I’ve got a project which requires to save some of it’s data to a mysql db. The client made it mandatory to use a SSL tunnel with certificates for the database connection. I’ve came across this feature request here but there’ haven’t been any updates since. I was wondering if that has already been build into the core as I can’t find anything in the docs.
If it hasn’t been added yet what would be the best approach to get this working with the helpful
Db class? Thanks in advance for any hints!
Could you give more details about your requested architecture?
As far I know the use of a SSL tunnel is to make the database server only listen to localhost despite the application server (Kirby) is on a different machine. Since normally a request of the application server could not reach the database in this scenario, a SSL tunnel is established which forwards requests of the application server to the database server, where they appear as if they come from the localhost. Since the connection between the application server and the database server is already secured by SSL, there should be no need to run the database with SSL.
@Adspectus Thanks for your reply.
Like you probably guessed the setup I have is:
- a webserver
- a remote database
In this case the webserver connects to the database from a remote location. One option would be to configure the database server to allow remote connections but I do find that a little unsecure considering that it only exists of user/password.
Using an SSH tunnel links a local port on the webserver to a port on a remote host. Once linked, anything communicated to the local port is passed through SSH to the remote port. The benefit I see by using an SSH tunnel is that the everything between the webserver and the remote database is encrypted by SSH and I can make use of key authentication. I also find a database cannot reliably maintain the security and patching levels like SSH.