mySQL with SSL over cloud networks


#1

I use an external cloud hosted mySQL DB for local development after verifying with sqlite. The site is then pushed to the cloud and connects to mySQL for production hosting. Since it is a cloud mySQL, traffic may be routed outside of the app server hosted network.

I didn’t see any documentation on how to enable via configuration.

I added

    const fs = require('fs');

    // Ghost config is JSON, so "ssl.ca" arrives as a file path; the mysql
    // client expects the PEM contents, so read the file before connecting.
    if (dbConfig.connection.ssl && dbConfig.connection.ssl.ca) {
        dbConfig.connection.ssl.ca = fs.readFileSync(dbConfig.connection.ssl.ca);
    }

to core/server/data/connection.js

Is this the correct way to enable ssl for mySQL?


#2

Hi Chad (@cchatfield)

What DBaaS product are you using?

Thanks,

Tim


#3

Azure DB for MySQL Server


#4

Under the hood Ghost uses knex which in turn uses the mysql npm package. knex proxies all connection configuration through to the underlying mysql client connection.

If you’re using RDS, you won’t need to load any certificates in as there is a “profile” for “Amazon RDS”. You should be able to add it to your Ghost configuration like:

"database": {
  "client": "mysql",
  "connection": {
    "host": "your_database_url",
    "port": 3306,
    "user": "your_database_user",
    "password": "your_database_password",
    "database": "your_database_name",
    "ssl": "Amazon RDS"
  }
}

Personally, I would recommend against opening your MySQL instance up to the WWW. Instead you might want to consider SSH port forwarding through a “bastion” host (or the host running Ghost). This way, traffic will be encrypted, no extra configuration will be required and your DB isn’t exposed publicly.

I’d also recommend against hacking at the Ghost core files. It makes updates almost impossible.

Hopefully this helps, but if you really do need custom CA certs / SSL over the internet, let me know :slight_smile:

Thanks,

Tim.


#5

Only just received the above…


#6

OK, Good news!

Azure uses the Baltimore Cyber Trust Root CA for SSL which is in the Mozilla trusted CA list (https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport). The Mozilla trusted CA list is the default used by the node tls API as detailed here: https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options

That means setting your ghost config to:

"database": {
  "client": "mysql",
  "connection": {
    "host": "your_database_url",
    "port": 3306,
    "user": "your_database_user",
    "password": "your_database_password",
    "database": "your_database_name",
    "ssl": true
  }
}

Should do what you want. I haven’t tested this myself but let me know if it works for you :slight_smile:

Thanks,

Tim.


#7

cool - will try that out and see if it works

