From: John Almberg
Date: Mon, 20 Oct 2008 17:45:55 -0400
To: freebsd-questions@freebsd.org
Subject: Re: mysql connection through ssl tunnel

On Oct 20, 2008, at 5:21 PM, Jeremy Chadwick wrote:

> On Mon, Oct 20, 2008 at 03:25:23PM -0400, John Almberg wrote:
>> On Sep 23, 2008, at 10:09 AM, Vincent Hoffman wrote:
>>> John Almberg wrote:
>>>> I have two FreeBSD machines. One is an application server, the other a
>>>> database server running mysql. These machines are in two different
>>>> locations. I'd like to allow the application server to access mysql
>>>> through an SSH tunnel.
>
> I'm somewhat amazed at the fact that everyone so far has gone completely
> wild with SSH to solve this problem.
>
> Has anyone made the OP aware that MySQL *does* in fact support SSL
> natively, and that it can be used between client and server, as well as
> between master and slave (for replication)?
>
> The SSH tunnelling idea is fine if you want to access a MySQL server
> behind a firewall or on a private network, but I'm a bit confused as to
> why everyone's going to great lengths to use SSH to accomplish something
> MySQL has support for natively.
>
> Please clue me in. :-)

Hi Jeremy,

There are two PF firewalls in the mix, one at each end. The two machines are in different data centers. Actually, that is the motivation behind this exercise. The client wants the database in his own data center, since it contains information he needs to have physical control over.

I do know that MySQL supports SSL... somehow this got discounted early in the discussion, perhaps mistakenly?

Anyway, the autossh option works perfectly, so I think I will stick with that unless there's a good reason not to. I have Monit running on the remote server, so I can probably monitor/restart autossh with that (with another few hours reading, of course :-)

-- John
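A small check that ties the two threads of this discussion together, added here as an example and not code from the thread or from MySQL: it connects to the local end of the autossh tunnel (a probe Monit can run as a health check) and parses the MySQL protocol-v10 greeting to report whether the server advertises native SSL, which is what Jeremy's suggestion depends on. The local tunnel address 127.0.0.1:3307 and the sample packets are assumptions constructed for the example.

```python
"""Probe a MySQL port (e.g. the local end of an SSH tunnel) and read the greeting."""
import socket
import struct
import sys

CLIENT_SSL = 0x0800  # capability bit a server sets only when SSL is compiled in and configured


def build_handshake(version: bytes, conn_id: int, caps: int) -> bytes:
    """Construct a v10 Initial Handshake (4-byte header + payload); constructed sample only."""
    payload = (b"\x0a" + version + b"\x00" + struct.pack("<I", conn_id)
               + b"12345678" + b"\x00" + struct.pack("<H", caps & 0xFFFF)
               + b"\x08" + struct.pack("<H", 0x0002) + struct.pack("<H", caps >> 16)
               + b"\x00" + b"\x00" * 10 + b"123456789012" + b"\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload


def parse_handshake(raw: bytes) -> dict:
    """Parse the greeting; ValueError on an ERR packet or malformed/truncated input."""
    if len(raw) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if payload[0] != 0x0a:  # 0xff here is an ERR packet, e.g. host not allowed to connect
        raise ValueError("not a v10 handshake, first byte %#x" % payload[0])
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    conn_id = struct.unpack_from("<I", payload, pos)[0]
    pos += 4 + 8 + 1  # connection id, auth-plugin-data-part-1, filler byte
    cap_lower = struct.unpack_from("<H", payload, pos)[0]
    # charset (1) and status flags (2) sit between the two capability halves
    cap_upper = struct.unpack_from("<H", payload, pos + 5)[0] if len(payload) >= pos + 7 else 0
    caps = cap_lower | cap_upper << 16
    return {"version": version, "connection_id": conn_id,
            "ssl_advertised": bool(caps & CLIENT_SSL)}


def probe(host: str = "127.0.0.1", port: int = 3307, timeout: float = 5.0) -> dict:
    """Connect to the tunnel's local port and read the greeting; any exception means
    the tunnel or the server is down, which is what a Monit check program needs."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        header = sock.recv(4)
        body = b""
        while len(body) < int.from_bytes(header[:3], "little"):
            chunk = sock.recv(int.from_bytes(header[:3], "little") - len(body))
            if not chunk:
                raise ValueError("connection closed mid-handshake")
            body += chunk
    return parse_handshake(header + body)


if __name__ == "__main__":
    try:
        print(probe())
    except (OSError, ValueError) as exc:
        sys.exit("tunnel check failed: %s" % exc)
```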