ansaurus

Question

What's the best way to allow MySQL on one server to listen to requests from two other different servers?

Answer 1

+2 A:

The bind address is the local IP address of the server, not the allowable client addresses. In your situation, you can provide the static address of your server (in place of localhost) or, if your IP might change, just comment it out.

Again, to clarify: the bind-address is the address on which the server listens for client connections (you could have multiple NICs, or multiple IP addresses, etc.). It is also possible to change the port you want mysql to listen to.

You will want to make sure you configure the root password if you haven't already:

mysql> SET PASSWORD FOR 'root'@'localhost' = PASSWORD('yourpassword');

You would then use other means to restrict access to MySql to something like the local network (i.e. your firewall).

Michael Haren 2009-01-04 01:38:11

Michael - thank you for the clarification about what bind-address does. I do have a root password set and I'll try and do what Florin below has suggested. Thank you again.

2009-01-04 04:17:59

Answer 2

A:

A DB server will listen to an indefinite number of clients.

Each client Rails app identifies the DB server.

The DB server waits patiently for connections. It has no idea how many clients there are or where the connections come from.

Edit

"how do you securely configure the DB wrt what servers to accept requests from?"

That's what networks, firewalls and routers are for.

That's why the database requires credentials from the Rail apps.

S.Lott 2009-01-04 01:40:48

Ok, but how do you securely configure the DB wrt what servers to accept requests from? That's the heart of my question. Your comment while correct doesn't address that.

2009-01-04 02:00:27

If this is the heart of your question, please update your question to emphasize this point.

S.Lott 2009-01-04 02:07:08

Answer 3

A:

In addition to getting the bind address right you'll need to open the correct port, create or configure the users and some other details. This explains it pretty clearly.

Jim Blizard 2009-01-04 01:43:16

Thanks Jim, I've bookmarked that article

2009-01-04 04:18:46

Answer 4

+1 A:

If MySQL is running on Linux:

I am very biased towards using iptables (a.k.a. netfilter, the Linux firewall) to control incoming traffic to various ports. It's simple to use and very robust.

iptables -A INPUT -p tcp -s server1address/32 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp -s server2address/32 --dport 3306 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP

Florin Andrei 2009-01-04 03:28:22

Thank you Florin.Yes, MySQL is on Linux. Thanks for showing me the iptables rules. I am curious as to what the /32 part of the command does.

2009-01-04 04:10:16

/32 probably allows anything in the server's D block to access your system. That is, given an IP in the form a.b.c.d, what server1address/32 means is that anyone with the same a.b.c address of the server but a different 'd' number can connect.

Michael Haren 2009-01-04 22:18:51

Thanks for the comment Michael. Now I know *not* to have the /32 in my specific case.

2009-01-04 22:52:30

No, /32 means "this address only", or "no IP interval, just one address".So it's probably correct in your case.

Florin Andrei 2009-01-04 23:23:50

Or you can forget about /32 and it will be implied - not specifying the netmask implies a /32 netmask. So just use the IP address alone and forget the redundant part. Duh, sorry, I'm slowing down after the vacation. :-)

Florin Andrei 2009-01-04 23:41:56

Answer 5

A:

More info about iptables:

The iptables commands above must either be inserted in the existing iptables tables, or else you must delete the existing stuff and start from scratch with the commands above.

Insertion is not hard, but it depends a little bit on the Linux distribution you use, so I'm not sure what to recommend.

To start from scratch, you need to Flush and eXpunge the existing tables first:

iptables -F
iptables -X

Then insert the iptables firewall rules that you need to use, following the model indicated in my previous answer.

Then save the iptables rules. This is again distribution-dependent. On most Red Hat derivatives (Red Hat, Fedora, CentOS), it's enough to run:

service iptables save

Voila, your custom rules are saved. If the iptables service is enabled (check with "chkconfig --list iptables", it must be ":on" on runlevels 3 and 5, depending on your situation, but it's safe to set it ":on" on both 3 and 5 in any case) then your rules will survive the reboot.

At any time, you can check the current running iptables rules. Here's a few commands that do that, with various levels of verbosity:

iptables -L
iptables -L -n
iptables -L -n -v

Without -n, it will try to lookup the domain names and display them instead of IP addresses - this may not be desirable if DNS is not working 100% perfect. So that's why I almost always use -n.

-v means "verbose", a bit harder to read but it gives more information.

NOTE: If you start from scratch, other services running on that machine may not be protected by iptables anymore. Spend some time and figure out how to insert the MySQL rules in the existing tables. It's better for your system's security.

Florin Andrei 2009-01-04 23:37:21

ansaurus

tags:

views:

answers:

What's the best way to allow MySQL on one server to listen to requests from two other different servers?

related questions