16

We have a PHP application which connects to a MySQL server, and we wish to secure connections between the web & application servers and the database.

At peak times, the web servers make many hundreds of concurrent connections to the database, and perform lots of small reads and writes. I'm aware this isn't optimal, and am working on reducing the number of database connections in parallel to this.

We don't have persistent connections to the database turned on currently, and although we intend to in the future I would like to implement this independently of that.

Hardware wise - the MySQL server is quite chunky (16 core) as are the web servers. They're dedicated servers.

My question then surrounds the most performant way of securing & encrypting the connections to the database server.

My research so far has suggested that the main performance overhead is with setting up the SSL connection - once SSL is connected there is little performance penalty. And here's what I have about each method of securing the connection:

  1. MySQL SSL Certificates - works just like normal SSL. Can use client certificates to prevent unauthorised connections. No persistent connections with our existing setup. Still have to have MySQL listening on an open port on the firewall.
  2. stunnel. Set up a port to port ssl tunnel. Do not have to reconfigure MySQL. Can close the normal MySQL listening port to prevent malicious MySQL connection attempts. Does not support persistent connections. Unknown performance hit.
  3. SSH Tunneling. Create an SSH tunnel between the client and the server. Do not have to reconfigure MySQL. Can close the normal MySQL listening port to prevent malicious MySQL connection attempts. Supports persistent connections, but these sometimes drop out. Unknown performance hit.

This is as far as I've been able to get. I'm aware of the limitations of benchmarks - in my experience of running them it's very difficult to simulate real world traffic. I was hoping that someone had some advice based on their own experiences of securing MySQL?

Thanks

dastra
  • 195
  • 1
  • 5
  • What kind of server/network architecture do you have? What kind of a scenario are you trying to prevent? If all your server-to-server communication is on a separate switch/VLAN, then you might not need anti-sniffing protection. As for performance, run `openssl speed` and pick ciphers that fit your needs for protection vs performance compromise. – Marcin Apr 22 '11 at 14:28
  • @Marcin - thanks for the openssl speed tip. The scenarios I'm trying to prevent are unauthorised connections to mysql and to encrypt communication between the servers. Any further help you can give comparing the three approaches would be gratefully received. – dastra Apr 22 '11 at 14:54
  • 1
    to 3) use **autossh** to reduce dropout effect. It will reconnect automatically in case of a disconnect. Works well here in a lot of situations. – moestly Apr 29 '11 at 15:58

2 Answers2

6

I would go with the ssh-tunnel and do it with autossh instead of ssh. About the performance I would say, that the SSH protocol is highly customizable and you could fine tune your connection, if needed.

But I would not expect a noticeable overhead after the connection is set up.

moestly
  • 1,138
  • 8
  • 10
3

By looking at the benchmarks of this article (MySQL Performance Blog), you should really avoid MySQL’s native SSL capability.

Nicolas BADIA
  • 356
  • 1
  • 6
  • 15