Centmin firewall not allow AWS RDS connection

Discussion in 'Other Centmin Mod Installed software' started by shivam, Nov 29, 2017.

  1. shivam

    shivam New Member

    I am trying to connect my WordPress website to AWS RDS, but I was unable to access it after providing the correct details. Then I came to know the firewall is not allowing me to connect to the remote URL, so I added port 3306 to TCP_OUT.

    Still a database connection issue. But if I disable the firewall with

    csf -x

    it's working fine.

    I also tried to add the endpoint to the whitelist.

    csf -a endpoint_url

    Still it's not working. Please help me get it working.

    /** The name of the database for WordPress */
    define( 'DB_NAME', 'rds_database_name_here' );

    /** MySQL database username */
    define( 'DB_USER', 'rds_username_here' );

    /** MySQL database password */
    define( 'DB_PASSWORD', 'rds_password_here' );

    /** MySQL hostname */
    define( 'DB_HOST', 'rds_endpoint' );
     
  2. eva2000

    eva2000 Administrator Staff Member

    Some questions:
    • Have you previously used and connected to Amazon RDS created database instances/servers on non-Centmin Mod or Centmin Mod based servers with this particular Amazon RDS created database?
    • If you have successfully used and connected, what was the hardware and software setup there?
    • Did you have any locally installed, configured firewall in place? What did you use and how was it configured?
    I haven't used Amazon RDS myself, so setting it up properly and configuring proper IAM and security group access is left up to you to do first.

    Centmin Mod Side

    • Centmin Mod's installed CSF Firewall blocks outgoing TCP port 3306, which is usually the default MySQL server listening port. So the only Centmin Mod requirement to connect to Amazon RDS databases like Oracle or MariaDB MySQL database servers is whitelisting TCP port 3306 in CSF Firewall's /etc/csf/csf.conf TCP_OUT and TCP6_OUT comma separated lists of whitelisted allowed ports. Once you have added 3306 to the comma separated list of ports in TCP_OUT and TCP6_OUT, you need to restart CSF Firewall services:
      Code (Text):
      csf -r

    Amazon RDS side

    Amazon RDS setup is left up to the end user yourself to configure properly, which includes setting and configuring access via VPC Security Group and/or Security Group listed here. Also see the AWS RDS best practices guide at http://docs.aws.amazon.com/AmazonRD...estPractices.html#CHAP_BestPractices.Security

    As outlined at http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SettingUp.html, the following:
    1. Sign Up for AWS
    2. Create an IAM User
    3. Determine Requirements
    4. Provide Access to the DB Instance in the VPC by Creating a Security Group
    The Getting Started Guides are outlined at http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_GettingStarted.html
    Example for creating a MariaDB database and connecting to an Amazon RDS instance: http://docs.aws.amazon.com/AmazonRD...ettingStarted.CreatingConnecting.MariaDB.html
     
  3. shivam

    shivam New Member

    Please provide a solution instead of asking questions; I have replied 3 times. Your support team is just giving info to post from here to here, no exact solution.

    Yes, I have experience with RDS previously; more than 10 websites are working perfectly fine.

    Already tried TCP_OUT port whitelisting, as mentioned in the issue.

    Expecting solution, not queries.

    Thanks
     
  4. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod is provided as is, so short of script-related bugs or issues, any further optimisation of the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc - or web app specific configurations is left to the Centmin Mod user to deal with. So I do not provide any free support for such.

    However, Centmin Mod users are free to help each other out and ask questions or give answers on this community forum. My hope is that this community forum evolves so that more veteran, long time Centmin Mod users help new Centmin Mod users out :)

    Questions are asked so I can better understand your problem. Without that I can't help you even if I wanted to.

    Anyway, I have just tested an AWS RDS MariaDB database instance out for the first time and it works fine doing what I outlined in the links above in post reply #2 - following all the linked AWS RDS documentation to the letter and making sure to properly configure the RDS instance's VPC Security Group inbound TCP rules. The only thing on the Centmin Mod side is allowing port 3306 in CSF Firewall. The rest of the AWS RDS VPC security group configuration side is left to the end user. If you are unsure how to set up AWS RDS, then contact AWS RDS tech support.

    Working AWS RDS MariaDB instance example without vs with proper AWS RDS VPC security group configuration at https://gist.github.com/centminmod/1c4028428e66d4832a6fcbe55bf8be14
     
  5. eva2000

    eva2000 Administrator Staff Member

    Output for the command
    Code (Text):
    egrep '^TCP_OUT|^TCP6_OUT' /etc/csf/csf.conf
    

    i.e.
    Code (Text):
    egrep '^TCP_OUT|^TCP6_OUT' /etc/csf/csf.conf
    TCP_OUT = "993,995,465,587,1110,1194,9418,20,21,22,25,53,80,110,113,443,587,993,995,3306"
    TCP6_OUT = "993,995,465,587,20,21,22,25,53,80,110,113,443,587,993,995,3306"
    
     
  6. shivam

    shivam New Member

    I already mentioned that I am able to connect to AWS RDS, but only if the firewall is disabled. So there is no issue with the configuration. The issue is only how to unblock the RDS endpoint in the firewall so it will work as expected.
     
  7. eva2000

    eva2000 Administrator Staff Member

    Did you restart the CSF firewall?
    Code (Text):
    csf -r
    
     
  8. eva2000

    eva2000 Administrator Staff Member

    Also double check using the mysql client command on your Centmin Mod server to see where the problem is, i.e.

    Commands run on the Centmin Mod LEMP stack against the AWS RDS endpoint, where you define the variables below:

    endpoint=endpoint name
    USERNAME=mariadb master username
    PASSWORD=mariadb master username's password

    CSF firewall without port 3306 whitelisted in TCP_OUT/TCP6_OUT:
    Code (Text):
    mysql -h $endpoint -P 3306 -u$USERNAME -p$PASSWORD
    ERROR 2003 (HY000): Can't connect to MySQL server on 'AWSENDPOINT.ca-central-1.rds.amazonaws.com' (111 "Connection refused")
    

    AWS RDS without a properly configured RDS VPC Security Group inbound TCP 3306 rule allowing the Centmin Mod server IP address:
    Code (Text):
    mysql -h $endpoint -P 3306 -u$USERNAME -p$PASSWORD
    ERROR 2003 (HY000): Can't connect to MySQL server on 'AWSENDPOINT.ca-central-1.rds.amazonaws.com' (110 "Connection timed out")
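An added check (not part of this thread or of Centmin Mod's own tooling) that parses csf.conf lines of the shape shown in post #5, confirms a port is present in both TCP_OUT and TCP6_OUT, and maps the two mysql client errors above to which side needs fixing; the sample csf.conf content is constructed, with 3306 deliberately missing from TCP_OUT only.

```shell
# Constructed sample of the two csf.conf lines the thread greps; TCP_OUT lacks
# 3306 while TCP6_OUT has it (the mirror image of the thread's final fix).
SAMPLE_CSF_CONF='TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
TCP6_OUT = "20,21,22,25,53,80,110,113,443,587,993,995,3306"'

# port_allowed CONTENT KEY PORT: succeed if PORT is an exact entry in KEY's list.
port_allowed() {
    content="$1"; key="$2"; port="$3"
    # pull the quoted comma-separated list from a line like: KEY = "a,b,c"
    list=$(printf '%s\n' "$content" | sed -n "s/^${key} *= *\"\([^\"]*\)\".*/\1/p")
    case ",$list," in
        *",$port,"*) return 0 ;;   # wrapped in commas so 3306 does not match 13306
        *) return 1 ;;
    esac
}

# check_outbound CONTENT PORT: print "ok" or the outbound lists missing the port.
# Both lists matter: a dual-stack VPS may prefer IPv6 to the RDS endpoint (post #10).
check_outbound() {
    content="$1"; port="$2"; missing=""
    for key in TCP_OUT TCP6_OUT; do
        port_allowed "$content" "$key" "$port" || missing="$missing $key"
    done
    if [ -z "$missing" ]; then
        echo "ok"
    else
        echo "missing:$missing"
    fi
}

# diagnose_errno N: map the mysql client errno seen above to the side to fix.
diagnose_errno() {
    case "$1" in
        111) echo "refused: local CSF blocks outbound 3306 (add to TCP_OUT/TCP6_OUT, then csf -r)" ;;
        110) echo "timeout: RDS VPC security group has no inbound 3306 rule for this server IP" ;;
        *)   echo "unknown errno $1" ;;
    esac
}

# On a live server: check_outbound "$(cat /etc/csf/csf.conf)" 3306
check_outbound "$SAMPLE_CSF_CONF" 3306
```

Remember that editing csf.conf alone changes nothing until `csf -r` reloads the rules, so run the check before and after the restart.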
    
     
  9. shivam

    shivam New Member

    Thanks @eva2000

    Now it's working.

    Issue solved after adding port 3306 to TCP6_OUT

    and

    csf -r

    Thanks for your support :)
     
  10. eva2000

    eva2000 Administrator Staff Member

    Looks like your VPS has IPv6 networking, so that was the preferred connection to AWS RDS.