MariaDB Security Secure MariaDB SSL external access?

Discussion in 'MariaDB & General MySQL news & discussions' started by redbird, Sep 22, 2023.

  1. redbird

    redbird Member

    Is there a script to set up MariaDB being accessible externally via SSL?


    Or a tutorial on how to set it up correctly in centminmod.

    Thanks.
     
    Last edited: Sep 22, 2023
  2. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod MariaDB MySQL is installed from the official MariaDB MySQL YUM repo, so generally the process outlined by online guides and official documentation is the same. Though Centmin Mod doesn't use the /etc/mysql/mariadb.conf.d directory method of configuring MariaDB MySQL. Instead everything is configured in /etc/my.cnf, so ensure you back up /etc/my.cnf first.

    You'll need to configure both Centmin Mod MariaDB MySQL for remote inbound connection handling by granting a remote MySQL user privileges and also configure Centmin Mod's CSF Firewall (https://centminmod.com/csf_firewall.html) to allow connections to MariaDB MySQL port 3306 + also configure the client connecting MySQL server/web app/scripts that connect and talk to Centmin Mod MariaDB MySQL.

    For granting Centmin Mod MariaDB MySQL inbound MySQL TCP 3306 port access from a remote server via CSF Firewall, you can set as the very first entry in /etc/csf/csf.allow the following:
    Code (Text):
    tcp|in|d=3306|s=YOUR_REMOTE_IP_ADDRESS
    

    • tcp: Specifies the protocol (TCP in this case).
    • in: Specifies the direction (inbound).
    • d=3306: Specifies the destination port (3306 for MySQL/MariaDB).
    • s=YOUR_REMOTE_IP_ADDRESS: Specifies the source IP address that is allowed to connect to this port.
    Then restart CSF Firewall
    Code (Text):
    csf -ra
    

    Note, newer Centmin Mod 130.00beta01 after May 19, 2023 updated CSF Firewall to allow outbound TCP 3306 by default (commit "update CSF Firewall to allow external MySQL 3306 port in 130.00beta01 · centminmod/centminmod@194800e") for the TCP_OUT and TCP6_OUT comma separated list of whitelisted ports in /etc/csf/csf.conf. Not to be confused with the above inbound TCP 3306 setup. Prior Centmin Mod versions didn't allow outbound TCP 3306 by default. So if the remote web server trying to connect to Centmin Mod MariaDB MySQL is also Centmin Mod LEMP stack based, on the remote web server you would need to update CSF Firewall to allow outbound TCP 3306 by default for the TCP_OUT and TCP6_OUT comma separated list of whitelisted ports in /etc/csf/csf.conf and restart CSF Firewall too.

    Correction, when I refer to outbound TCP it's for TCP_OUT and TCP6_OUT in /etc/csf/csf.conf

    For the rest, Google search for 'mariadb 10 ssl setup' gives me
    Then, any web app/script would need to support MySQL SSL connections to be able to connect to Centmin Mod MariaDB MySQL SSL setup and that would depend on the web app/script itself. If they don't support MySQL SSL setup, then you probably need to do a non-SSL setup and just a regular remote MySQL setup. If you set up CSF Firewall and MySQL remote user grant privileges correctly, no one else should be able to connect to Centmin Mod MariaDB MySQL remotely.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Made some typos above. Correction, when I refer to outbound TCP it's for TCP_OUT and TCP6_OUT in /etc/csf/csf.conf
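
Added example (not part of the thread and not Centmin Mod code): a small Python audit of the firewall side of the setup described above. It checks that port 3306 is reachable only through per-source `csf.allow` rules and not through the global `TCP_IN`/`TCP6_IN` lists, and catches a placeholder left unreplaced. The function names and the sample file contents are constructed for illustration.

```python
import ipaddress
import re

def listed_ports(conf_text, key):
    """Ports named by a csf.conf list such as TCP_IN = "22,80,30000:30010"."""
    m = re.search(rf'^\s*{key}\s*=\s*"([^"]*)"', conf_text, re.M)
    ports = set()
    for item in (m.group(1).split(",") if m else []):
        item = item.strip()
        if item:
            lo, _, hi = item.partition(":")  # "a:b" is a port range
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def allowed_sources(allow_text, port):
    """Sources granted inbound TCP access to `port` by csf.allow advanced rules."""
    sources = []
    for line in allow_text.splitlines():
        fields = line.split("#", 1)[0].strip().split("|")  # drop trailing comment
        if (len(fields) == 4 and fields[:3] == ["tcp", "in", f"d={port}"]
                and fields[3].startswith("s=")):
            sources.append(fields[3][2:])
    return sources

def audit(conf_text, allow_text, port=3306):
    """Return a list of findings; an empty list means the port is source-restricted."""
    findings = []
    for key in ("TCP_IN", "TCP6_IN"):
        if port in listed_ports(conf_text, key):
            findings.append(f"{key} opens {port} to every source")
    sources = allowed_sources(allow_text, port)
    if not sources:
        findings.append(f"no csf.allow rule for inbound {port}")
    for src in sources:
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            findings.append(f"csf.allow source is not an IP: {src}")
            continue
        if net.prefixlen == 0:
            findings.append(f"csf.allow source matches any address: {src}")
    return findings

# Constructed sample contents of /etc/csf/csf.conf and /etc/csf/csf.allow.
SAMPLE_CONF = 'TCP_IN = "22,80,443,3306"\nTCP6_IN = "22,80,443"\nTCP_OUT = "22,80,443,3306"\n'
SAMPLE_ALLOW = "tcp|in|d=3306|s=YOUR_REMOTE_IP_ADDRESS\ntcp|in|d=3306|s=203.0.113.10 # web1\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_ALLOW):
        print("FINDING:", finding)
```

On the connecting web server, `3306 in listed_ports(conf_text, "TCP_OUT")` gives the matching outbound check for the TCP_OUT/TCP6_OUT lists.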