I wrote briefly about securing MySQL last week, and Andrew-J2000 suggested he was looking for a bit more depth on the clustering side of the scenario. I have collected some additional links here, as night-table reading, covering case studies, documentation and other miscellany involved in clustering MySQL.
When it comes to MySQL, one of the best sources remains the vendor. MySQL AB has built a lot of credibility on its extensive documentation and on the depth of community participants contributing tips and techniques, and its site has numerous links out to further resources, including training.
There were some nice links here on O'Reilly. Also useful is a PDF presentation by Brad Fitzpatrick on LiveJournal's monstrous MySQL implementation.
Finally, there is also a very nice How To by Alex Davies which includes configuration and security tips.
July 5th, 2005 at 9:00 pm
Hi Blane,
I should have included replication in that sentence too. Whilst I have been looking at the benefits of clustering the current environment, I am a little wary of aspects such as "All databases handled by the cluster have to be stored in primary memory. One can spread the data across several nodes, but their combined memory is a limit on the size of databases." I see this as an immediate security issue; I'm not sure of any updates to MySQL, such as MySQL 5, which has had a number of significant and long overdue improvements.
Currently MySQL is being replicated on several servers and is within the corporate intranet; however, one thing mentioned in "High Performance MySQL" is that the application servers should be either in the DMZ or on a separate DMZ. Securing MySQL over the wire with SSL is possible; however, what are the tradeoffs with regard to replication/clustering?
mysqld_safe --skip-networking
# Good for replication; however, JDBC doesn't support Unix domain sockets apparently.
SHOW VARIABLES LIKE 'have_openssl';
GRANT ALL PRIVILEGES ON ssl_only_db.* TO 'username'@'%'
  IDENTIFIED BY 'XYZ' REQUIRE SSL;
This gets a lot more detailed, and you can require specific cert details from the client, which is very helpful :) Brute-force attempts can be limited by the server variable 'max_connection_errors'. Also, chroot mysql.
I’ve come across EmicNetworks.com previously, anyone have any information about them at all?
Anyway, thanks for the references:)
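A worked version of the GRANT / REQUIRE and replication-over-SSL pieces discussed in the comment above. This is an added example, not code from the original post or from either commenter; the host addresses, account names, passwords, database name, certificate subject strings and file paths are all assumptions chosen for illustration, and the syntax is the MySQL 4.1/5.0 form current at the time of the thread. It also carries two caveats a practitioner would want: the grant as posted is open to any host and hands out ALL PRIVILEGES, and the throttling variable is actually named max_connect_errors, which in MySQL of this era counts interrupted connection handshakes rather than wrong passwords, so it is not a password brute-force defence on its own.

```sql
-- Added example (not from the original post or comments). Hosts, user names,
-- passwords, the database name, certificate subjects and file paths are all
-- assumptions. Syntax is MySQL 4.1/5.0 era, matching the thread.

-- 1. Confirm the server was built with SSL support and has ssl-ca/ssl-cert/
--    ssl-key configured. 'have_openssl' (and, on later 5.0 builds, 'have_ssl')
--    must read YES; DISABLED means compiled in but no certs configured.
SHOW VARIABLES LIKE 'have_%ssl%';

-- 2. The grant as posted. REQUIRE SSL encrypts the wire, but '%' lets any host
--    on any network path attempt the password, and ALL PRIVILEGES is far more
--    than an application account needs.
GRANT ALL PRIVILEGES ON ssl_only_db.* TO 'username'@'%'
  IDENTIFIED BY 'XYZ' REQUIRE SSL;

-- 3. Hardened form: least privilege, host pinned to the application-server
--    DMZ subnet, and a client certificate issued by our own CA is required,
--    so a leaked password alone is not enough to connect.
GRANT SELECT, INSERT, UPDATE, DELETE ON ssl_only_db.* TO 'appuser'@'10.1.2.%'
  IDENTIFIED BY 'a-long-random-password'
  REQUIRE SUBJECT '/C=US/ST=CA/O=Example Corp/CN=app01.example.com'
      AND ISSUER  '/C=US/ST=CA/O=Example Corp/CN=Example Internal CA'
      AND CIPHER  'DHE-RSA-AES256-SHA';

-- 4. Replication over SSL. The replication account only needs REPLICATION
--    SLAVE, is pinned to the slave's address, and must present a certificate
--    (REQUIRE X509: any cert signed by the master's ssl-ca).
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.1.3.20'
  IDENTIFIED BY 'another-long-random-password' REQUIRE X509;

-- 5. Verify what was actually stored: the REQUIRE clause should be present.
SHOW GRANTS FOR 'appuser'@'10.1.2.%';
SHOW GRANTS FOR 'repl'@'10.1.3.20';

-- 6. On the slave, point replication at the master with SSL turned on. The
--    slave's cert must chain to the CA the master trusts (its ssl-ca).
STOP SLAVE;
CHANGE MASTER TO
  MASTER_HOST='10.1.3.10',
  MASTER_USER='repl',
  MASTER_PASSWORD='another-long-random-password',
  MASTER_SSL=1,
  MASTER_SSL_CA='/etc/mysql/ssl/ca-cert.pem',
  MASTER_SSL_CERT='/etc/mysql/ssl/slave-cert.pem',
  MASTER_SSL_KEY='/etc/mysql/ssl/slave-key.pem';
START SLAVE;
-- In the output, Master_SSL_Allowed should read Yes and Slave_IO_Running Yes.
SHOW SLAVE STATUS;

-- 7. Connection-error throttling. The variable is max_connect_errors (not
--    max_connection_errors). After that many interrupted connects from one
--    host, that host is blocked until FLUSH HOSTS. Note: failed password
--    attempts do not count toward it, so it is not a login brute-force limit;
--    the host pinning and client certs above are what actually bound that.
SHOW VARIABLES LIKE 'max_connect_errors';
FLUSH HOSTS;
```

Two things to check before relying on this: the REQUIRE SUBJECT/ISSUER strings must match the DN exactly as the server prints it (compare against a connection made with the client cert and SHOW STATUS LIKE 'Ssl_cipher' to confirm the session really is encrypted), and replication traffic between the master and slave is only protected on the hops where MASTER_SSL=1 is set, so a slave that was set up earlier without it will keep replicating in the clear.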
July 6th, 2005 at 5:14 pm
As far as use of DMZs, I always recommend using three DMZs:
One for web servers, one for application servers and the most restricted for database servers. This layering method for larger implementations allows for tighter control on security and downplays the security issue of holding databases in primary memory. However, this does boost the level of hardware one must invest in. Since only larger projects go to this level of network division, the budget usually supports the beefier hardware requirements.
I will look through my research on replication and see what I have.