Securing Connections to Remote MySQL/MariaDB Database Servers¶
summary
If you have one or more remote MySQL/MariaDB database servers registered in Plesk, we recommend that you secure connections between them and Plesk using an SSL/TLS certificate. This will prevent the possibility of sensitive information being intercepted by a third party.
In this topic, you will learn how to secure connections to MySQL/MariaDB database servers with SSL/TLS certificates.
Overview¶
You can use the instructions found in this topic to secure connections to MySQL database servers, and also to MySQL derivatives, such as MariaDB or Percona.
If your Plesk only uses local database server(s), there is no need to secure connections to them.
You can secure connections to database servers using a self-signed SSL/TLS certificate, or a free or paid certificate issued by a certificate authority. A self-signed certificate ensures that connections between Plesk and database servers are encrypted and should be enough in most cases. However, a certificate issued by a certificate authority, free or paid, can also be used to verify a database server’s identity, which helps protect against man-in-the-middle attacks.
Securing Connections to a Remote MySQL/MariaDB Database Server¶
The process of securing connections to remote database servers consists of two steps. First, you need to configure each remote database server to use encrypted connections. Then, you need to enable encrypted connections to database servers in Plesk.
To configure database servers to use encrypted connections, follow the instructions in the corresponding vendor’s documentation:
- Learn how to configure MySQL to use encrypted connections.
- Learn how to configure MariaDB to use encrypted connections.
- Learn how to configure Percona to use encrypted connections.
When following the above instructions, make sure that you add the following optional line to the my.cnf
file:
require_secure_transport=ON
This is to force the database servers to use encrypted connections. The alternative is to
update database users on a per user basis using the ALTER USER
statement, like this:
alter user 'admin'@'localhost' require ssl;
In the latter case, only connections for the updated database users will be encrypted.
Once you have configured all database servers to use encrypted connections, you need to enable encrypted connections to database servers in Plesk. Optionally, you can also configure Plesk to verify database servers’ identities before connecting. This is required to protect against man-in-the-middle attacks.
Enabling encrypted connections to database servers
Add the following lines to the file to enable encrypted connections to database servers:
[database] tls.enable = true;
(Optional) Add the following lines under the ones you just added to verify database servers’ identities before connecting:
tls.verifyServerCert = true; tls.sslCA = <path to the .pem file containing the relevant X.509 certificate(s)>;
The X.509 certificate(s) can be generated via the
openssl
utility (if one or more database servers are secured with self-signed certificates) or requested from the corresponding certificate authority (if one or more database servers are secured with certificates issued by a certificate authority).Note
When Plesk is configured to verify database servers’ identities before connecting, database servers’ hostnames must match those specified in the SSL/TLS certificates they are secured with. Plesk will refuse to connect to a database server whose hostname does not match the name specified in the SSL/TLS certificate it is secured with.
Connections between MySQL/MariaDB database servers and Plesk are now secure and cannot be intercepted by a third party.