[MediaWiki-l] use ssl to access the database

[MediaWiki-l] use ssl to access the database

Tim Dunphy-2
Hi all,

  I just added a remote database to my media wiki setup. I can access the
database from the command line and using that info the wiki site shows up
in a browser and works.

  But some of the data is sensitive so I need to add an ssl user to access
the database.

 If I add an ssl user to the db, I can also access it from the command line
of the web server no problem:

[root@ops:~] #mysql -uadmin_ssl -p -h db.example.com -e "SHOW DATABASES"
Enter password:
+--------------------+
| Database           |
+--------------------+
| certs              |
| information_schema |
| jfwiki             |
| mysql              |
| performance_schema |
+--------------------+

But with the ssl user in place in LocalSettings.php, I'm getting this
response from the browser:

Sorry! This site is experiencing technical difficulties.

Try waiting a few minutes and reloading.

*(Cannot access the database: Access denied for user
'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' (using password: YES)
(db.example.com))*

You can try searching via Google in the meantime.
Note that their indexes of our content may be out of date.

JF Wiki  WWW

This is what the grant for the user looks like in the database:

MariaDB [(none)]> show grants for  'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com';
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for [hidden email] |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' IDENTIFIED BY PASSWORD '*somePasswordHash' REQUIRE SSL |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

I was just wondering what I'd need to do to make this work!! All
suggestions welcomed.

Thanks,
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Re: use ssl to access the database

Benjamin Lees
https://www.mediawiki.org/wiki/Manual:$wgDBssl


Re: use ssl to access the database

Tim Dunphy-2
> https://www.mediawiki.org/wiki/Manual:$wgDBssl


Very cool! Thank you! I'll check this out!


Re: use ssl to access the database

Tim Dunphy-2
The database is actually load balanced behind HA/Proxy. I'm testing from
one webserver currently, the other two web servers have been left out of
the pool.

The connection from the command line as well as the wiki site goes:

web server -> lb1 -> db1

I can log into db1 from both the web server as well as the load balancer
using the SSL account.

I altered my connection string in LocalSettings.php so that it looks like
this:

## Database settings
$wgLBFactoryConf['class'] = 'LBFactorySimple';
$wgDBservers = '';
$wgDBtype = "mysql";
$wgDBserver = "db.example.com";
$wgDBssl    =  "db.example.com";
$wgDBname = "jfwiki";
$wgDBuser = "admini_ssl";
$wgDBpassword = "secret";

But I'm getting the same error that points to the load balancer IP in the
error message:

(Cannot access the database: Access denied for user 'admini_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' (using password: YES) (db.example.com))


'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' is the load balancer.

Any ideas on why this is still happening?

Thanks,
Tim


Re: use ssl to access the database

John Doe-27
wgDBssl is a bool setting


Re: use ssl to access the database

Tim Dunphy-2
>
> wgDBssl is a bool setting


Ok, thanks for that info! So this is what I tried.


## Database settings
$wgLBFactoryConf['class'] = 'LBFactorySimple';
$wgDBservers = '';
$wgDBtype = "mysql";
$wgDBserver = "xx.xx.xx";
$wgDBssl    =  1;
$wgDBname = "jfwiki";
$wgDBuser = "admin_ssl";
$wgDBpassword = "secret";

Bingo!! That one put me over the top. The wiki page comes up.

Thanks for the help!!

All set with SSL connections to the DB. Glad I found out how to do that.

Tim





Re: use ssl to access the database

Krinkle
I'm glad this works but I'd recommend using =true instead of =1 since 1 is not a boolean, it's an integer.

This may work now but could unexpectedly break in a minor update.

— Krinkle
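
Added example, not part of the original thread and not MediaWiki's own code: a standalone PHP CLI check for the setup discussed here, confirming that the REQUIRE SSL account gets an encrypted session when the client requests TLS and is refused when it does not. Host, user and database names are the thread's placeholders; CA_FILE and the DB_PASSWORD environment variable are assumptions.

```php
<?php
// Added example: run from the web server with `php check_db_tls.php`.
// Connection values are placeholders; CA_FILE is a hypothetical path to the
// CA certificate that signed the database server's certificate.

const DB_HOST = 'db.example.com';
const DB_USER = 'admin_ssl';
const DB_NAME = 'jfwiki';
const DB_PORT = 3306;
const CA_FILE = '/etc/ssl/certs/db-ca.pem';

/**
 * Open one connection and report what the server says about the session.
 * Returns ['connected' => bool, 'cipher' => string, 'error' => string].
 */
function probe(string $password, bool $requestTls): array
{
    mysqli_report(MYSQLI_REPORT_OFF); // report failures through return values
    $db = mysqli_init();
    $flags = 0;
    if ($requestTls) {
        // Ask the server for a TLS session and name the CA to trust.
        $db->ssl_set(null, null, CA_FILE, null, null);
        $flags = MYSQLI_CLIENT_SSL;
    }
    $ok = @$db->real_connect(DB_HOST, DB_USER, $password, DB_NAME, DB_PORT, null, $flags);
    if (!$ok) {
        // Against a REQUIRE SSL account, a client that did not negotiate TLS
        // is rejected with error 1045 "Access denied ... (using password: YES)".
        return ['connected' => false, 'cipher' => '',
                'error' => $db->connect_errno . ': ' . $db->connect_error];
    }
    // Ssl_cipher is empty on a plaintext session and names the cipher otherwise.
    $cipher = '';
    $result = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    if ($result !== false) {
        $row = $result->fetch_assoc();
        if (is_array($row)) {
            $cipher = (string) $row['Value'];
        }
    }
    $db->close();
    return ['connected' => true, 'cipher' => $cipher, 'error' => ''];
}

/**
 * Turn the two probe results into findings; an empty list means the account
 * is encrypted when TLS is requested and unusable when it is not.
 */
function evaluate(array $tls, array $plain): array
{
    $findings = [];
    if (!$tls['connected']) {
        $findings[] = 'TLS connection failed: ' . $tls['error'];
    } elseif ($tls['cipher'] === '') {
        $findings[] = 'TLS was requested but the session is not encrypted';
    }
    if ($plain['connected'] && $plain['cipher'] === '') {
        $findings[] = 'Plaintext login succeeded: REQUIRE SSL is not enforced for this account';
    }
    return $findings;
}

$password = getenv('DB_PASSWORD');
if ($password === false) {
    fwrite(STDERR, "Set DB_PASSWORD in the environment first\n");
    exit(2);
}

$tls   = probe($password, true);
$plain = probe($password, false);

echo 'With TLS requested:    ',
    $tls['connected'] ? "connected, cipher '{$tls['cipher']}'" : "refused ({$tls['error']})", "\n";
echo 'Without TLS requested: ',
    $plain['connected'] ? "connected, cipher '{$plain['cipher']}'" : "refused ({$plain['error']})", "\n";

$findings = evaluate($tls, $plain);
foreach ($findings as $finding) {
    echo "FAIL: $finding\n";
}
if ($findings === []) {
    echo "OK: account is reachable only over TLS\n";
}
exit($findings === [] ? 0 : 1);
```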


_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Re: use ssl to access the database

Tim Dunphy-2
Cool! Just took your advice. Thanks for the tip!

On Tue, Jul 28, 2015 at 10:42 PM, Krinkle <[hidden email]> wrote:

> I'm glad this works but I'd recommend using =true instead of =1 since 1 is
> not a boolean, it's an integer.
>
> This may work now but could unexpectedly break in a minor update.
>
> — Krinkle
>
> > On 26 Jul 2015, at 18:47, Tim Dunphy <[hidden email]> wrote:
> >
> >>
> >> wgDBssl is a bool setting
> >
> >
> > Ok, thanks for that info! So this is what I tried.
> >
> >
> > ## Database settings
> > $wgLBFactoryConf['class'] = 'LBFactorySimple';
> > $wgDBservers = '';
> > $wgDBtype = "mysql";
> > $wgDBserver = "xx.xx.xx";
> > $wgDBssl    =  1;
> > $wgDBname = "jfwiki";
> > $wgDBuser = "admin_ssl";
> > $wgDBpassword = "secret";
> >
> > Bingo!! That one put me over the top. The wiki page comes up.
> >
> > Thanks for the help!!
> >
> > All set with SSL connections to the DB. Glad I found out how to do that.
> >
> > Tim
> >
> >
> >
> >
> > On Sun, Jul 26, 2015 at 8:30 PM, John <[hidden email]> wrote:
> >
> >> wgDBssl is a bool setting
> >>
> >> On Sunday, July 26, 2015, Tim Dunphy <[hidden email]> wrote:
> >>
> >>> The database is actually load balanced behind HA/Proxy. I'm testing from
> >>> one webserver currently, the other two web servers have been left out of
> >>> the pool.
> >>>
> >>> The connection from the command line as well as the wiki site goes:
> >>>
> >>> web server -> lb1 -> db1
> >>>
> >>> I can log into db1 from both the web server as well as the load balancer
> >>> using the SSL account.
> >>>
> >>> I altered my connection string in LocalSettings.php so that it looks like
> >>> this:
> >>>
> >>> ## Database settings
> >>> $wgLBFactoryConf['class'] = 'LBFactorySimple';
> >>> $wgDBservers = '';
> >>> $wgDBtype = "mysql";
> >>> $wgDBserver = "db.example.com";
> >>> $wgDBssl    =  "db.example.com";
> >>> $wgDBname = "jfwiki";
> >>> $wgDBuser = "admini_ssl";
> >>> $wgDBpassword = "secret";
> >>>
> >>> But I'm getting the same error that points to the load balancer IP in the
> >>> error message:
> >>>
> >>> (Cannot access the database: Access denied for user 'admini_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' (using password: YES) (db.example.com))
> >>>
> >>>
> >>> 'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' is the load balancer.
> >>>
> >>> Any ideas on why this is still happening?
> >>>
> >>> Thanks,
> >>> Tim
> >>>
> >>> On Sun, Jul 26, 2015 at 7:27 PM, Tim Dunphy <[hidden email]> wrote:
> >>>
> >>>> https://www.mediawiki.org/wiki/Manual:$wgDBssl
> >>>>
> >>>>
> >>>> Very cool! Thank you! I'll check this out!
> >>>>
> >>>> On Sun, Jul 26, 2015 at 3:37 AM, Benjamin Lees <[hidden email]> wrote:
> >>>>
> >>>>> https://www.mediawiki.org/wiki/Manual:$wgDBssl
> >>>>>
> >>>>> On Sat, Jul 25, 2015 at 8:51 PM, Tim Dunphy <[hidden email]> wrote:
> >>>>>> Hi all,
> >>>>>>
> >>>>>>  I just added a remote database to my media wiki setup. I can access the
> >>>>>> database from the command line and using that info the wiki site shows up
> >>>>>> in a browser and works.
> >>>>>>
> >>>>>>  But some of the data is sensitive so I need to add an ssl user to access
> >>>>>> the database.
> >>>>>>
> >>>>>> If I add an ssl user to the db, I can also access it from the command line
> >>>>>> of the web server no problem:
> >>>>>>
> >>>>>> [root@ops:~] #mysql -uadmin_ssl -p -h db.example.com -e "SHOW DATABASES"
> >>>>>> Enter password:
> >>>>>> +--------------------+
> >>>>>> | Database           |
> >>>>>> +--------------------+
> >>>>>> | certs              |
> >>>>>> | information_schema |
> >>>>>> | jfwiki             |
> >>>>>> | mysql              |
> >>>>>> | performance_schema |
> >>>>>> +--------------------+
> >>>>>>
> >>>>>> But with the ssl user in place in LocalSettings.php, I'm getting this
> >>>>>> response from the browser:
> >>>>>>
> >>>>>> Sorry! This site is experiencing technical difficulties.
> >>>>>>
> >>>>>> Try waiting a few minutes and reloading.
> >>>>>>
> >>>>>> *(Cannot access the database: Access denied for user
> >>>>>> 'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com
> >>>>>> <http://ec2-xx-xx-xxx-xx.compute-1.amazonaws.com>' (using password: YES)
> >>>>>> (db.example.com <http://db.example.com>))*
> >>>>>>
> >>>>>> You can try searching via Google in the meantime.
> >>>>>> Note that their indexes of our content may be out of date.
> >>>>>>
> >>>>>> JF Wiki  WWW
> >>>>>>
> >>>>>> This is what the grant for the user looks like in the database:
> >>>>>>
> >>>>>> MariaDB [(none)]> show grants for  'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com';
> >>>>>> +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> >>>>>> | Grants for [hidden email] |
> >>>>>> +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> >>>>>> | GRANT ALL PRIVILEGES ON *.* TO 'admin_ssl'@'ec2-xx-xx-xxx-xx.compute-1.amazonaws.com' IDENTIFIED BY PASSWORD '*somePasswordHash' REQUIRE SSL |
> >>>>>> +----------------------------------------------------------------------------------------------------------------------------------------------------------------------+
> >>>>>> 1 row in set (0.00 sec)
> >>>>>>
> >>>>>> I was just wondering what I'd need to do to make this work!! All
> >>>>>> suggestions welcomed.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> Tim
> >>>>>>



--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
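
An added example, not part of the thread and not MediaWiki's own code: a standalone PHP check that connects to the database once without and once with the mysqli TLS flag, then reads `Ssl_cipher` to confirm the session is really encrypted. Host, user and database names are the thread's placeholders; the `DB_PASS` and `DB_CA` environment variables are assumptions of this example.

```php
<?php
// Added example. Placeholders from the thread: db.example.com, admin_ssl, jfwiki.
// DB_PASS and DB_CA are hypothetical environment variables for this script only.
mysqli_report(MYSQLI_REPORT_OFF); // return false on failure instead of throwing

/**
 * Open one connection, with or without TLS, and report what the server says.
 * Returns [connected (bool), detail (string)].
 */
function probe(string $host, string $user, string $pass, string $db,
               bool $tls, ?string $caFile): array
{
    $conn = mysqli_init();
    if ($tls && $caFile !== null) {
        // Give the client a CA file so it can verify the server certificate.
        $conn->ssl_set(null, null, $caFile, null, null);
    }
    $flags = $tls ? MYSQLI_CLIENT_SSL : 0;
    if (!@$conn->real_connect($host, $user, $pass, $db, 3306, null, $flags)) {
        return [false, $conn->connect_errno . ': ' . $conn->connect_error];
    }
    // Ssl_cipher is an empty string when the session is not encrypted.
    $res = $conn->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'");
    $row = $res ? $res->fetch_assoc() : null;
    $conn->close();
    $cipher = $row['Value'] ?? '';
    return [true, $cipher === '' ? 'NOT encrypted' : "encrypted ($cipher)"];
}

$host = 'db.example.com';
$user = 'admin_ssl';
$db   = 'jfwiki';
$pass = getenv('DB_PASS') ?: '';
$ca   = getenv('DB_CA') ?: null;

foreach ([false, true] as $tls) {
    [$ok, $detail] = probe($host, $user, $pass, $db, $tls, $ca);
    printf("%-7s %-10s %s\n", $tls ? 'TLS' : 'no TLS', $ok ? 'connected' : 'failed', $detail);
}
```

For an account granted with `REQUIRE SSL`, the connection made without the flag is refused with error 1045 (Access denied), which is the message the wiki displayed before `$wgDBssl` was set.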