I need to set up a MySQL database instance in a DMZ that is a read-only copy of the live master inside a secure network.
MySQL replication seems ideal for this, except that it works by the slave "pulling" changes from the master. This implies that the slave, in the DMZ, has to be able to open a connection to the master, which the security folk won't allow.
I have played with setting up ssh tunnels from the master, but the slave seems to hold the connection open (even after calling "SLAVE STOP"), meaning the tunnel is always open (somewhat defeating the security restriction).
Is there some way of forcing mysql to drop the connection, short of stopping mysqld?
Is there another way of achieving the same goal I haven't thought of?
Updates from master to slave need to be near-real time (i.e. a couple of minutes latency is acceptable, but not more).
Best Answer
Another idea, a slight variation on what you have described:
The key here is that the tunnel is created and destroyed by the master, updates are run periodically.