
I'm trying to determine the best, modern practice for using your own separate database server for a web-app. I have an app server, appserver1, (running php, nginx, etc, not that that matters much), and a db server; dbserver1 (running postgresql, which probably doesn't matter).

I want to use the command line psql command and app database connections from appserver1 that connect to the database on dbserver1. Both are on the same internal network at rackspace, so the connection is fast. However, I don't want to trust that connection if it's standard protocol not to, so if it's necessary to secure that connection further, how can I best secure that connection?

Securing the Connection

I have heard of ssh tunnelling, though I haven't used it before. It seems pretty simple, overall. Should I set up an ssh tunnel from appserver1 that points at dbserver1 and then I'll be able to connect as if it were all localhost? Or else what should my approach be?

Edit: Can I just set the server to only listen to localhost and the ip of the web servers, or is that not a maintainable solution, long term?

Kzqai
  • Why do you need a tunnel? Can't you just connect directly? – Michael Hampton Jan 30 '15 at 18:25
  • Agreed. Why wouldn't you just connect directly from the app/web server to the database server? – joeqwerty Jan 30 '15 at 18:34
  • 1
    To expand on @MichaelHampton's comment, if both servers are on the same network, and that network is trusted, there's no reason why you can't just connect directly. Now, if you are connecting across an un-trusted network, then it is very much worth putting some effort into securing your database traffic. In that case, look into IPsec, which is a much better long-term solution than SSH tunneling for this use case. – EEAA Jan 30 '15 at 18:34
  • Ah, right, I'm using rackspace, and I'm connecting via a rackspace internal network IP, but since rackspace is, like, a cloud-server provider with some million users or servers or whatever, I'm not sure that it's best practice to trust even such an internal connection. – Kzqai Jan 30 '15 at 19:01

1 Answer


Both are on the same internal network at rackspace, so the connection is fast.

I don't have any experience with Rackspace, but I would confirm whether the "internal network" is one set up particularly for local communication between your boxes and nobody else. If it is an internal network that any of their customers could be on (and probably is), you should probably consider configuring iptables to only allow connections from trusted IPs, or some type of VPN solution between the boxes, and firewall your services from all other external connections, even if they come from the Rackspace network.

EDIT: You may be okay to use the Rackspace internal network if you are comfortable with setting up iptables to only allow connections from IP addresses you trust (e.g., your other servers) while rejecting everyone else. It would probably be more elegant than the VPN solution, but it may be trickier to configure if you aren't used to managing your firewall rules.

Vile Brigandier
  • Yes, exactly so, it's an "internal network" for rackspace servers, which means god knows who could be on there! Damn, I have to set up a VPN just to securely connect to my database on a separate server? *sighs* I've never messed with a VPN before. – Kzqai Jan 30 '15 at 19:05
  • Is setting the `dbserver1` postgresql.conf to listen only to the ips of `appserver1` (and any future additional app servers) not enough? – Kzqai Jan 30 '15 at 19:08
  • Not sure about the particular postgresql settings, but usually the listening IP is what interface you'd like to listen on (i.e., if your server has more than one network card, or if you only want to listen on localhost). I am also editing my original response now. – Vile Brigandier Jan 30 '15 at 19:13
  • Ah, yes! So I can just use username & password authentication with a ufw firewall set to reject all connections not validly made from one of my two web servers. This sounds like the easiest to deal with, as ufw makes firewall administration easy for me. Thanks. – Kzqai Jan 30 '15 at 19:23
  • Sounds good, just make sure you test that connections are being rejected if they come from some place else. Telnet or nmap should be able to help with that. Good luck. – Vile Brigandier Jan 30 '15 at 19:27
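The lockdown the answer and its comments converge on (accept TCP 5432 only from the app server and loopback, drop it from everyone else on the shared Rackspace network, then test that it is really closed) looks like the script below. It is an added example, not code from the original thread or from either participant. The addresses (`10.176.0.10` for appserver1, `10.176.0.20` for dbserver1), the database name `appdb` and the role `appuser` are assumptions for illustration; the iptables rules, `listen_addresses` and `pg_hba.conf` syntax are standard. It goes one step beyond the thread by restricting the app-server entries to `hostssl`, so the connection is also encrypted rather than only IP-filtered.

```shell
#!/bin/sh
# Added example (not from the original thread): lock PostgreSQL on dbserver1
# down to loopback plus a list of trusted app-server IPs, and emit matching
# pg_hba.conf entries. All addresses and names below are assumptions.
APP_SERVERS="10.176.0.10"        # appserver1's Rackspace internal IP (assumed)
DB_LISTEN_IP="10.176.0.20"       # dbserver1's own internal IP (assumed)
PG_PORT=5432

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# A typo here would otherwise become a rule that matches nothing, or everything.
valid_ipv4() {
  ip=$1
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print iptables commands: accept the DB port from loopback and each trusted
# IP, then DROP it from everyone else (other tenants on the internal network
# included). Prints nothing on stdout and returns 1 if any address is malformed.
iptables_rules() {
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
  done
  echo "iptables -A INPUT -i lo -p tcp --dport $PG_PORT -j ACCEPT"
  for ip in "$@"; do
    echo "iptables -A INPUT -p tcp -s $ip/32 --dport $PG_PORT -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport $PG_PORT -j DROP"
}

# Print pg_hba.conf lines: Unix socket via peer auth, loopback via password,
# and the app servers only over TLS (hostssl) with password auth. There is
# deliberately no 0.0.0.0/0 entry. md5 works on every 9.x release; use
# scram-sha-256 instead on PostgreSQL 10 and later.
pg_hba_lines() {
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $ip" >&2; return 1; }
  done
  printf '%-8s %-8s %-8s %-18s %s\n' local   all   all     ''            peer
  printf '%-8s %-8s %-8s %-18s %s\n' host    all   all     127.0.0.1/32  md5
  for ip in "$@"; do
    printf '%-8s %-8s %-8s %-18s %s\n' hostssl appdb appuser "$ip/32"     md5
  done
}

case "${1:-show}" in
  apply)   # run as root on dbserver1; pg_hba.conf is still edited by hand
    iptables_rules $APP_SERVERS | sh -e || exit 1
    echo "# add these lines to pg_hba.conf and set listen_addresses = 'localhost,$DB_LISTEN_IP'"
    pg_hba_lines $APP_SERVERS
    ;;
  *)       # default: dry run, just show what would be applied
    echo "# iptables rules for dbserver1 (TCP $PG_PORT):"
    iptables_rules $APP_SERVERS
    echo "# pg_hba.conf entries; also set listen_addresses = 'localhost,$DB_LISTEN_IP':"
    pg_hba_lines $APP_SERVERS
    ;;
esac
```

Run it with no arguments to review the output, then `sh lockdown.sh apply` as root on dbserver1. The ufw equivalent that the question settled on is `ufw allow from 10.176.0.10 to any port 5432 proto tcp` followed by `ufw deny 5432/tcp`, in that order. To verify as the answer suggests, run `nmap -Pn -p 5432 10.176.0.20` from a host that is not in the list: the port should show as `filtered` (it would show `closed` if you used `-j REJECT` instead of `DROP`), while `psql "host=10.176.0.20 dbname=appdb user=appuser sslmode=require"` from appserver1 should still connect. Two caveats the thread does not cover: `hostssl` entries are only usable once `ssl = on` and a server certificate are configured in postgresql.conf, and source-IP filtering alone does not stop a neighbour on the same L2 segment from spoofing the app server's address, which is why the TLS requirement is there rather than password auth over a plain `host` line.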