
Implement SSL connection for database
Closed, Duplicate | Public

Description

Hi guys,

I'm not directly involved in PH dev, so I'm asking you.

Could you implement settings for an SSL database connection?

Currently, I'm using a simple hack:

@@ -71,6 +71,12 @@ final class AphrontMySQLiDatabaseConnection
       $conn->options(MYSQLI_OPT_CONNECT_TIMEOUT, $timeout);
     }

+    /**
+     * CUSTOM CODE!
+     */
+    $conn->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
+    $conn->ssl_set('/folder/client-key.pem', '/folder/client-cert.pem', '/folder/ca.pem', NULL,NULL);
+
     if ($this->getPersistent()) {
       $host = 'p:'.$host;
     }
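Review bot: the PEM paths in `$conn->ssl_set('/folder/client-key.pem', '/folder/client-cert.pem', '/folder/ca.pem', NULL,NULL);` are hard-coded and the call is unconditional, so every connection this class opens, including those opened by daemons, now requires all three files to be readable by whatever user the process runs as. Suggest reading the three paths from configuration and only calling `ssl_set()` and setting `MYSQLI_OPT_SSL_VERIFY_SERVER_CERT` when a TLS configuration is present; keeping the verify-server-cert option is the right call, since without it the client encrypts the session but does not authenticate the server. The `CUSTOM CODE!` doc-comment should say what is being configured, and the trailing `NULL,NULL` arguments (capath, cipher) deserve either a comment or their own config options.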

It would be nice to have an official config for it.
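What a configuration-driven version of the hack above could look like, as an added example that is not Phorge's or Phabricator's own code: the `mysql.tls` config key, its sub-keys and the sample paths are assumptions for illustration.

```php
<?php
// Added example (not Phorge code): config-driven TLS for a mysqli connection.
function apply_mysql_tls(mysqli $conn, array $config): void {
  $tls = $config['mysql.tls'] ?? null;   // hypothetical config key
  if (!$tls) {
    return;                              // no TLS configured: plain connection
  }
  foreach (array('key', 'cert', 'ca') as $name) {
    $path = $tls[$name] ?? null;
    // Fail early with a clear message: the process user (e.g. the one phd
    // runs as) may lack read access even when the web server user has it.
    if ($path === null || !is_readable($path)) {
      throw new RuntimeException(
        "TLS '{$name}' file missing or not readable: ".var_export($path, true));
    }
  }
  // Verify the server certificate against the CA; without this option the
  // client encrypts the session but does not authenticate the server.
  $conn->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
  // ssl_set() must run before real_connect(); last two args: capath, cipher.
  $conn->ssl_set($tls['key'], $tls['cert'], $tls['ca'], null, null);
}

function connect_with_tls(array $config): mysqli {
  $conn = mysqli_init();
  apply_mysql_tls($conn, $config);
  $ok = $conn->real_connect(
    $config['mysql.host'], $config['mysql.user'], $config['mysql.pass'],
    null, $config['mysql.port'] ?? 3306, null, MYSQLI_CLIENT_SSL);
  if (!$ok) {
    // Include the errno: the daemon log on this task shows "#2002: ." only.
    throw new RuntimeException(
      'Connect failed: #'.mysqli_connect_errno().': '.mysqli_connect_error());
  }
  return $conn;
}
// Constructed sample configuration with placeholder values.
$config = array(
  'mysql.host' => 'db.example.internal',
  'mysql.user' => 'pha-user',
  'mysql.pass' => 'REPLACE_ME',
  'mysql.tls'  => array(
    'key'  => '/etc/phorge/tls/client-key.pem',
    'cert' => '/etc/phorge/tls/client-cert.pem',
    'ca'   => '/etc/phorge/tls/ca.pem',
  ),
);
$conn = connect_with_tls($config);
$row = $conn->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch_assoc();
echo 'TLS cipher in use: '.$row['Value'].PHP_EOL;  // empty means no TLS
```

Running the script as the same system user the daemons use is the quickest way to tell a certificate-file permission problem apart from a network one.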

Event Timeline

Somehow this works OK with standard web serving, but when trying to run it from the phd daemon I'm getting:

PHLOG: 'Retrying database connection to "123.123.123.123" after connection failure (attempt 2; "AphrontConnectionQueryException"; error #2002): Attempt to connect to pha-user@123.123.123.123 failed with error #2002: .' at [/phabricator/src/infrastructure/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:138]

AphrontConnectionQueryException: Attempt to connect to pha-user@10.255.10.32 failed with error #2002: . at [<phabricator>/src/infrastructure/storage/lisk/PhabricatorLiskDAO.php:177]
arcanist(head=master, ref.master=85c953ebe4a6), phabricator(head=master, ref.master=97ab25732d41)
  #0 PhabricatorLiskDAO::raiseUnreachable(string, AphrontConnectionQueryException) called at [<phabricator>/src/infrastructure/storage/lisk/PhabricatorLiskDAO.php:134]
  #1 PhabricatorLiskDAO::newClusterConnection(string, string, string) called at [<phabricator>/src/infrastructure/storage/lisk/PhabricatorLiskDAO.php:70]
  #2 PhabricatorLiskDAO::establishLiveConnection(string) called at [<phabricator>/src/infrastructure/storage/lisk/LiskDAO.php:856]
  #3 LiskDAO::establishConnection(string) called at [<phabricator>/src/infrastructure/storage/lisk/LiskDAO.php:521]
  #4 LiskDAO::loadRawDataWhere(string, string) called at [<phabricator>/src/infrastructure/storage/lisk/LiskDAO.php:481]
  #5 LiskDAO::loadAllWhere(string, string) called at [<phabricator>/src/infrastructure/env/PhabricatorConfigDatabaseSource.php:18]
  #6 PhabricatorConfigDatabaseSource::loadConfig(string) called at [<phabricator>/src/infrastructure/env/PhabricatorConfigDatabaseSource.php:7]
  #7 PhabricatorConfigDatabaseSource::__construct(string) called at [<phabricator>/src/infrastructure/env/PhabricatorEnv.php:262]
  #8 PhabricatorEnv::buildConfigurationSourceStack(boolean) called at [<phabricator>/src/infrastructure/env/PhabricatorEnv.php:95]
  #9 PhabricatorEnv::initializeCommonEnvironment(boolean) called at [<phabricator>/src/infrastructure/env/PhabricatorEnv.php:75]
  #10 PhabricatorEnv::initializeScriptEnvironment(boolean) called at [<phabricator>/scripts/init/lib.php:26]
  #11 init_phabricator_script(array) called at [<phabricator>/scripts/init/init-script.php:9]
  #12 require_once(string) called at [<phabricator>/scripts/__init_script__.php:3]
  #13 require_once(string) called at [<phabricator>/scripts/daemon/manage_daemons.php:5]

Let's try to exclude some things. Are you sure that phd is executing that file, just like the frontend? It sometimes happens that people have both Phorge and Phabricator installed, and phd runs some files while the frontend runs others. Are you using CentOS or any other distribution with SELinux enabled, or this kind of security restriction? Is there any security directive set in the systemd unit for phd? I think you are doing everything just right, but thank you for clarifying what you have tried.

avivey claimed this task.
avivey subscribed.

Merging this task into T15045.

Cigaryno mentioned this in Z1: Phorge.
Cigaryno closed this task as a duplicate of T15045: Support SSL/TLS for MariaDB connections.