How can I access a secure database server from a PHP web server?
How should I set up my web server network so the database server is not accessible to people?
May 18th, 2000 05:25
Nathan Wallace, Rick Widmer
You establish a second, separate network between the web servers and the
database server. As long as the web servers don't forward packets the
two networks can never communicate, yet the web servers can access both
the Internet and the database server.
The key to security is not so much locking down the ports on the
database server as making sure the web servers do not forward packets
to/from the Internet. I'm not saying don't lock down unneeded ports;
that is common sense. I'm just pointing out that the key is not
forwarding packets through the web servers.
How to set it up...
Database Server:
This machine is fairly normal and has only one network card. Shut off
everything but the database server. No sendmail, httpd, etc. Disable
anything you don't _need_ in inetd.conf. If you don't need any inetd
services, don't start the daemon.
Pick an IP address from RFC1918 address space. (10.x.x.x, 192.168.x.x
and one other block I don't remember.) Add this address to your
/etc/hosts files or DNS so web server(s) can find the database server.
The Database Network:
Connect the database machine to a new hub or switch that is NOT
connected to the Internet. If there is only one web server you can use
a crossover cable. Connect the second network card in each web server
to the database network hub. Make SURE it connects to nothing but web
servers that need access to the hidden database server. One possible
exception would be a backup server. (As in a box with a tape drive.) It
would be able to see the web servers and the database, but not the
Internet, or your news and mail servers.
Web server(s):
Add a second network card. Pick an RFC1918 address in the same subnet
as the database server.
Connect it to the database network.
Make sure IP forwarding is OFF, so the machine will not route packets
from one interface to the other. THIS IS VERY IMPORTANT!!! I compile
static kernels with IP Forwarding disabled for my servers.
Make sure the database server is referenced in /etc/hosts or DNS so you
can list it by name in the hostname parameter of all your scripts.
Start pointing your scripts at the hidden database server.
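A small audit script for the web server side of this setup, added here as an example (it is not from the original post). It checks the three conditions the answer relies on: the web server's second NIC and the database server both use RFC1918 addresses, they sit in the same subnet so no routing is needed between them, and the Linux IP-forwarding knob (/proc/sys/net/ipv4/ip_forward) reads 0. The addresses, prefix length and the temp file used in the demonstration at the bottom are constructed values.

```shell
#!/bin/sh
# Constructed audit script (not from the original post). Sample values in the
# demo at the bottom are made up; replace them with your own hosts.

# Convert a dotted quad to a 32-bit integer; fail (status 1) on malformed input.
ipv4_to_int() {
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac   # digits only, no leading zero
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
# Status 0 if $1 lies in 10/8, 172.16/12 or 192.168/16 (the three RFC1918 blocks).
is_rfc1918() {
    n=$(ipv4_to_int "$1") || return 1
    first=$(( n >> 24 )); second=$(( (n >> 16) & 255 ))
    [ "$first" -eq 10 ] && return 0
    [ "$first" -eq 172 ] && [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
    [ "$first" -eq 192 ] && [ "$second" -eq 168 ] && return 0
    return 1
}
# Status 0 if $1 and $2 share the /$3 prefix: the web server's database NIC and
# the database server must be in one subnet so no router ever sits between them.
same_subnet() {
    x=$(ipv4_to_int "$1") || return 1
    y=$(ipv4_to_int "$2") || return 1
    mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
    [ $(( x & mask )) -eq $(( y & mask )) ]
}
# Status 0 if the kernel knob in file $1 reads 0 (IP forwarding OFF).
# Default is the live Linux path; pass another file to audit a saved copy.
forwarding_disabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    [ "$(cat "$f")" = "0" ]
}
# Run every check; one line per failure, status 0 only when all pass.
audit_web_server() {   # args: web_db_nic_addr db_addr prefixlen [forward_file]
    rc=0
    is_rfc1918 "$1" && is_rfc1918 "$2" || { echo "FAIL: not RFC1918 address space"; rc=1; }
    same_subnet "$1" "$2" "$3" || { echo "FAIL: web NIC and DB server not in one /$3"; rc=1; }
    forwarding_disabled "$4" || { echo "FAIL: IP forwarding is ON or cannot be read"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: database network is isolated from this host's routing"
    return "$rc"
}
# Demonstration with constructed values; a temp file stands in for the kernel knob.
tmp=$(mktemp); echo 0 > "$tmp"
audit_web_server 192.168.50.10 192.168.50.2 24 "$tmp"
rm -f "$tmp"
```

Run it on each web server after adding the second card; drop the fourth argument to audit the live kernel setting instead of a saved copy.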