
I currently have a web application and database on the same server. I am moving the database to a new server that is spec'd for being a database. Now I have nightly scripts that run on the web application that insert and update data for the application from our ERP system. Should the scripts that do this import run from the database server or from the application server? It makes sense to me to keep all of the application logic together, but from a performance point of view it makes more sense (I think) to have the scripts that update the database nightly run from the actual database server.

May or may not be needed for the question, but I have a website and 3 web applications that are all being converted from local database installations to the new central database.

Last question: should the database server be in the DMZ, but locked down to only accept connections from the application server IPs, or should it be behind the firewall?

Additional info if helpful: Python applications (TG and Flask), all running off of PostgreSQL 9.

Edit: If this is the wrong place for this, please let me know where it should be posted. I originally had it at programmers but didn't get any responses, and after re-reading my questions this site just felt "better".

Ominus

1 Answer

Assuming low latency between the application server and the database server, performance will be largely the same regardless of which side you run the scripts on.

I vote for what is easiest to maintain. Two reasons to keep the scripts on your application server:

1) Less change to your existing way of doing things

2) All your code (including these scripts) is in one place. This may have advantages in version control/deployment.

And for the firewall/DMZ: The least amount of trust between the database and the application, the better. If you can put your database server behind the firewall and allow the PostgreSQL ports (5432/tcp by default) only from your app server in the DMZ, then a compromised application account would then have to get through the PostgreSQL port to further penetrate or trash your data.

You could then further limit the application at the database level with:

1) Minimal application database permissions (select-only where appropriate, ...)

2) Updatable views (a technique that can provide more limited data updates)

3) On-update triggers (another technique that can limit updates)

Security in layers :)

Dan Armstrong
  • Gigabit Ethernet between the servers. The database server will have one NIC specifically for updating (nightly imports and updates, that is) and the other for normal operations. What you lay out is kind of where my head was at. Will mark accepted answer after I see some others come in. – Ominus Jan 28 '15 at 20:07
  • I edited the above post to address the database behind the firewall. Security in layers :) – Dan Armstrong Jan 28 '15 at 20:09
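
The three database-level limits listed in the answer, sketched together for PostgreSQL. This is an added example, not code from the answer: the `products` table, its columns, and the `webapp` and `erp_import` roles are hypothetical, and it assumes PostgreSQL 9.3 or later, where simple views are automatically updatable.

```sql
-- Constructed schema: table, column and role names are hypothetical.
CREATE ROLE webapp LOGIN;       -- account used by the web applications
CREATE ROLE erp_import LOGIN;   -- account used by the nightly import scripts

CREATE TABLE products (
    id          integer PRIMARY KEY,
    sku         text NOT NULL,
    description text,
    price       numeric(10,2) NOT NULL
);

-- 1) Minimal permissions. New tables grant nothing to PUBLIC, so each role
--    gets only what is listed here: the web app reads, the import writes.
GRANT SELECT ON products TO webapp;
GRANT SELECT, INSERT, UPDATE ON products TO erp_import;

-- 2) Updatable view. The web app has no UPDATE on the base table; it can
--    write only through this view, which does not expose price at all.
CREATE VIEW product_descriptions AS
    SELECT id, sku, description FROM products;
GRANT SELECT, UPDATE ON product_descriptions TO webapp;

-- 3) On-update trigger. Enforced for every writer, including the view path:
--    keys never change, and price changes only under the import account.
CREATE FUNCTION products_guard() RETURNS trigger AS $$
BEGIN
    IF NEW.id <> OLD.id OR NEW.sku <> OLD.sku THEN
        RAISE EXCEPTION 'id and sku are immutable';
    END IF;
    IF NEW.price IS DISTINCT FROM OLD.price
       AND session_user <> 'erp_import' THEN
        RAISE EXCEPTION 'price may only be changed by the ERP import';
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER products_guard_upd
    BEFORE UPDATE ON products
    FOR EACH ROW EXECUTE PROCEDURE products_guard();
```

With this in place, a session logged in as `webapp` can run `UPDATE product_descriptions SET description = ...`, while an `UPDATE products ...` from the same session is refused with a permission error.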