List:       mediawiki-l
Subject:    Re: [MediaWiki-l] use ssl to access the database
From:       Tim Dunphy <bluethundr () gmail ! com>
Date:       2015-07-29 2:54:51
Message-ID: CAOZy0ekDwH4uRp0reXrQK38U6+xAxaEqSssVPSpSUT22K2y=HA () mail ! gmail ! com

Cool! Just took your advice. Thanks for the tip!

On Tue, Jul 28, 2015 at 10:42 PM, Krinkle <krinklemail@gmail.com> wrote:

> I'm glad this works but I'd recommend using =true instead of =1 since 1 is
> not a boolean, it's an integer.
> 
> This may work now but could unexpectedly break in a minor update.
> 
> — Krinkle
> 
> > On 26 Jul 2015, at 18:47, Tim Dunphy <bluethundr@gmail.com> wrote:
> > 
> > > 
> > > wgDBssl is a bool setting
> > 
> > 
> > Ok, thanks for that info! So this is what I tried.
> > 
> > 
> > ## Database settings
> > $wgLBFactoryConf['class'] = 'LBFactorySimple';
> > $wgDBservers = '';
> > $wgDBtype = "mysql";
> > $wgDBserver = "xx.xx.xx";
> > $wgDBssl    =  1;
> > $wgDBname = "jfwiki";
> > $wgDBuser = "admin_ssl";
> > $wgDBpassword = "secret";
> > 
> > Bingo!! That one put me over the top. The wiki page comes up.
> > 
> > Thanks for the help!!
> > 
> > All set with SSL connections to the DB. Glad I found out how to do that.
> > 
> > Tim
> > 
> > 
> > 
> > 
> > On Sun, Jul 26, 2015 at 8:30 PM, John <phoenixoverride@gmail.com> wrote:
> > 
> > > wgDBssl is a bool setting
> > > 
> > > On Sunday, July 26, 2015, Tim Dunphy <bluethundr@gmail.com> wrote:
> > > 
> > > > The database is actually load balanced behind HA/Proxy. I'm testing from
> > > > one webserver currently, the other two web servers have been left out of
> > > > the pool.
> > > > 
> > > > The connection from the command line as well as the wiki site goes:
> > > > 
> > > > web server -> lb1 -> db1
> > > > 
> > > > I can log into db1 from both the web server as well as the load balancer
> > > > using the SSL account.
> > > > 
> > > > I altered my connection string in LocalSettings.php so that it looks like
> > > > this:
> > > > 
> > > > ## Database settings
> > > > $wgLBFactoryConf['class'] = 'LBFactorySimple';
> > > > $wgDBservers = '';
> > > > $wgDBtype = "mysql";
> > > > $wgDBserver = "db.example.com";
> > > > $wgDBssl    =  "db.example.com";
> > > > $wgDBname = "jfwiki";
> > > > $wgDBuser = "admini_ssl";
> > > > $wgDBpassword = "secret";
> > > > 
> > > > But I'm getting the same error that points to the load balancer IP in the
> > > > error message:
> > > > 
> > > > (Cannot access the database: Access denied for user 'admini_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' (using password: YES) (db.example.com))
> > > > 
> > > > 'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' is the load balancer.
> > > > 
> > > > Any ideas on why this is still happening?
> > > > 
> > > > Thanks,
> > > > Tim
> > > > 
> > > > On Sun, Jul 26, 2015 at 7:27 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
> > > > 
> > > > > https://www.mediawiki.org/wiki/Manual:$wgDBssl
> > > > > 
> > > > > 
> > > > > Very cool! Thank you! I'll check this out!
> > > > > 
> > > > > On Sun, Jul 26, 2015 at 3:37 AM, Benjamin Lees <emufarmers@gmail.com> wrote:
> > > > > 
> > > > > > https://www.mediawiki.org/wiki/Manual:$wgDBssl
> > > > > > 
> > > > > > On Sat, Jul 25, 2015 at 8:51 PM, Tim Dunphy <bluethundr@gmail.com> wrote:
> > > > > > > Hi all,
> > > > > > > 
> > > > > > > I just added a remote database to my media wiki setup. I can access the
> > > > > > > database from the command line and using that info the wiki site shows up
> > > > > > > in a browser and works.
> > > > > > > 
> > > > > > > But some of the data is sensitive so I need to add an ssl user to access
> > > > > > > the database.
> > > > > > > 
> > > > > > > If I add an ssl user to the db, I can also access it from the command line
> > > > > > > of the web server no problem:
> > > > > > > 
> > > > > > > [root@ops:~] #mysql -uadmin_ssl -p -h db.example.com -e "SHOW DATABASES"
> > > > > > > Enter password:
> > > > > > > +--------------------+
> > > > > > > | Database           |
> > > > > > > +--------------------+
> > > > > > > | certs              |
> > > > > > > | information_schema |
> > > > > > > | jfwiki             |
> > > > > > > | mysql              |
> > > > > > > | performance_schema |
> > > > > > > +--------------------+
> > > > > > > 
> > > > > > > But with the ssl user in place in LocalSettings.php, I'm getting this
> > > > > > > response from the browser:
> > > > > > > 
> > > > > > > Sorry! This site is experiencing technical difficulties.
> > > > > > > 
> > > > > > > Try waiting a few minutes and reloading.
> > > > > > > 
> > > > > > > *(Cannot access the database: Access denied for user 'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' (using password: YES) (db.example.com))*
> > > > > > > 
> > > > > > > You can try searching via Google in the meantime.
> > > > > > > Note that their indexes of our content may be out of date.
> > > > > > > 
> > > > > > > JF Wiki  WWW
> > > > > > > 
> > > > > > > This is what the grant for the user looks like in the database:
> > > > > > > 
> > > > > > > MariaDB [(none)]> show grants for 'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com';
> > > > > > > +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> > > > > > > | Grants for admin_ssl@ec2-xx-xx-xxx-xx.compute-1.amazonaws.com |
> > > > > > > +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> > > > > > > | GRANT ALL PRIVILEGES ON *.* TO 'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' IDENTIFIED BY PASSWORD '*somePasswordHash' REQUIRE SSL |
> > > > > > > +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> > > > > > > 1 row in set (0.00 sec)
> > > > > > > 
> > > > > > > I was just wondering what I'd need to do to make this work!! All
> > > > > > > suggestions welcomed.
> > > > > > > 
> > > > > > > Thanks,
> > > > > > > Tim
> > > > > > > 
> > > > > > > --
> > > > > > > GPG me!!
> > > > > > > 
> > > > > > > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> > > > > > > _______________________________________________
> > > > > > > MediaWiki-l mailing list
> > > > > > > To unsubscribe, go to:
> > > > > > > https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> > > > > > 



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
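
Added example, not part of the thread or of MediaWiki's code: a stand-alone PHP check, run from the web server, that the settings discussed above give an encrypted session. It assumes $wgDBssl corresponds to mysqli's MYSQLI_CLIENT_SSL flag; host, user and database are the thread's placeholders, and WIKI_DB_PASSWORD is an environment variable name made up for this example.

```php
<?php
// Added example: verify that a connection made the way $wgDBssl = true asks
// for is really encrypted. Values below are the thread's placeholders.
$wgDBserver = 'db.example.com';
$wgDBname   = 'jfwiki';
$wgDBuser   = 'admin_ssl';
$wgDBssl    = true;                 // boolean; 1 and "db.example.com" are only truthy
$password   = getenv('WIKI_DB_PASSWORD') ?: '';   // assumed variable name

// Returns the negotiated TLS cipher, or '' when the session is plaintext.
function sessionCipher(mysqli $db): string
{
    $row = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
    return $row['Value'] ?? '';
}

if (!is_bool($wgDBssl)) {
    fwrite(STDERR, "\$wgDBssl must be true or false, got " . gettype($wgDBssl) . "\n");
    exit(2);
}

// Make mysqli throw on failure on every PHP version.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $db = mysqli_init();
    $db->options(MYSQLI_OPT_CONNECT_TIMEOUT, 5);
    $db->real_connect($wgDBserver, $wgDBuser, $password, $wgDBname, 3306, null,
        $wgDBssl ? MYSQLI_CLIENT_SSL : 0);
    $cipher = sessionCipher($db);
    $db->close();
} catch (mysqli_sql_exception $e) {
    // An account granted with REQUIRE SSL is refused with "Access denied"
    // when the client does not negotiate TLS.
    fwrite(STDERR, "Connection failed: " . $e->getMessage() . "\n");
    exit(1);
}

if ($cipher === '') {
    fwrite(STDERR, "Connected, but the session is NOT encrypted\n");
    exit(1);
}
echo "Encrypted session, cipher: $cipher\n";
```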