Page MenuHomePhorge
Create Task
Maniphest T15102

Implement SSL connection for database
Closed, DuplicatePublic
Actions

Description

Hi Guys

I'm not directly involved in PH dev so I ask you.

Could You implement settings for the SSL database connection?

Currently, I'm using a simple hack:

@@ -71,6 +71,12 @@ final class AphrontMySQLiDatabaseConnection
       $conn->options(MYSQLI_OPT_CONNECT_TIMEOUT, $timeout);
     }

+    /**
+     * CUSTOM CODE!
+     */
+    $conn->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
+    $conn->ssl_set('/folder/client-key.pem', '/folder/client-cert.pem', '/folder/ca.pem', NULL,NULL);
+
     if ($this->getPersistent()) {
       $host = 'p:'.$host;
     }

It will be nice to have an official config for it.

Related Objects

Event Timeline

martin created this task.Jun 29 2022, 15:23
Herald added subscribers: Matthew, chris, speck, tobiaswiese. · View Herald TranscriptJun 29 2022, 15:23
martin added a comment.EditedJul 1 2022, 09:46

Somehow this work ok with standard web serving but when trying run form phd daemon I'm getting:

PHLOG: 'Retrying database connection to "123.123.123.123" after connection failure (attempt 2; "AphrontConnectionQueryException"; error #2002): Attempt to connect to pha-user@123.123.123.123 failed with error #2002: .' at [/phabricator/src/infrastructure/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:138]

AphrontConnectionQueryException: Attempt to connect to pha-user@10.255.10.32 failed with error #2002: . at [<phabricator>/src/infrastructure/storage/lisk/PhabricatorLiskDAO.php:177]
arcanist(head=master, ref.master=85c953ebe4a6), phabricator(head=master, ref.master=97ab25732d41)
  #0 PhabricatorLiskDAO::raiseUnreachable(string, AphrontConnectionQueryException) called at [<phabricator>/src/infrastructure/storage/lisk/PhabricatorLiskDAO.php:134]
  #1 PhabricatorLiskDAO::newClusterConnection(string, string, string) called at [<phabricator>/src/infrastructure/storage/lisk/PhabricatorLiskDAO.php:70]
  #2 PhabricatorLiskDAO::establishLiveConnection(string) called at [<phabricator>/src/infrastructure/storage/lisk/LiskDAO.php:856]
  #3 LiskDAO::establishConnection(string) called at [<phabricator>/src/infrastructure/storage/lisk/LiskDAO.php:521]
  #4 LiskDAO::loadRawDataWhere(string, string) called at [<phabricator>/src/infrastructure/storage/lisk/LiskDAO.php:481]
  #5 LiskDAO::loadAllWhere(string, string) called at [<phabricator>/src/infrastructure/env/PhabricatorConfigDatabaseSource.php:18]
  #6 PhabricatorConfigDatabaseSource::loadConfig(string) called at [<phabricator>/src/infrastructure/env/PhabricatorConfigDatabaseSource.php:7]
  #7 PhabricatorConfigDatabaseSource::__construct(string) called at [<phabricator>/src/infrastructure/env/PhabricatorEnv.php:262]
  #8 PhabricatorEnv::buildConfigurationSourceStack(boolean) called at [<phabricator>/src/infrastructure/env/PhabricatorEnv.php:95]
  #9 PhabricatorEnv::initializeCommonEnvironment(boolean) called at [<phabricator>/src/infrastructure/env/PhabricatorEnv.php:75]
  #10 PhabricatorEnv::initializeScriptEnvironment(boolean) called at [<phabricator>/scripts/init/lib.php:26]
  #11 init_phabricator_script(array) called at [<phabricator>/scripts/init/init-script.php:9]
  #12 require_once(string) called at [<phabricator>/scripts/__init_script__.php:3]
  #13 require_once(string) called at [<phabricator>/scripts/daemon/manage_daemons.php:5]
avivey awarded a token.Aug 31 2022, 20:28
Cigaryno subscribed.Sep 18 2022, 06:20
pasik subscribed.Sep 20 2022, 19:53
valerio.bozzolan subscribed.Mar 16 2023, 18:49

Let's try to exclude some things. Are you sure that the phd is executing that file - just like the frontend? It happens sometime that some people has both Phorge and Phabricator and phd runs some files and the frontend some others. Are you using CentOS or any other distribution with SELinux enabled or this kind of security restrictions? Is there any security directive set in the systemd unit of phd? I think you are doing everything just right, but thank you for clarifying what you tried.

avivey closed this task as Spite.Apr 6 2023, 09:57
avivey claimed this task.
avivey subscribed.

Merging this task into T15045.

avivey mentioned this in T15045: Support SSL/TLS for MariaDB connections.Apr 6 2023, 10:00
Cigaryno reopened this task as Open.Apr 6 2023, 10:00
Cigaryno mentioned this in Z1: Phorge.
Cigaryno closed this task as a duplicate of T15045: Support SSL/TLS for MariaDB connections.
valerio.bozzolan edited projects, added Config; removed Config (archived).Apr 27 2023, 07:57
Content licensed under Creative Commons Attribution-ShareAlike 4.0 (CC-BY-SA) unless otherwise noted; code licensed under Apache 2.0 or other open source licenses. · CC BY-SA 4.0 · Apache 2.0