mySQL with SSL over cloud networks

cchatfield · October 18, 2018, 3:30pm

I use an external cloud hosted mySQL DB for local development after verifying with sqlite. The site is then pushed to the cloud and connects to mySQL for production hosting. Since it is a cloud mySQL, traffic may be routed outside of the app server hosted network

I didn’t see any documentation on how to enable via configuration.

I added

        if(dbConfig.connection.ssl && dbConfig.connection.ssl.ca){
            dbConfig.connection.ssl.ca = fs.readFileSync(dbConfig.connection.ssl.ca);
        }

to core/server/data/connection.js

Is this the correct way to enable ssl for mySQL?

tim-ghost · October 18, 2018, 3:47pm

Hi Chad (@cchatfield

What DBaaS product are you using?

Thanks,

Tim

cchatfield · October 18, 2018, 4:13pm

Azure DB for MySQL Server

tim-ghost · October 18, 2018, 4:14pm

Under the hood Ghost uses knex which in turn uses the mysql npm package. knex proxies all connection configuration through to the underlying mysql client connection.

If you’re using RDS, you won’t need to load any certificates in as their is a “profile” for “Amazon RDS”. You should be able to add it to your Ghost configuration like:

"database": {
  "client": "mysql",
  "connection": {
    "host": "your_database_url",
    "port": 3306,
    "user": "your_database_user",
    "password": "your_database_password",
    "database": "your_database_name",
    "ssl": "Amazon RDS"
  }
}

Personally, I would recommend against opening your MySQL instance up to the WWW. Instead you might want to consider SSH port forwarding through a “bastion” host (or the host running Ghost). This way, traffic will be encrypted, no extra configuration will be required and your DB isn’t exposed publicly.

I’d also recommend against hacking at the Ghost core files. It makes updates almost impossible.

Hopefully this helps you but let me know if you really do need custom CA certs / SSL over the internet let me know

Thanks,

Tim.

tim-ghost · October 18, 2018, 4:16pm

Only just received the above…

tim-ghost · October 18, 2018, 4:24pm

OK, Good news!

Azure uses the Baltimore Cyber Trust Root CA for SSL which is in the Mozilla trusted CA list (https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport). The Mozilla trusted CA list is the default used by the node tls API as detailed here: TLS (SSL) | Node.js v19.4.0 Documentation

That means setting your ghost config to:

"database": {
  "client": "mysql",
  "connection": {
    "host": "your_database_url",
    "port": 3306,
    "user": "your_database_user",
    "password": "your_database_password",
    "database": "your_database_name",
    "ssl": true
  }
}

Should do what you want. I haven’t tested this myself but let me know if it works for you

Thanks,

Tim.

cchatfield · October 18, 2018, 4:43pm

cool - will try that out and see if it works

system · November 1, 2018, 4:43pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configure mysql over tls/ssl Developer help	9	3972	August 22, 2018
Ghost with connection to central MySQL server in Microsoft Azure Cloud with SSL Self-hosting	1	321	February 1, 2023
Unable to connect to database due to Connections using insecure transport are prohibited while --require_secure_transport=ON Self-hosting	2	446	January 2, 2024
Database Connection TLS issue with Azure Database for MySQL flexible server Self-hosting	1	100	February 28, 2024
Use Amazon certificate with Route53 instead of LetsEncrypt Developer help	2	540	August 13, 2020

mySQL with SSL over cloud networks

Related Topics