Configure mysql over tls/ssl


#1

Hi all,

I’m trying to configure ghost to connect to mysql hosted in a cloud provider. As the db is hosted locally I would like to configure ghost to connect over ssl/tls to my mysql instance.

I have been able to configure the connection without tls/ssl but can’t figure out the ghost config for using tls/ssl. Is anyone able to point me in the right direction with an example?


#2

Not sure if this helps with what you want, but one option would be to connect via an SSH tunnel:


#3

Hi, you didn't mention the provider, but I assume it is more or less the same; check this doc for AWS.


#4

Thanks dsecareanu, I didn't think of this. I will look into it; however, I'd be surprised if Ghost doesn't support an SSL connection to MySQL. How does everyone else have their connection secured?


#5

Hi afern247,

Thanks for the article, but I can't see anywhere it addresses securely connecting your application (Ghost) to MySQL. I already have the database configured and can connect to it, but I want to secure the connection from Ghost to my cloud provider.


#6

Ghost doesn't explicitly support or lack support for how you connect to your MySQL server. Since most people either use Ghost (Pro), follow the install docs, or use Docker, they generally don't (need to) set up SSL since it's all communication via sockets.

The underlying SQL library used by Ghost is Knex; the options are passed directly to it. This issue on GitHub highlights that the connection options passed to Knex are passed to the underlying connection library, which in your case is mysql (node). This part of the docs outlines the configuration you need to set up SSL.


#7

It kind of follows a set of best practices regarding secured connections and networking rather than CMS connecting to a DB Server.

For example, if your ecosystem is all on the same machine, as mentioned above, connection is done through sockets.

If you need to separate the database layer from the web layer, usually this is done in private networks so that the SQL server has no connection with the outside world (i.e. the case with AWS EC2 + RDS).

Connecting via the internet between a web server and a database server is not a recommended approach as, even if encrypted, you have the security issue of the "man-in-the-middle" and someone can sniff your traffic and try to decrypt it.

I hope this brings a bit more context to your question and the answers provided.


#8

Thanks vikasptluri123, just what I needed.

I have been able to configure ssl/tls to mysql.

If anyone else wants to configure SSL/TLS to MySQL in the future, please see these two pages for the options available: https://www.npmjs.com/package/mysql#ssl-options and https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options

Two example configs I have been playing with (I haven't configured it based on key yet):

Simple

```json
"database": {
  "client": "mysql",
  "connection": {
    "host": "127.0.0.1",
    "user": "user",
    "password": "pass",
    "database": "ghostdb",
    "ssl": {}
  }
}
```

Setting TLS 1.2 as the version to use

```json
"database": {
  "client": "mysql",
  "connection": {
    "host": "127.0.0.1",
    "user": "user",
    "password": "pass",
    "database": "ghostdb",
    "ssl": {
      "rejectUnauthorized": true,
      "secureProtocol": "TLSv1_2_method"
    }
  }
}
```


#9

dsecareanu, I understand what you are saying, but I don't agree with your comments.

I will leave it at that as this is not a security forum.