Is it possible to connect to a remote db using ssl?
My current situation:
Server1 hosts OJS instances (serves out the http requests)
Server2 hosts the database (mysql service)
How do I connect from Server1 to Server2 via SSL?
Hi @jbrinson,
See this post about the ADODB library and SSL connections. OJS uses ADODB's Connect/PConnect functions, so you may need to adapt this to use a DSN instead.
Regards,
Alec Smecher
Public Knowledge Project Team
So I am taking that as a no (without changing code).
Is this a feature that is being planned for the future? I hope I am not the only one with this use case.
Hi @jbrinson,
I don't recall hearing a need for this before, so while I think DSN support is a good idea, it's a low priority, I'm afraid.
Regards,
Alec Smecher
Public Knowledge Project Team
It's an old question and I don't know much about the OJS working process structure, so there may be a better solution…
The 3.3.0.8 version of OJS seems to use Laravel and Doctrine models for the database connection, and SSL could be configured through the options parameter of the AddConnection() function.
STEP 1 - In the root folder of OJS, create a new PHP file with the array of SSL options, for instance "mysql_ssl.php". An example of its content could look like this:
<?php
return array(
    PDO::MYSQL_ATTR_SSL_CA => '../rootCA.pem',
    PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false
);
?>
STEP 2 - Edit the existing "config.inc.php" file and add two more configuration options to the [database] section. The first new option indicates whether SSL mode is "On" or "Off". The second one indicates the file which contains the SSL configuration ("mysql_ssl.php" in our example).
The content added into config.inc.php should be something like:
ssl_mode = On
ssl_options_file = "mysql_ssl.php"
STEP 3 - Edit the file "PKPApplication.inc.php", which should be found at "your_ojs_path/lib/pkp/classes/core", and apply these two adjustments:
3.1 - In PKPApplication.inc.php search for the "initializeDatabaseConnection()" function and after the line "$capsule = new Capsule;", add the following:
$capsule = new Capsule;
// Adjustment to get Database SSL mode options
$opt = [];
if (Config::getVar('database', 'ssl_mode')) {
    $opt = include(Config::getVar('database', 'ssl_options_file'));
}
If "ssl_mode" in "config.inc.php" is "On", the "mysql_ssl.php" content will be associated with "$opt".
3.2 - Search for the "$capsule->addConnection" method (it should be the next line after the lines added in step 3.1) and insert the SSL options after the "collation" array item by typing 'options' => $opt. The result should look like this:
$capsule->addConnection([
    'driver' => $driver,
    .
    .
    .
    'collation' => Config::getVar('database', 'collation', 'utf8_general_ci'),
    'options' => $opt
]);
I am not 100% sure, but if you want to process the installation using SSL mode, STEP 3 (3.1 and 3.2) will also be necessary for the file "your_ojs_path/lib/pkp/classes/install/PKPInstall.inc.php".
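An added example, not part of the post above and not OJS code: with PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT set to false the session is encrypted but the server's certificate is not checked, so this script audits an options array for that and for a relative CA path, then confirms on a live connection that TLS was actually negotiated. The function names, the CA path /etc/ssl/ojs/rootCA.pem and the DB_DSN, DB_USER and DB_PASS environment variables are assumptions; it needs the pdo_mysql extension.

```php
<?php
// Added example, not OJS code. Paths and DB_* variables are placeholders.

/** List the weaknesses in a PDO MySQL TLS options array. */
function auditSslOptions(array $opt): array
{
    $problems = [];
    $ca = $opt[PDO::MYSQL_ATTR_SSL_CA] ?? '';
    if ($ca === '') {
        $problems[] = 'no CA file set, so the server certificate cannot be validated';
    } elseif ($ca[0] !== '/') {  // assumes a Unix-style host
        $problems[] = "CA path '$ca' is relative and depends on the working directory";
    } elseif (!is_readable($ca)) {
        $problems[] = "CA file '$ca' is not readable by this process";
    }
    if (($opt[PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT] ?? true) === false) {
        $problems[] = 'server certificate verification is disabled';
    }
    return $problems;
}

/** Return the negotiated TLS version and cipher; throw if the session is plaintext. */
function assertEncrypted(PDO $pdo): array
{
    $sql = "SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version', 'Ssl_cipher')";
    $status = $pdo->query($sql)->fetchAll(PDO::FETCH_KEY_PAIR);
    if (($status['Ssl_cipher'] ?? '') === '') {
        throw new RuntimeException('database session is not encrypted');
    }
    return $status;
}

// Options as posted in STEP 1, next to a stricter variant (CA path is a placeholder).
$posted = [PDO::MYSQL_ATTR_SSL_CA => '../rootCA.pem',
           PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false];
$strict = [PDO::MYSQL_ATTR_SSL_CA => '/etc/ssl/ojs/rootCA.pem',
           PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true];
foreach (['posted' => $posted, 'strict' => $strict] as $name => $opt) {
    echo $name, ': ', implode('; ', auditSslOptions($opt)) ?: 'no findings', "\n";
}

// Live check against the database host, only when DB_DSN is set, e.g.
// DB_DSN='mysql:host=server2.example.org;dbname=ojs'
if (getenv('DB_DSN') !== false) {
    $pdo = new PDO(getenv('DB_DSN'), getenv('DB_USER') ?: null, getenv('DB_PASS') ?: null,
        $strict + [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    print_r(assertEncrypted($pdo));
}
```

An empty Ssl_cipher value means the session fell back to plaintext even though SSL options were passed, which is why the check runs on the connection itself rather than on the configuration.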
This is just another +1 for TLS support for database connections. I am frankly surprised that this is an issue; not having TLS support feels pre-2000s.
Hi @odkr,
OJS is known to perform best when the DBMS and web server are on the same machine, which is the way most users have deployed it. For that reason, encryption between the web server and DBMS hasn't been a high priority. A modification to add TLS support should be fairly simple and a pull request would be welcome, but be warned that you'll see performance issues as your content and readership grow if you host the database on a different machine until we have time to optimize that.
Regards,
Alec Smecher
Public Knowledge Project Team
Thanks for the swift reply and sorry that it took me a while. It's good to know that you'd accept a PR! I'll add it to my to-do list; I cannot tell when I'll get around to it.
I'm aware that running the DB on another system incurs a performance penalty; we can handle that. That's an aside but: wouldn't any system that couldn't handle that sort of overhead need to be placed behind a reverse proxy, or at the very least, mod_cache, at any rate?
And, just to describe our use case: Using a single DBMS (to the extent possible) makes it easier for us to integrate our systems.
Sorry, I'm not sure I follow - do you mean a scenario where a DBMS was being run externally to the web server, and where performance wasn't acceptable?
Regards,
Alec Smecher
Public Knowledge Project Team