I’m trying to configure ghost to connect to mysql hosted in a cloud provider. As the db is hosted locally I would like to configure ghost to connect over ssl/tls to my mysql instance.
I have been able to configure the connection without tls/ssl but can’t figure out the ghost config for using tls/ssl. Is anyone able to point me in the right direction with an example?
Thanks dsecareanu, I didn’t think of this. I will look into it; however, I’d be surprised if Ghost doesn’t support SSL connections to MySQL. How does everyone else have their connection secured?
Thanks for the article but I can’t see anywhere it addresses securely connecting your application (ghost) to mysql. I already have the database configured and can connect to it but I want to secure the connection for ghost to my cloud provider
Ghost doesn’t explicitly support or lack support for how you connect to your MySQL server. Since most people either use Ghost (Pro), follow the install docs, or use Docker, they generally don’t (need to) set up SSL since it’s all communication via sockets.
The underlying SQL library used by Ghost is Knex; the options are passed directly to it. This issue on GitHub highlights that the connection options passed to Knex are passed to the underlying connection library, which in your case is MySql (node). This part of the docs outlines the configuration you need to set up SSL.
It kind of follows a set of best practices regarding secured connections and networking rather than CMS connecting to a DB Server.
For example, if your ecosystem is all on the same machine, as mentioned above, connection is done through sockets.
If you need to separate the database layer from the web layer, usually this is done in private networks so that the SQL server has no connection with the outside world (i.e. the case with AWS EC2 + RDS).
Connecting via internet between a web server and a dbase server is not a recommended approach as, even if encrypted, you have the security issue of the “man-in-the-middle” and someone can sniff your traffic and try to decrypt it.
I hope this brings a bit more context to your question and the answers provided.
2 example configs I have been playing with (I haven’t configured it based on key yet)
Simple
"database": {
  "client": "mysql",
  "connection": {
    "host": "127.0.0.1",
    "user": "user",
    "password": "pass",
    "database": "ghostdb",
    "ssl": {}
  }
}
Setting TLS1.2 as the version to use
"database": {
  "client": "mysql",
  "connection": {
    "host": "127.0.0.1",
    "user": "user",
    "password": "pass",
    "database": "ghostdb",
    "ssl": {
      "rejectUnauthorized": true,
      "secureProtocol": "TLSv1_2_method"
    }
  }
}
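A check over "database" blocks shaped like the ones in this thread, added here as an example and not part of any post or of Ghost/Knex. It flags configs where the connection is unencrypted or where the server certificate is not actually verified, which is the man-in-the-middle concern raised above. The auditDbTls helper, its finding names, the sample hosts and the CA placeholder are all assumptions made for illustration.

```javascript
// Added example, not from the thread. auditDbTls and its finding names are
// hypothetical; the config shape is the "database" block shown in the posts.
function auditDbTls(config) {
  const conn = (config.database && config.database.connection) || {};
  const ssl = conn.ssl;
  // No ssl key (or false): the client connects without TLS.
  if (ssl === undefined || ssl === null || ssl === false) return ['no-tls'];
  // A string is treated here as a named profile and not inspected further
  // (assumption about how the driver interprets it).
  if (typeof ssl === 'string') return [];
  if (typeof ssl !== 'object' || Array.isArray(ssl)) return ['ssl-bad-type'];

  const findings = [];
  if ('rejectUnauthorized' in ssl) {
    if (ssl.rejectUnauthorized === false) {
      // Encrypted but unauthenticated: an on-path party can present any cert.
      findings.push('verify-disabled');
    } else if (typeof ssl.rejectUnauthorized !== 'boolean') {
      // e.g. the JSON string "false" is truthy; require a real boolean.
      findings.push('verify-not-boolean');
    }
  }
  // Without an explicit CA, trust falls back to the runtime's default CA bundle.
  if (!ssl.ca) findings.push('no-ca');
  return findings;
}

// Constructed sample configs (placeholder hosts and CA value).
const CA = '<CA certificate PEM placeholder>';
const samples = {
  plaintext: { database: { client: 'mysql', connection: { host: 'db.example.internal' } } },
  emptySsl: { database: { client: 'mysql', connection: { host: 'db.example.internal', ssl: {} } } },
  stringFlag: JSON.parse('{"database":{"connection":{"ssl":{"rejectUnauthorized":"false"}}}}'),
  noVerify: { database: { connection: { ssl: { ca: CA, rejectUnauthorized: false } } } },
  pinned: { database: { connection: { ssl: { ca: CA, rejectUnauthorized: true } } } },
};

// Returns { sampleName: 'finding,finding' | 'ok' } for each config.
function auditAll(cfgs) {
  const out = {};
  for (const [name, cfg] of Object.entries(cfgs)) {
    out[name] = auditDbTls(cfg).join(',') || 'ok';
  }
  return out;
}

console.log(auditAll(samples));
```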