Securely passing database updates to a server outside a vpn - php

I've spent quite some time now trying to figure out how to pass a few rows from a server inside a SonicWall VPN to a remote VPS cloud server. The server inside the VPN is Microsoft 2003 running SQL Server 2005, the destination server is a CentOS 6 with MySQL. I've been unable to find a way for the CentOS to easily and securely access the MSSql server from outside the VPN. I have extremely limited knowledge of SonicWall or other firewalls in general and I really don't want to open the door to security risks. So in light of this I've come up with the following solution:
1) A scheduled PHP script extracts the rows and encrypts them with AES-256 inside a password-protected Excel file
2) The script then uploads the Excel file to my remote server using FTP
3) The remote server, having the same encryption keys, decrypts the file and uploads the rows to the MySQL database.
Two questions:
1) Is this a safe method of moving sensitive data from one server to another?
2) Is there an easier way to access the data that I have not thought of?

You're involving FTP and files for what is essentially a system-to-system transfer, which can result in trouble due to file locks and just looks ugly.
A better approach would be to have the remote CentOS box expose a port / web service over HTTPS which requires client-side authentication:
Your script retrieves the rows from some source
The script converts the rows to a form the server can read
The script calls the port exposed by the client; this is an outgoing connection, so it should be easier to get outside the VPN (based on the fact that getting an FTP connection outside the VPN is possible)
The script verifies the server-side certificate, provides its own client-side certificate and transmits the rows over SSL
The CentOS host receives the rows and processes them as required.
With your current approach you will need to secure the FTP connection somehow; doing so securely will require both the service and the client to authenticate themselves to one another, and SSL does most of the heavy lifting in that regard in terms of connection negotiation and protocol flow.
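The exchange the answer describes, as an added example that is not part of the original question or answer: a sending script on the host inside the VPN posts the rows as JSON over HTTPS with a client certificate, and a receiver function on the CentOS box accepts them only when Apache's mod_ssl reports a validated client certificate with the expected subject. The endpoint URL, certificate paths, the `customers` table and its columns, and the expected CN are assumptions; the `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN` variables are the ones mod_ssl exports when `SSLOptions +StdEnvVars` is set.

```php
<?php
// Added example, not code from the original question or answer.
// pushRows() runs on the host inside the VPN; handleIncoming() is called from the
// HTTPS endpoint on the CentOS box. URL, paths, table and column names are assumptions.

// Constructed sample rows standing in for the result of the SQL Server query.
$sampleRows = array(
    array('id' => 101, 'name' => 'Alice', 'updated' => '2013-05-01 09:12:00'),
    array('id' => 102, 'name' => 'Bob',   'updated' => '2013-05-01 09:15:30'),
);

/**
 * Sender side: POST $rows as JSON to $url over HTTPS, verifying the server's
 * certificate against $caBundle and presenting our own client certificate.
 * Throws RuntimeException on any transport or HTTP failure.
 */
function pushRows(array $rows, $url, $clientCert, $clientKey, $caBundle)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode(array('rows' => $rows)),
        CURLOPT_HTTPHEADER     => array('Content-Type: application/json'),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,        // chain must validate against our CA bundle
        CURLOPT_SSL_VERIFYHOST => 2,           // certificate name must match the URL host
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_SSLCERT        => $clientCert, // PEM client certificate
        CURLOPT_SSLKEY         => $clientKey,  // PEM private key
        CURLOPT_CONNECTTIMEOUT => 10,          // fail fast if the outbound path is down
        CURLOPT_TIMEOUT        => 60,
    ));
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("transfer failed: $err");
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($status < 200 || $status >= 300) {
        throw new RuntimeException("server returned HTTP $status: $body");
    }
    return true;
}

/**
 * Receiver side. Assumes Apache mod_ssl with "SSLVerifyClient require" and
 * "SSLOptions +StdEnvVars", which exports the client certificate verification
 * result into $_SERVER. Returns array(httpStatus, message).
 */
function handleIncoming(array $server, $rawBody, mysqli $db, $expectedCn)
{
    // mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only after the chain validated.
    if (!isset($server['SSL_CLIENT_VERIFY']) || $server['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
        return array(403, 'client certificate required');
    }
    // Pin the expected subject CN so another certificate from the same CA is rejected.
    if (!isset($server['SSL_CLIENT_S_DN_CN']) || $server['SSL_CLIENT_S_DN_CN'] !== $expectedCn) {
        return array(403, 'unexpected client identity');
    }
    $data = json_decode($rawBody, true);
    if (!is_array($data) || !isset($data['rows']) || !is_array($data['rows'])) {
        return array(400, 'malformed payload');
    }
    // Prepared statement: row values are sent as parameters, never spliced into SQL text.
    $stmt = $db->prepare('INSERT INTO customers (id, name, updated) VALUES (?, ?, ?)'
        . ' ON DUPLICATE KEY UPDATE name = VALUES(name), updated = VALUES(updated)');
    if ($stmt === false) {
        return array(500, 'prepare failed');
    }
    $stmt->bind_param('iss', $id, $name, $updated);
    $count = 0;
    foreach ($data['rows'] as $row) {
        if (!isset($row['id'], $row['name'], $row['updated'])) {
            continue; // skip rows that do not carry the expected fields
        }
        $id      = (int) $row['id'];
        $name    = (string) $row['name'];
        $updated = (string) $row['updated'];
        if ($stmt->execute()) {
            $count++;
        }
    }
    $stmt->close();
    return array(200, "stored $count rows");
}

// Invocation on the sending side (paths and URL are assumptions):
// pushRows($sampleRows, 'https://vps.example.com/import.php',
//          '/etc/export/client.pem', '/etc/export/client.key', '/etc/export/ca.pem');
```

In the endpoint script the receiver is wired up as `list($status, $msg) = handleIncoming($_SERVER, file_get_contents('php://input'), $db, 'vpn-export-job'); http_response_code($status); echo $msg;`. The connect and total timeouts on the sender are what make the scheduled job fail cleanly and log an error, rather than hang, when the outbound path is unavailable.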

How is it possible to run an ftp server, using php?

I would like to host an FTP server on: mywebsite.domain/ftpserver.php
The XAMPP server runs on my computer.
The PHP is important, because I would like to authenticate the users using their passwords in the MySQL database, and their directory's name is also stored in the database.
Or if there is a free ftp server, then how could I create ftp users from the php?
I know that this question is some years old, but in my opinion the accepted answer is not correct.
You can omit the webserver (XAMPP / Apache) and run a PHP script from the command line. This PHP script can listen on a TCP port (e.g. port 22, https://www.php.net/manual/en/function.socket-listen.php) and so it can receive (FTP) requests directly from a client. You will reach the server via mywebsite.domain. mywebsite.domain/yourscript.php is not necessary because PHP will listen directly on the given port.
But there's a big drawback: you have to implement the complete FTP protocol by yourself in PHP. That's quite a big task and you have to know what you are doing.
This cannot easily be done. PHP works, almost always, with a webserver, serving HTTP and HTTPS requests, not FTP requests. You could configure it to answer FTP requests on port 22, as said in the other answer, but then you still have to process all the FTP requests.
A second point would be: why FTP? You can serve files with the HTTP and HTTPS protocols as well. The only limitation is that users cannot use a custom client; they have to use a browser.

Website to connect to a client desktop application

I have an application written in VB.net that runs on a client's PC.
I also have a website written in mostly JavaScript, HTTP and PHP.
The thing I want to do is to connect the website to the application, so that when, e.g., a certain button is pressed, it connects to the client application and raises an event.
I have tried approaches like TCP socket communication by having a TCP Socket Server running in the background of the client application. I can connect to the server by having a client connection from another vb.net application, but whenever I try to connect through PHP it fails. (I have only tried PHP since server-side scripting seems to make more sense in this case)
Another approach I have tried is to have an HTTP server running in the background of my desktop application and then have a PHP script connect to it, that fails as well.
One thing that I've been thinking about as a last resort is to simply have a text file on the webserver and a PHP script writing to it after given parameters, and then have the client application read the file every few seconds. But this wouldn't be very efficient with larger amounts of data, would it?
What is the proper way of doing this?
If you have any questions about the code I've been using, feel free to ask.
If you don't get my blurry explanation, try this image: http://i.imgur.com/8njxVFj.png
Thanks in advance.
To have your data more organized, I would suggest that you store your data on a database server, for example MySQL (which is free).

PHP Post Data Over VPN

I need to connect to a webservice which is behind a VPN via PHP. My server is Debian Linux (Squeeze).
Is it possible to accomplish this via PHP on Linux?
Is it risky to do this if it is possible? (When the VPN connection hangs etc., does the operating system or anything else whatsoever handle the situation?)
I have only one network card, therefore I really wonder whether it is possible to keep the server online for normal users while "posting data over an established VPN connection in the background".
Although my question seems to be a conceptual question, any specific help is also welcome.
Server OS : Debian Linux Squeeze (x64)
Web Server : Apache HTTP
PHP Version: 5.3
Framework: Symfony 1.4
VPNs are at a network layer below PHP; PHP won't know or care whether the connection is over a VPN or a normal connection. It's handled by the network stack.
If you use a permanent one (e.g. IPSEC) then PHP doesn't need to create the connection; it's just there to use when PHP connects to an IP address that is in the VPN. It is selected by the network layer when it does the routing, not by PHP. This is true even if you create the VPN on demand, as jderda suggested, using exec() or similar. But a permanent connection is better (IPSEC).
So to answer your questions:
The question doesn't make sense; the only way PHP could do this is using PPTP or similar and exec() to bring the connection up, but it is better to use IPSEC
If the VPN connection hangs/dies PHP won't get a connection to the remote end and will timeout the connection.
Yes it is.
From PHP point of view, the VPN is just a plain network connection. It does not require additional handling.
If you want to dynamically establish a VPN connection, you'll probably need to use exec() and some command-line tool for establishing a connection. But as such a connection doesn't interfere with normal network communication (as long as it's properly configured, with a different subnet IP range), you should establish it once and keep it active for PHP and other apps to use.

Submit Form Data through Web Server to MySQL Server using Stunnel?

I have a form that users can fill out, and the data will be stored into a MySQL database using PHP. The connection to the Apache server is encrypted through HTTPS, and I would like to encrypt the connection to the MySQL database. Both Apache and MySQL are on the same server machine.
I dug around the Interweb and Stunnel seems to be what I need. OpenSSL and SSL are supported and activated on the server, since we are given the option of using the standard port and a stunnel port to connect to the MySQL server. However, all the articles I found online deal with using Stunnel to connect a MySQL client to an external MySQL server, but not how to use PHP to connect to a local MySQL server. Am I right to assume that just because the form is transmitted through HTTPS, it doesn't mean that the connection to the database is also encrypted?
The PHP code I use to connect to MySQL is like this:
$mysqli = new mysqli("ip","user", "password", "database", "standardport");
This works fine using the standard port. However, if I change it to a Stunnel port, I get a connection time-out error. Clearly I'm missing something; any help and advice is appreciated! Thanks!
You've already stated that you use an HTTPS connection to encrypt traffic between the client's browser and your webserver, and that the webserver and MySQL instance are on the same machine.
Assuming the HTTPS connection is secure, this should be all you need to protect your data over public networks, and using a secure tunnel for a connection that is only present on the local machine simply adds an unnecessary layer of complexity.
Consider the following examples.
The first is how the connection looks without a secure tunnel.
browser <--HTTPS--> [ webserver <--> mysql ]
So in this scenario, the connection between the webserver and mysql is unencrypted. Someone who has access to the machine (depending on permissions) will be able to observe all traffic between the webserver and mysql and/or read the physical databases from disk themselves.
Now, with a secure tunnel
[ webserver <--> stunnel <--ENCRYPTED--> stunnel <--> mysql ]
I hope you can see that the connections between the webserver and one secure tunnel endpoint, and the connection between mysql and the other endpoint are both unencrypted. In this scenario, exactly the same as before, someone with access to the machine could potentially see all traffic and read the databases from disk.
No additional security has been achieved.
Lastly
[ webserver <--> stunnel ] <--ENCRYPTED--> [ stunnel <--> mysql ]
When you are using two separate servers, then the local traffic is still unencrypted, however stunnel secures the stream between the two machines. Someone with local access to the machines may still be able to observe traffic and read data, however someone observing network traffic between servers will not.
A solution?
All that said, if you really want to encrypt the traffic between PHP and MySQL, even on the same machine, a slightly better solution exists than using stunnel.
MySQL supports SSL natively, as does PHP when both are compiled with SSL support. (Your installations may already be configured this way, it's up to you to check them)
The MySQL manual details how to configure your MySQL server with SSL support and PHP provides the function mysqli_ssl_set
Using this combination, you can natively encrypt the connection between PHP and the mysql server.
[ webserver <--ENCRYPTED--> mysql ]
However someone with access to the machine may still be able to read the unencrypted database from disk, and may be able to observe the memory of running processes.
You are quite right, the internet is a dangerous place, and proper security is essential. If your server itself and the data it contains are not secure, all is lost, no matter what precautions you take securing how the data enters and leaves it.
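The native mysqli TLS setup the answer points at, as an added example (not code from the original question or answer): the connection is opened with `ssl_set()` and the `MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT` flag, then the script checks the `Ssl_cipher` status variable and refuses to continue if the server silently fell back to plaintext, and the form data is stored with a prepared statement. Host, credentials, certificate paths and the `submissions` table are assumptions; the mysqli functions and the status variable are the documented ones.

```php
<?php
// Added example, not code from the original answer. Host, credentials, table and
// certificate paths are assumptions.

/**
 * Open a mysqli connection that must be TLS-encrypted. Connecting to 127.0.0.1
 * rather than "localhost" makes the client use TCP, the same path the stunnel
 * discussion assumes; the Ssl_cipher check below reports what was really negotiated.
 */
function connectEncrypted($host, $user, $pass, $dbName, $caFile, $clientKey = null, $clientCert = null)
{
    $mysqli = mysqli_init();
    // Arguments: key, certificate, CA file, CA path, cipher list. Key and
    // certificate may be null when the server does not require client certificates.
    $mysqli->ssl_set($clientKey, $clientCert, $caFile, null, null);
    // Ask for TLS and require the server certificate to verify against $caFile.
    $flags = MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_VERIFY_SERVER_CERT;
    if (!$mysqli->real_connect($host, $user, $pass, $dbName, 3306, null, $flags)) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    // Confirm the session actually negotiated a cipher; an empty value means plaintext.
    $res = $mysqli->query("SHOW STATUS LIKE 'Ssl_cipher'");
    $row = $res ? $res->fetch_assoc() : null;
    if (empty($row['Value'])) {
        $mysqli->close();
        throw new RuntimeException('connection is not encrypted');
    }
    return $mysqli;
}

/**
 * Store one form submission with a prepared statement, so the values travel as
 * bound parameters and are never spliced into the SQL text.
 */
function storeSubmission(mysqli $db, $name, $email, $message)
{
    $stmt = $db->prepare('INSERT INTO submissions (name, email, message) VALUES (?, ?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('sss', $name, $email, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (the values would normally come from the validated $_POST array;
// host, account and CA path are assumptions):
// $db = connectEncrypted('127.0.0.1', 'formapp', 'secret', 'site', '/etc/mysql/ca.pem');
// storeSubmission($db, 'Alice', 'alice@example.com', 'hello');
```

The server side has to be started with its own certificate and key and the CA that signed them, as the MySQL manual section the answer refers to describes; if it is not, `real_connect()` with these flags fails rather than quietly downgrading, which is the behaviour you want from a "must be encrypted" connection.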

Can local intranet application (built on php) query mysql database stored in offsite location?

I have a local intranet application which runs off a basic WAMP server in our offices. Every morning, one of our team members manually syncs our internal mysql db with our external mysql db (where our online enrollments occur). If a change is made during the day on the intranet application, it is not reflected on the external db until the following day.
I am wondering if it is possible to (essentially) tunnel to an external mysql connection from say a wamp or xampp server from within our offices and work in 'real-time'.
Anybody had any luck or advice?
Yes
Replication enables data from one MySQL database server (the master) to be replicated to one or more MySQL database servers (the slaves). Replication is asynchronous: slaves need not be connected permanently to receive updates from the master. This means that updates can occur over long-distance connections and even over temporary or intermittent connections such as a dial-up service. Depending on the configuration, you can replicate all databases, selected databases, or even selected tables within a database.
If you use the external server directly, performance is likely to suffer. A Gigabit LAN might be a thousand times faster than your Internet connection - particularly the upload speed of an ADSL connection.
Just make your internal application use the database from the external one. You may need to add permission on the external server to allow connections from your internal server IP, but otherwise this is just like having a webserver and a separate db server that need to access each other.
Can't really tell you how to do this here; it all depends on your specific configuration, something that I would think is a little complicated (and too specialized) to figure out on SO.