From: Paul Schmehl
To: DAve, freebsd-questions@freebsd.org
Date: Mon, 06 Apr 2009 23:20:16 -0500
Subject: Re: Multiple instances of MySQL

--On April 6, 2009 11:41:06 PM -0400 DAve wrote:

> Olivier Nicole wrote:
>> Hi,
>>
>>> Has anyone set up two instances of MySQL on the same server? One
>>> running just a client's DBs? Any advice would be helpful.
>>
>> That is not answering your question directly, but MySQL works fine
>> over an SSH tunnel.
>>
>> You'd have your users connect/authenticate with SSH first to establish
>> the tunnel, then they'd use the tunnel to forward the MySQL
>> connection.
>
> I doubt that would be an option without a GUI to do everything for the
> user. I suggested a VPN which we can set up easily with a Cisco Client.
> No answer back from the account manager on that option.
>

If your client needs a gui to access mysql, why not use phpmyadmin (or a similar gui-based admin utility) and restrict access to his IP(s)? You can do this with your firewall rules or by using .htaccess. You can also force SSL connections, which would protect against MITM attacks on a cleartext session. (You can also require SSL and secure auth for the db and restrict access by IP using the format username@fqdn, but you stated that you're not comfortable depending *only* upon mysql's security capabilities.)

However, I would suggest that you provide, as you suggest, a separate instance of mysql just for this client as well. If they screw up the instance they won't affect other customers.

To run a separate instance, I would suggest using different names for the binaries, conf files and datadir. This can be easily done using symlinks; e.g. mysql and mysql-special. Then copy the startup script in /usr/local/etc/rc.d/, rename it to mysql-special and edit it to change all references to the newly-named instance. Use a my-special.cnf file for the special instance and reference it in /etc/rc.conf using mysql_args=.

Paul Schmehl
If it isn't already obvious, my opinions are my own and not those of my employer.
******************************************
WARNING: Check the headers before replying
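
A check to run once my-special.cnf exists, added here as an example and not part of the original message: it reports any of port, socket or datadir that the two instances' option files leave identical, since two mysqld processes on one host cannot share them. The file contents, port 3307 and the /var/db and /tmp paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag per-instance settings that two MySQL option files share.

# cnf_get FILE KEY: print KEY's value from the [mysqld] section (last one wins).
cnf_get() {
    awk -v key="$2" '
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        !in_sec       { next }
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/_/, "-", k)   # option names accept "-" or "_"
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# instance_conflicts A B: print each setting both files resolve to the same
# value (unset on both sides means both fall back to the built-in default).
# Returns 1 if anything was printed, 0 otherwise.
instance_conflicts() {
    found=0
    for key in port socket datadir; do
        a=$(cnf_get "$1" "$key"); b=$(cnf_get "$2" "$key")
        if [ "${a:-(default)}" = "${b:-(default)}" ]; then
            echo "$key: ${a:-(default)}"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample option files; the special one starts out without a socket.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '[mysqld]\ndatadir = /var/db/mysql\n' > "$tmp/my.cnf"
printf '[mysqld]\nport = 3307\ndatadir = /var/db/mysql-special\n' \
    > "$tmp/my-special.cnf"

instance_conflicts "$tmp/my.cnf" "$tmp/my-special.cnf" \
    || echo "shared settings listed above must be changed"

# Giving the second instance its own socket clears the remaining clash.
printf 'socket = /tmp/mysql-special.sock\n' >> "$tmp/my-special.cnf"
instance_conflicts "$tmp/my.cnf" "$tmp/my-special.cnf" \
    && echo "no shared port, socket or datadir"
```
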