnel, for example forwarding local port 3307 to remote host example.com on port 3306. Then PHP would connect to MySQL via 127.0.0.1 on port 3307.
This is fine, except if another user then decides to use port 3307 at the same time another user is doing a tunnel the second user would clash as the first user already has 3307 open so they would need to pick a new port.
I thought that then the best work around for this would be the API has a pool of sockets that it can use and picks one that is free and connects via that local port via the specified remote port that android sent. E.g. the API will for example pick local port 5000 and forward to 3306.
My worry here is that although this would work, there is a potential risk that two users could make a request at the same time, and the API picks the same port number to use as a local port, e.g. 5000, as this port is technically free but then one user would successfully connect, and the second user would end up connecting to the first users servers, and hopefully fail to authenticate but still, potential risk here.
Am I thinking of this the correct way, or is there a better way, or should I only support the SSH tunneling option if the user is running the API from there own web server instead of mine so there would be no risk of clashing with another unrelated user.
Related
I have a php script that accesses a mysql database. It lives on a server that has been migrated to aws (amazon web services). This server hosts a website that used to live on a physical server part of a private network.
The databases are still on that private network. I need to connect to a mysql database that is on a server with no public ip address. There is a vpn set up for this network.
I would like to ssh or vpn to the network from the aws server.
This is just to query something once a day.
I tried exec('ssh -f -L 3307:PrivateMYSQLServer:3306 USER#VPNADDRESS') but could not get it to work.
Is there a one liner that I can insert into the php script?
thanks
You’ll have to set up the server in which your script runs to connect back to your network via your VPN client.
Alternatively, you can set up a site to site VPN between your data center and AWS.
If you have a correctly configured site-to-site VPN (and routing tables, security groups, etc.), one end in your VPC and the other end in your private on premises network, then you don't need to create an SSH tunnel. Just connect to your database and run the query.
I want to connect to a remote database from my localhost, but the remote DB only allows connections from whitelisted IPs.
Since I'm on a dynamic IP from my ISP, I can't have my home IP whitelisted, because it will just change again.
I have a VPS with full root access and a fixed IP, which is whitelisted.
What I want is to:
Run a php script from my local machine
Connect to the remote database via my VPS
Get the query results back to my local machine for handling
How do I do this?
Having a PHP proxy to execute arbitrary SQL statements from any IP address is really dangerous. I would suggest you abstract the SQL statements into an API, so rather than allowing any query through, you limit it to a specific set of queries to retrieve or update specific data. Your local machine could then just call that API to retrieve or update information.
The key problem you need to solve is finding a host with a static IP address you can add to the whitelist. You say that you have already solved that problem. However you have not mentioned what OS is running on the vps nor the client. If both are Linux, then you can do this with just iptables. If either or both are mswindows then you could use socat, but if it were me, I'd go with a stunnel link between the client and proxy (although if the whitelist on the server is only applied to the mysql connection, you could terminate the stunnel connection on the server and skip the proxy altogether) using client certificate authentication or an SSH tunnel.
apparently my hosting provider does not support Remote MySQL Usage as it says in its Knowledge Base even though i bought a premium package
remote MySQL connections are disabled for security and performance reasons. You can only connect to MySQL from your PHP scripts hosted on our servers.
is there any way i can make an API so that i can connect to my MySQL Remotely ?. i need to use the Database in my Host Account as a source of information for my Android Application. thanks
You should look into using something like a HTTP Tunnel.
This post outlines a method of doing this for Android.
Basically you connect through this tunnel which is placed on your server, and can the communicate with the server as if you were localhost.
SSH is also another option, although you'll need remote SSH access enabled by your host. That's normally something you'll have to specifically request for them to enable.
You would then create an SSH tunnel using a technique like this and then use that as your connection for your database. Once you've initiated the connection you would then query it as normal.
There are possibilities here.
Your hosting provider may have allowed access of the database only
on certain IP(s) on certain PORTS. In this case, you cannot access
the database even if you write API's because the connection is not
open to the IP/PORT through which you are accessing through.
The database admin can also block access to certain table(s) or
database(s) for certain users.
I'm needing to synchronise two mysql databases between different servers on a regular basis, by a client-initiated interface. I've been doing it by remote MYSQL connection, and adding the IP of the servers to the whitelist for MYSQL remote connections. Problem is however, that the client has a dynamic IP, so as soon as it changes they can no longer sync.
So I'm trying to find an alternative way of synchronising the two databases via some sort of secure php script.
edit: I should make this a bit clearer. I've got a server (WAMP) running on a PC (Win7) the database of which I need to synchronize (both ways) to an online server. I've been doing it via remote MySQL connect, which I'd like to avoid because of dynamic IPs, and also because the local WAMP server connects to different internet connections (being a laptop) and needs to not be restricted to one IP.
However you want to synchronize the databases (replication, a PHP script, etc.), the best way to secure it would be to either use an IPSec/VPN or SSH tunnel to encrypt all the communication between the two servers. Then you'd just open a regular mysql or http connection through the tunnel.
Using either method, you'll have access to a variety of authentication modes. So you could use a pre-shared key or username/password authentication or both.
You can use an SSH client like PuTTY to initiate an SSH tunnel on a Windows systems. Or if you google IPSec and XAuth, you should be able to find some guides on how to set up an authenticated IPSec VPN.
So I need to connect to a mssql server via Windows Authentication from a Unix server. Here are the obstacles:
The db admin created a service account but made it Windows-Auth only, meaning I can't pass the username and password directly to the server to connect.
The admin also added my host's server to the firewall so that it would only accept requests from my host machine.
My host server has mssql enabled via freetds/sybase-dblib, but has the default 'secure-connections: Off' still set.
I have a similar set up on my personal machine, but with secure-connections on, but I can't connect that way since I'm firewalled.
So I'm wondering if it's possible to set up a proxy of sorts on my host so that I can start the connection on my personal machine using my local freeTDS library, but have the request pass to the host which would (in my dream world) not require secure connections to be on but simply would pass the request along so that it came from my non-firewalled host but using the correct authentication method.
If anyone is not familiar with how Windows-Authentication works, it's a type of Kerberos authentication where the client machine makes the request to the remote server so that credentials are never actually sent (and thus can't be compromised by a man-in-the-middle). So I'm very doubtful that this can be done, since at some level my host machine has to do the actual work. But i thought I'd ask since I'm not totally clear on the deeper mechanics and because I really want to get this to happen.
I guess another way of looking at it is I want to use my host as a kind of VPN.
Also, I am working with my host admins to find a more long-term solution but I need to see the database as soon as possible so I can have something working when the problem gets fixed.
Why don't you try SSH port forwarding? Ie. you connect to your host server, and tell it to forward a local port to the sql server. Then you connect on your local machine using localhost:port and your connection will be tunneled over ssh through your host server.
If your local machine is a Windows machine then just download PuTTY and follow these instructions to set up port forwarding : http://www.cs.uu.nl/technical/services/ssh/putty/puttyfw.html.
The question is of course whether your Windows credentials will be passed, but in theory this should work :p.