What is the best way to allow MySQL on one server to listen for requests from two other servers?

Time: 2022-10-21 22:35:13

I have my MySQL database server on Server 1. I want to have my Rails apps on two other servers - say A and B to be able to connect to this Server 1. What's the best way to do this?

In the my.cnf file it appears I can use the bind-address to bind to one and only one IP address. I can't specify the IP addresses of both A and B in my.cnf.

On the other hand, if I comment skip-networking, the gates are wide open.

Is there a golden mean? What are you folks doing to allow a DB server to listen to requests from multiple app servers and still stay secure?

5 solutions

#1


If MySQL is running on Linux:

I am very biased towards using iptables (a.k.a. netfilter, the Linux firewall) to control incoming traffic to various ports. It's simple to use and very robust.

iptables -A INPUT -p tcp -s server1address/32 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s server2address/32 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP

#2


The bind address is the local IP address of the server, not the allowable client addresses. In your situation, you can provide the static address of your server (in place of localhost) or, if your IP might change, just comment it out.

Again, to clarify: the bind-address is the address on which the server listens for client connections (you could have multiple NICs, or multiple IP addresses, etc.). It is also possible to change the port you want mysql to listen to.

You will want to make sure you configure the root password if you haven't already:

mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('yourpassword');

You would then use other means to restrict access to MySql to something like the local network (i.e. your firewall).

#3


More info about iptables:

The iptables commands above must either be inserted in the existing iptables tables, or else you must delete the existing stuff and start from scratch with the commands above.

Insertion is not hard, but it depends a little bit on the Linux distribution you use, so I'm not sure what to recommend.

To start from scratch, you need to Flush and eXpunge the existing tables first:

iptables -F
iptables -X

Then insert the iptables firewall rules that you need to use, following the model indicated in my previous answer.

Then save the iptables rules. This is again distribution-dependent. On most Red Hat derivatives (Red Hat, Fedora, CentOS), it's enough to run:

service iptables save

Voila, your custom rules are saved. If the iptables service is enabled (check with "chkconfig --list iptables", it must be ":on" on runlevels 3 and 5, depending on your situation, but it's safe to set it ":on" on both 3 and 5 in any case) then your rules will survive the reboot.

At any time, you can check the current running iptables rules. Here are a few commands that do that, with various levels of verbosity:

iptables -L
iptables -L -n
iptables -L -n -v

Without -n, it will try to look up the domain names and display them instead of IP addresses - this may not be desirable if DNS is not working 100% perfect. So that's why I almost always use -n.

-v means "verbose", a bit harder to read but it gives more information.

NOTE: If you start from scratch, other services running on that machine may not be protected by iptables anymore. Spend some time and figure out how to insert the MySQL rules in the existing tables. It's better for your system's security.
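
The approach of answers #1 and #3 packaged as a script, as an added example that is not code from any of the answers: the per-client rules live in a dedicated chain that is inserted at the top of the existing INPUT chain, so nothing already on the machine has to be flushed, and the script can be re-run safely. The chain name MYSQL_IN, the client addresses 10.0.0.11 and 10.0.0.12, and the DRY_RUN switch are this example's own assumptions; it targets the classic iptables command used on the page, not nftables.

```shell
#!/bin/sh
# Added example (not from any of the answers): restrict TCP/3306 to the two
# application servers with a dedicated iptables chain that is inserted into
# the existing INPUT chain, so the current ruleset never has to be flushed.
# Assumptions of this example: the chain name MYSQL_IN, the constructed client
# addresses 10.0.0.11 and 10.0.0.12, and the DRY_RUN switch. Written for the
# classic iptables command used on the page (not nftables).

# DRY_RUN=1 (the default) prints the commands instead of running them, so the
# result can be reviewed without root; DRY_RUN=0 applies them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        # A -C (check) in dry-run mode reports "rule not present" silently.
        [ "$1" = "-C" ] && return 1
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Accept only a dotted-quad IPv4 address with an optional /prefix. iptables
# would also accept a hostname and resolve it through DNS at rule-load time,
# which answer #3's remark about -n shows is not something to rely on.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# mysql_allow_from PORT CLIENT...  -- rebuild the MySQL chain for these clients.
mysql_allow_from() {
    port="$1"; shift
    run -N MYSQL_IN 2>/dev/null || true   # create once; harmless if it exists
    run -F MYSQL_IN                       # empty it so re-runs are idempotent
    for client in "$@"; do
        valid_ipv4 "$client" || { echo "invalid client address: $client" >&2; return 1; }
        case "$client" in */*) ;; *) client="$client/32" ;; esac
        run -A MYSQL_IN -p tcp -s "$client" --dport "$port" -j ACCEPT
    done
    # Anything else that reaches this chain on the MySQL port is dropped.
    run -A MYSQL_IN -p tcp --dport "$port" -j DROP
    # Jump from INPUT into the chain. -I at position 1 (rather than -A) keeps an
    # earlier catch-all rule from shadowing it; -C avoids adding a second jump.
    run -C INPUT -p tcp --dport "$port" -j MYSQL_IN 2>/dev/null \
        || run -I INPUT 1 -p tcp --dport "$port" -j MYSQL_IN
}

# Show the resulting chain numerically (-n) and with counters (-v), as in #3.
show_mysql_chain() {
    run -L MYSQL_IN -n -v
}

# Usage: DRY_RUN=1 ./mysql-fw.sh to review, then DRY_RUN=0 as root to apply,
# followed by "service iptables save" (Red Hat family) to persist the rules.
mysql_allow_from 3306 10.0.0.11 10.0.0.12
show_mysql_chain
```

Because the jump is inserted rather than appended, an existing permissive rule earlier in INPUT cannot bypass the MySQL chain; the trade-off is that the DROP only covers the MySQL port, so the rest of the machine's rules stay exactly as they were.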

#4


In addition to getting the bind address right you'll need to open the correct port, create or configure the users and some other details. This explains it pretty clearly.
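
Answers #2 and #4 say to set the root password and to create or configure the users, but do not show the accounts themselves. This added example (not code from the answers) generates per-server MySQL accounts whose host part is the application server's own address, so that a leaked password or a firewall mistake still does not let an arbitrary host log in. The schema name appdb, the account name rails, the client addresses and the placeholder password are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original answers: generate the MySQL account
# statements that complement the firewall rules. Each Rails server gets its own
# account bound to its source address (the host part of 'user'@'host'), so a
# leaked password or a firewall mistake does not let an arbitrary host use it.
# Constructed values: schema appdb, account name rails, the client addresses
# 10.0.0.11 and 10.0.0.12, and the placeholder password.

# Escape a value for use inside a single-quoted MySQL string literal:
# backslash -> double backslash, single quote -> two single quotes.
sql_escape() {
    printf '%s' "$1" | sed "s/\\\\/\\\\\\\\/g; s/'/''/g"
}

# Accept only a dotted-quad IPv4 host part. A '%' wildcard or a hostname would
# widen the account far beyond the two application servers.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# grant_sql SCHEMA USER HOST PASSWORD  -- statements for one client host.
grant_sql() {
    schema="$1"; user="$2"; host="$3"; password="$4"
    valid_ipv4 "$host" || { echo "refusing host '$host': use a single IPv4 address" >&2; return 1; }
    # Least privilege: DML on the application schema only. No GRANT OPTION,
    # no global privileges, and no access to other schemas.
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" \
        "$(sql_escape "$user")" "$host" "$(sql_escape "$password")"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE ON \`%s\`.* TO '%s'@'%s';\n" \
        "$(sql_escape "$schema")" "$(sql_escape "$user")" "$host"
}

# Audit query: an account with an empty or wildcard host part undoes the
# per-server restriction above and should be reviewed.
wildcard_accounts_sql() {
    cat <<'EOF'
SELECT user, host FROM mysql.user WHERE host = '' OR host LIKE '%\%%';
EOF
}

# Usage: emit one account per application server, then pipe into mysql as root.
# Read a real password from a file or the environment rather than typing it
# on a command line, where it would end up in shell history.
for client in 10.0.0.11 10.0.0.12; do
    grant_sql appdb rails "$client" "${RAILS_DB_PASSWORD:-change-me}"
done
wildcard_accounts_sql
```

Run the output through the mysql client as root, then run the audit query periodically: the two host-bound accounts plus 'root'@'localhost' (whose password answer #2 tells you to set) should be the only ones that exist, and nothing should have a '%' host.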

#5


A DB server will listen to an indefinite number of clients.

Each client Rails app identifies the DB server.

The DB server waits patiently for connections. It has no idea how many clients there are or where the connections come from.

Edit

"how do you securely configure the DB wrt what servers to accept requests from?"

That's what networks, firewalls and routers are for.

That's why the database requires credentials from the Rails apps.
