I'm running CentOS 7 on all the servers mentioned below.
I'm testing in a local development environment, setting up separate database and web servers.
These servers are two VirtualBox instances connected via Bridged Mode on the local area network, so they can see each other without problem.
I want the WEB server to be able to connect to MySQL on the DB server, with an IP restriction that allows connections from the WEB server only.
I've read through some discussion threads but none of them helped resolve my problem, as many of them are firewall- or SELinux-related.
I've disabled both firewalld and SELinux so that these are not factors at the moment.
DB server IP: 192.168.1.167
WEB server IP: 192.168.1.168
I'm using the following script for testing, http://192.168.1.168/connect.php (placed on the WEB server):
<?php
$servername = "192.168.1.167";   // DB server
$username = "demouser";
$password = "password";

// Create connection
$conn = mysqli_connect($servername, $username, $password);

// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>
I'm getting a "Connection failed: Permission denied" error when performing:
- wget http://192.168.1.168/connect.php on the 192.168.1.168 terminal console
- http://192.168.1.168/connect.php in my browser window, which gives me the same error.
(1) However, I am able to successfully connect via the command line using mysql -u demouser -p -h 192.168.1.167 from 192.168.1.168 (WEB server).
(2) I also get "Connected successfully" when directly executing php connect.php in the terminal console of 192.168.1.168 (WEB server).
I can only confirm that the remote MySQL connection via SSH is working, and that via the PHP MySQL module it is working.
Here are the access privileges on 192.168.1.167 (DB server):
+---------------------------------------------------------------------------------------------------------------+
| Grants for demouser@localhost |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'demouser'@'localhost' IDENTIFIED BY PASSWORD '*DB17DD535D122AED147A61C30CD5D01FB3BC5433' |
| GRANT ALL PRIVILEGES ON `demodb`.* TO 'demouser'@'localhost' |
+---------------------------------------------------------------------------------------------------------------+
+-------------------------------------------------------------------------------------------------------------------+
| Grants for demouser@192.168.1.168 |
+-------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'demouser'@'192.168.1.168' IDENTIFIED BY PASSWORD '*DB17DD535D122AED147A61C30CD5D01FB3BC5433' |
| GRANT ALL PRIVILEGES ON `demodb`.* TO 'demouser'@'192.168.1.168' |
+-------------------------------------------------------------------------------------------------------------------+
netstat on 192.168.1.167 is showing:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2892/mysqld
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1704/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1053/sshd
How can I allow the remote MySQL connection via HTTP/PHP, yet only for requests originating from the aforementioned WEB server?
Best Answer
I was able to identify that SELinux was the cause of the connection failure. As mentioned in the original thread, I disabled SELinux and the firewall on the DB server, which I believed was blocking the remote connection from the WEB server. What was causing the connection issue was SELinux on the WEB server. I temporarily disabled it using setenforce 0 to set it into permissive mode. Everything works.

I re-enabled SELinux and the firewall on the DB server. I can still make the remote database connection via the PHP script on the WEB server. I can now confirm that the issue was on the WEB server initiating the connection.

I re-enabled SELinux on the WEB server and used the following command to set the SELinux boolean on the WEB server:

setsebool -P httpd_can_network_connect_db 1

Currently I have SELinux active on both WEB & DB servers in enforcing mode, and the remote MySQL connection can still go through successfully. What I've read on other discussion threads didn't say was which server to configure the SELinux booleans on. Hope this thread can help anyone who is experiencing the same problem as I did to save some time.