3

Google Cloud SQL instances are by default not exposed to the Internet. One of the connection methods supported is Cloud SQL Proxy, which is able to map the Cloud SQL instance to a local port (say, localhost:3306) or a UNIX socket.

It is authenticating with a service account, which is in practise a public/private key pair (be it as a file or attached to a Compute Engine instance via metadata).

My suspicion is that it works similarly to stunnel, the server exposes an SSL service that tunnels the mysql protocol and the client authenticates with a client certificate. Does anyone have more information on how this protocol works?

I would like to understand which connections are made, how are my keys used, which encryption methods are used and, in general, which security principles are protecting my connection.

Can I reuse the same service account credentials to authenticate connections to my own databases (say, Redis)? If so, how?

Thanks!

gimix
  • 283
  • 2
  • 9
  • 2
    Well, it *is* a proxy. It authenticates through the service's API and proxies queries received on the local port through the API to the actual database. Are you asking how it's actually implemented? I don't think that's on-topic here... – GnP Feb 21 '17 at 22:07
  • 2
    I understand it proxies somehow. I would like to understand the underlying protocol details, in the security aspect. Which connections are made, which keys are exchanged, how is my connection encrypted (if it is)? – gimix Feb 22 '17 at 07:42

2 Answers2

4

It uses SSL: https://github.com/GoogleCloudPlatform/cloudsql-proxy/blob/master/proxy/proxy/client.go

It uses Google Cloud SQL APIs for managing SSL (https://cloud.google.com/sql/docs/mysql/configure-ssl-instance, https://github.com/GoogleCloudPlatform/cloudsql-proxy/blob/master/proxy/proxy/dial.go).

Maciek Sawicki
  • 186
  • 5
4

If you nmap the public IP of a cloud SQL instance, it looks like this:

$ nmap -Pn -p 3306,3307,5432 35.197.181.190
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-13 01:11 AEST
Nmap scan report for 190.181.197.35.bc.googleusercontent.com (35.197.181.190)
Host is up (0.020s latency).

PORT     STATE    SERVICE
3306/tcp filtered mysql
3307/tcp open     opsession-prxy
5432/tcp filtered postgresql

Nmap done: 1 IP address (1 host up) scanned in 1.48 seconds

Ports 3306 and 5432 are filtered by the firewall. You can use the Cloud SQL API to temporarily whitelist your IP and then connect using standard database clients.

Port 3307 is always open, and accepts TLS encrypted connections. The TLS connection requires a client certificate that is signed by a certificate authority specific to that cloud SQL instance, and the proxy requests a temporary/ephemeral TLS certificate from the sslCerts part of the Cloud SQL API.

The cloud sql proxy then opens a tunnel to this port that's (usually) presented locally on ports 3306 or 5432 for clients to connect to.

James Healy
  • 141
  • 4