Mysql – Connecting to MySQL securely – MySQL’s SSL vs Stunnel vs SSH Tunneling

MySQLssh-tunnelsslstunnel

We have a PHP application which connects to a MySQL server, and we wish to secure connections between the web & application servers and the database.

At peak times, the web servers make many hundreds of concurrent connections to the database, and perform lots of small reads and writes. I'm aware this isn't optimal, and am working on reducing the number of database connections in parallel to this.

We don't have persistent connections to the database turned on currently, and although we intend to in the future I would like to implement this independently of that.

Hardware wise – the MySQL server is quite chunky (16 core) as are the web servers. They're dedicated servers.

My question then surrounds the most performant way of securing & encrypting the connections to the database server.

My research so far has suggested that the main performance overhead is with setting up the SSL connection – once SSL is connected there is little performance penalty. And here's what I have about each method of securing the connection:

MySQL SSL Certificates – works just like normal SSL. Can use client certificates to prevent unauthorised connections. No persistent connections with our existing setup. Still have to have MySQL listening on an open port on the firewall.
stunnel. Set up a port to port ssl tunnel. Do not have to reconfigure MySQL. Can close the normal MySQL listening port to prevent malicious MySQL connection attempts. Does not support persistent connections. Unknown performance hit.
SSH Tunneling. Create an SSH tunnel between the client and the server. Do not have to reconfigure MySQL. Can close the normal MySQL listening port to prevent malicious MySQL connection attempts. Supports persistent connections, but these sometimes drop out. Unknown performance hit.

This is as far as I've been able to get. I'm aware of the limitations of benchmarks – in my experience of running them it's very difficult to simulate real world traffic. I was hoping that someone had some advice based on their own experiences of securing MySQL?

Thanks

Best Answer

I would go with the ssh-tunnel and do it with autossh instead of ssh. About the performance I would say, that the SSH protocol is highly customizable and you could fine tune your connection, if needed.

But I would not expect a noticeable overhead after the connection is set up.

Related Solutions

Ssh – Why does logging out of an SSH session hang when using port-forwarding

As you expected, this happens because SSH won't exit if there are outstanding connections going through the tunnel.

If you exit your browser (and all other programs that are going through the port 9000 tunnel) then SSH should exit.

The ssh man page says:

 The session terminates when the command or shell on the remote machine exits and all X11 and TCP connections have been closed.

And I don't see any options to change that behavior, so I suspect there's nothing you can do.

Stunnel SSL-to-SSL for SMTP/IMAP on Ubuntu – Configuration Guide

I am not familiar with the specifics of 10.10, but I am going to assume that it is pretty close to Debian.

One thing you could do, is basically setup to separate stunnel configurations. On that accepts SSL, and forwards it to a local port, and another that listens on that local port, and then makes SSL connections to the external host. These two can be bound to the loopback interface only so unencrypted data will not cross the network. Just keep in mind that you are basically performing a MITM attack against yourself. I used a setup like this while I was helping diagnose some issues with a web service a guy was developing.

The packaged version of stunnel in Debian/Ubuntu should make this easy. The startup scripts will basically start an instance of stunnel for every configuration file (*.conf) found in /etc/stunnel4. So you can put the two separate configurations in /etc/stunnel4, generate your keys, restart stunnel and it should work.

So here is the first config that accepts the SSL

; /etc/stunnel/ssl_in.conf
; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/srv1.keys

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4

; PID is created inside chroot jail
pid = /srv1.pid

debug = 4
output = /var/log/stunnel4/ssl_in.log

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[ssl_in_imap]
accept  = 993
connect = localhost:10993

[ssl_in_smtp]
accept  = 587
connect = localhost:10587

Your second instance that creates outgoing connections.

; /etc/stunnel/ssl_out.conf
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4

; PID is created inside chroot jail
pid = /clt1.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

client=yes
CAfile = clt1.ca
verify = 0


[ssl_out_imap]
accept  = 10993
connect = remote_server:993

[ssl_out_smtp]
accept  = 10587
connect = remote_server:10587

To generate the filename.keys for the server.

# Create a new key and preparte a CSR 
openssl req -new -keyout filename.pem -out filename.csr
# Remove the passphrase from the key
openssl rsa -in filename.pem -out filename.key
# Self sign
openssl x509 -in filename.csr -out filename.cert -req -signkey filename.key -days 720
# combine files to get the keys file stunnel needs.
cat filename.key filename.cert > filename.keys

Your file will look like this.

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDkwzyKrPRXGyvEgITm/7oC9fDU4Y7L9mtMXmcIR98cp0g1ndcz
...
qhP3y97k67EVdSC+92pIGrAL7kBWckpJ2HP1El4KeZg=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICHzCCAYgCCQDq/33qh7Dq5TANBgkqhkiG9w0BAQUFADBUMQswCQYDVQQGEwJV
...
ebbhvhYLx1KkhD8/dXEbU0+kNg==
-----END CERTIFICATE-----

Best Answer

Related Solutions

Ssh – Why does logging out of an SSH session hang when using port-forwarding

Stunnel SSL-to-SSL for SMTP/IMAP on Ubuntu – Configuration Guide

Related Topic