Connecting to MySQL securely - MySQL's SSL vs Stunnel vs SSH Tunneling
We have a PHP application which connects to a MySQL server, and we wish to secure connections between the web & application servers and the database.
At peak times, the web servers make many hundreds of concurrent connections to the database, and perform lots of small reads and writes. I'm aware this isn't optimal, and am working on reducing the number of database connections in parallel to this.
We don't have persistent connections to the database turned on currently, and although we intend to in the future I would like to implement this independently of that.
Hardware wise - the MySQL server is quite chunky (16 core) as are the web servers. They're dedicated servers.
My question then surrounds the most performant way of securing & encrypting the connections to the database server.
My research so far has suggested that the main performance overhead is with setting up the SSL connection - once SSL is connected there is little performance penalty. And here's what I have about each method of securing the connection:
- MySQL SSL Certificates - works just like normal SSL. Can use client certificates to prevent unauthorised connections. No persistent connections with our existing setup. Still have to have MySQL listening on an open port on the firewall.
- stunnel. Set up a port to port ssl tunnel. Do not have to reconfigure MySQL. Can close the normal MySQL listening port to prevent malicious MySQL connection attempts. Does not support persistent connections. Unknown performance hit.
- SSH Tunneling. Create an SSH tunnel between the client and the server. Do not have to reconfigure MySQL. Can close the normal MySQL listening port to prevent malicious MySQL connection attempts. Supports persistent connections, but these sometimes drop out. Unknown performance hit.
This is as far as I've been able to get. I'm aware of the limitations of benchmarks - in my experience of running them it's very difficult to simulate real world traffic. I was hoping that someone had some advice based on their own experiences of securing MySQL?
Thanks
I would go with the ssh-tunnel and do it with autossh
instead of ssh
. About the performance I would say, that the SSH protocol is highly customizable and you could fine tune your connection, if needed.
But I would not expect a noticeable overhead after the connection is set up.
By looking at the benchmarks of this article (MySQL Performance Blog), you should really avoid MySQL’s native SSL capability.