Thread: php, postgres, ssl
Is it possible to connect from php to a remote postgres server through a secure connection?
How?

--
System Administration: It's a dirty job,
but someone told me I had to do it.
-----------------------------------------------------------------
Martín Marqués                  email:  martin@math.unl.edu.ar
Santa Fe - Argentina            http://math.unl.edu.ar/~martin/
Systems administrator at math.unl.edu.ar
-----------------------------------------------------------------

I'd assume that would be totally independent of PHP. You'd probably have to set up your webserver to connect to the postgres server over an encrypted line... like using IPSEC or something. Then have PHP connect as normal... the IPSEC layer would encrypt all transmissions.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Martin A. Marques" <martin@math.unl.edu.ar>
To: <pgsql-php@postgresql.org>
Sent: Tuesday, March 20, 2001 4:43 PM
Subject: [PHP] php, postgres, ssl

> Is it possible to connect from php to a remote postgres server through a
> secure connection?
> How?

On Wed 21 Mar 2001 10:46, you wrote:
> I'd assume that would be totally independent of PHP. You'd probably have
> to set up your webserver to connect to the postgres server over an encrypted
> line... like using IPSEC or something. Then have PHP connect as normal...
> the IPSEC layer would encrypt all transmissions.

Well, then I'm even more confused.
Let's see if I'm lost, or not.

Browser A connects to Server (Apache with PHP). The page (say index.php) has a pg_connect("host=hostname dbname=dbname password=dpass"). As far as I can see, PHP is doing the connection stuff here, and apache has nothing to do with it.

Any comments?

Regards... ;-)

--
System Administration: It's a dirty job,
but someone told me I had to do it.
-----------------------------------------------------------------
Martín Marqués                  email:  martin@math.unl.edu.ar
Santa Fe - Argentina            http://math.unl.edu.ar/~martin/
Systems administrator at math.unl.edu.ar
-----------------------------------------------------------------

Correct, all it does is connect straight to the database. It doesn't have anything to involve encryption... it doesn't care. So, you'll probably need to secure the path yourself, i.e. IPSEC.

Someone else may have a better idea, but this is all I can think of. Typically though, you shouldn't have PHP connect to a database over a connection that is insecure/public.

Any reason this is a concern?

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Martin A. Marques" <martin@math.unl.edu.ar>
To: "Adam Lang" <aalang@rutgersinsurance.com>; <pgsql-php@postgresql.org>
Sent: Wednesday, March 21, 2001 3:41 PM
Subject: Re: [PHP] php, postgres, ssl

> On Wed 21 Mar 2001 10:46, you wrote:
> > I'd assume that would be totally independent of PHP. You'd probably have
> > to set up your webserver to connect to the postgres server over an encrypted
> > line... like using IPSEC or something. Then have PHP connect as normal...
> > the IPSEC layer would encrypt all transmissions.
>
> Well, then I'm even more confused.
> Let's see if I'm lost, or not.
>
> Browser A connects to Server (Apache with PHP). The page (say index.php) has a
> pg_connect("host=hostname dbname=dbname password=dpass"). As far as I can
> see, PHP is doing the connection stuff here, and apache has nothing to do with
> it.
>
> Any comments?
>
> Regards... ;-)

On Wed 21 Mar 2001 18:33, Adam Lang wrote:
> Correct, all it does is connect straight to the database. It doesn't have
> anything to involve encryption... it doesn't care. So, you'll probably
> need to secure the path yourself, i.e. IPSEC.
>
> Someone else may have a better idea, but this is all I can think of.
> Typically though, you shouldn't have PHP connect to a database over a
> connection that is insecure/public.
>
> Any reason this is a concern?

Well, I thought about this, because I was trying to build something like it. A web server, and a database server, separated! So I thought, if Postgres accepts hostssl connections (if compiled with ssl support), why doesn't PHP use this powerful feature?
Would it be difficult to build a pg_connectssl function in PHP that would do this?

Regards... :-)

--
System Administration: It's a dirty job,
but someone told me I had to do it.
-----------------------------------------------------------------
Martín Marqués                  email:  martin@math.unl.edu.ar
Santa Fe - Argentina            http://math.unl.edu.ar/~martin/
Systems administrator at math.unl.edu.ar
-----------------------------------------------------------------

Hmm... I don't know. Very interesting question.

But unless you have some fear of someone sniffing the line between your webserver and the database server, it isn't much of a concern I'd assume.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Martin A. Marques" <martin@math.unl.edu.ar>
To: "Adam Lang" <aalang@rutgersinsurance.com>; <pgsql-php@postgresql.org>
Sent: Wednesday, March 21, 2001 4:38 PM
Subject: Re: [PHP] php, postgres, ssl

> On Wed 21 Mar 2001 18:33, Adam Lang wrote:
> > Correct, all it does is connect straight to the database. It doesn't have
> > anything to involve encryption... it doesn't care. So, you'll probably
> > need to secure the path yourself, i.e. IPSEC.
> >
> > Someone else may have a better idea, but this is all I can think of.
> > Typically though, you shouldn't have PHP connect to a database over a
> > connection that is insecure/public.
> >
> > Any reason this is a concern?
>
> Well, I thought about this, because I was trying to build something like it.
> A web server, and a database server, separated! So I thought, if Postgres
> accepts hostssl connections (if compiled with ssl support), why doesn't PHP
> use this powerful feature?
> Would it be difficult to build a pg_connectssl function in PHP that would do
> this?
>
> Regards... :-)

On Wed 21 Mar 2001 18:49, you wrote:
> Hmm... I don't know. Very interesting question.
>
> But unless you have some fear of someone sniffing the line between your
> webserver and the database server, it isn't much of a concern I'd assume.

Well, I would say that, if I use ssh and not telnet, I am concerned about sniffers on the net. We had one about 3 years ago.

Regards... ;-)

--
System Administration: It's a dirty job,
but someone told me I had to do it.
-----------------------------------------------------------------
Martín Marqués                  email:  martin@math.unl.edu.ar
Santa Fe - Argentina            http://math.unl.edu.ar/~martin/
Systems administrator at math.unl.edu.ar
-----------------------------------------------------------------

There are a couple of things you can do to establish a secure connection between a remote postgres server and any other server.

One is using SSH tunnels:
http://www.postgresql.org/users-lounge/docs/7.0/admin/security1530.htm

Another is to establish your connection with "requiressl=true" as part of the options strings under libpq -- which, since PHP uses libpq, I believe should work under PHP as pg_Connect("host=server dbname=db user=me password=pass requiressl=true") (and if it doesn't work, it should be able to be added easily).

I haven't actually done either of these, but I also don't see any reason why these wouldn't work :)

Michael Fork - CCNA - MCP - A+
Network Support - Toledo Internet Access - Toledo Ohio

On Wed, 21 Mar 2001, Martin A. Marques wrote:

> On Wed 21 Mar 2001 18:33, Adam Lang wrote:
> > Correct, all it does is connect straight to the database. It doesn't have
> > anything to involve encryption... it doesn't care. So, you'll probably
> > need to secure the path yourself, i.e. IPSEC.
> >
> > Someone else may have a better idea, but this is all I can think of.
> > Typically though, you shouldn't have PHP connect to a database over a
> > connection that is insecure/public.
> >
> > Any reason this is a concern?
>
> Well, I thought about this, because I was trying to build something like it.
> A web server, and a database server, separated! So I thought, if Postgres
> accepts hostssl connections (if compiled with ssl support), why doesn't PHP
> use this powerful feature?
> Would it be difficult to build a pg_connectssl function in PHP that would do
> this?
>
> Regards... :-)

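Michael Fork's suggestion of asking libpq for SSL in the connection string, as an added example that is not part of the thread. It uses `sslmode`, the parameter that later libpq releases provide in place of `requiressl`, and checks `pg_stat_ssl` after connecting so that an unencrypted session is rejected; the host, database, user, CA path and the `DB_PASSWORD` variable are placeholders.

```php
<?php
// Added example, not code from the thread. Host, database, user and CA path
// are placeholders; the password comes from an assumed DB_PASSWORD variable.

/** Quote one value for a libpq conninfo string (escape \ and '). */
function conninfo_quote(string $value): string
{
    return "'" . strtr($value, ["\\" => "\\\\", "'" => "\\'"]) . "'";
}

/** Build "key='value' ..." from an array of connection parameters. */
function build_conninfo(array $params): string
{
    $parts = [];
    foreach ($params as $key => $value) {
        $parts[] = $key . '=' . conninfo_quote((string) $value);
    }
    return implode(' ', $parts);
}

/** Connect, then confirm from the server side that the session uses TLS. */
function connect_tls(array $params)
{
    $conn = @pg_connect(build_conninfo($params));
    if ($conn === false) {
        throw new RuntimeException('connect failed (server down, TLS refused or bad certificate)');
    }
    // pg_stat_ssl (PostgreSQL 9.5+) has one row per backend; "ssl" is 't' or 'f'.
    $res = pg_query($conn,
        'SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid()');
    $row = $res ? pg_fetch_assoc($res) : false;
    if (!$row || $row['ssl'] !== 't') {
        pg_close($conn);
        throw new RuntimeException('session is not encrypted; refusing to use it');
    }
    error_log("postgres TLS ok: {$row['version']} / {$row['cipher']}");
    return $conn;
}

$password = getenv('DB_PASSWORD');
if ($password === false) {
    error_log('DB_PASSWORD is not set');
    exit(1);
}

try {
    $conn = connect_tls([
        'host'        => 'db.example.org',            // placeholder
        'dbname'      => 'appdb',                     // placeholder
        'user'        => 'webapp',                    // placeholder
        'password'    => $password,
        // verify-full: encrypt, validate the server certificate against
        // sslrootcert and match its host name. The libpq default (prefer)
        // silently falls back to cleartext when the server offers no TLS.
        'sslmode'     => 'verify-full',
        'sslrootcert' => '/etc/ssl/certs/db-ca.pem',  // placeholder
    ]);
    $res = pg_query($conn, 'SELECT current_user');
    echo pg_fetch_result($res, 0, 0), "\n";
} catch (RuntimeException $e) {
    error_log($e->getMessage());
    exit(1);
}
```

On the server, a `hostssl` entry in `pg_hba.conf` for the web server's address makes PostgreSQL reject cleartext connections from it, so the protection does not depend on every client setting the option.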
The argument then would probably be, "why is your web app connecting to a database across the public Internet"?

I'd assume that is not the safest, nor smartest, thing to do. There are a lot of problems with that setup.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Martin A. Marques" <martin@math.unl.edu.ar>
To: <pgsql-php@postgresql.org>
Sent: Wednesday, March 21, 2001 4:56 PM
Subject: Re: [PHP] php, postgres, ssl

> Well, I would say that, if I use ssh and not telnet, I am concerned about
> sniffers on the net. We had one about 3 years ago.
>
> Regards... ;-)

I agree, something like that would be one of the better solutions. Have a separate layer worrying about the traffic being encrypted and have php and the database talk as if everything is standard.

But I am mostly concerned why the PHP app would be connecting across the internet directly to the database.

As far as the "requiressl", I have never seen it used with PHP. Maybe it falls under the "options" parameter. Be interesting if someone tried it.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Michael Fork" <mfork@toledolink.com>
To: "Adam Lang" <aalang@rutgersinsurance.com>
Cc: <pgsql-php@postgresql.org>
Sent: Wednesday, March 21, 2001 5:09 PM
Subject: Re: [PHP] php, postgres, ssl

> There are a couple of things you can do to establish a secure connection
> between a remote postgres server and any other server.
>
> One is using SSH tunnels:
> http://www.postgresql.org/users-lounge/docs/7.0/admin/security1530.htm
>
> Another is to establish your connection with "requiressl=true" as part of
> the options strings under libpq -- which, since PHP uses libpq, I believe
> should work under PHP as pg_Connect("host=server dbname=db user=me
> password=pass requiressl=true") (and if it doesn't work, it should be able
> to be added easily).
>
> I haven't actually done either of these, but I also don't see any reason
> why these wouldn't work :)

On Thu 22 Mar 2001 10:45, you wrote:
> The argument then would probably be, "why is your web app connecting to a
> database across the public Internet"?
>
> I'd assume that is not the safest, nor smartest, thing to do. There are a
> lot of problems with that setup.

That is something that we are trying to change, but it is very difficult. Trying to convince the politicians at the university that we need a public and private net with firewalls is a hard thing.
Some people (not my boss) think that if you get cracked, you don't have to worry, because it's worst.
With that kind of thinking, I can't do much.

Regards... :-)

--
System Administration: It's a dirty job,
but someone told me I had to do it.
-----------------------------------------------------------------
Martín Marqués                  email:  martin@math.unl.edu.ar
Santa Fe - Argentina            http://math.unl.edu.ar/~martin/
Systems administrator at math.unl.edu.ar
-----------------------------------------------------------------

Yeah, you guys have serious problems. You are asking to get cracked pretty bad... especially being a university! You guys are prime targets.

If you guys must use public internet lines for data transfer, set up private networks over it using IPSEC. Freeswan is an Open Source IPSEC server. http://www.xs4all.nl/~freeswan/

This way, all traffic is encrypted over the Internet. A LOT safer. Also, then you don't need to worry about ssl for postgres. All traffic going over that tunnel will be safe.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Martin A. Marques" <martin@math.unl.edu.ar>
To: <pgsql-php@postgresql.org>
Sent: Thursday, March 22, 2001 9:53 AM
Subject: Re: [PHP] php, postgres, ssl

> On Thu 22 Mar 2001 10:45, you wrote:
> > The argument then would probably be, "why is your web app connecting to a
> > database across the public Internet"?
> >
> > I'd assume that is not the safest, nor smartest, thing to do. There are a
> > lot of problems with that setup.
>
> That is something that we are trying to change, but it is very difficult. Trying
> to convince the politicians at the university that we need a public and
> private net with firewalls is a hard thing.
> Some people (not my boss) think that if you get cracked, you don't have to
> worry, because it's worst.
> With that kind of thinking, I can't do much.
>
> Regards... :-)

--- Adam Lang <aalang@rutgersinsurance.com> wrote:
> Yeah, you guys have serious problems. You are asking to get
> cracked pretty
> bad... especially being a university! You guys are prime
> targets.

Agreed. Also, firewalls like Netmax are only $99 and very easy to set up. Why would university staff have a problem with using one?

Brent

---
Brent R. Matzelle
Software Engineer
Information Services
Main Line Health Systems
Tel: 610-240-4566
Pager: 610-640-8437
matzelleb@mlhs.org

Hell, they can grab a couple old pentium machines, throw in RAM, and make it a project for some Comp Sci students. Use 2.4 kernel and see who can make the best packet filtering rules for the University. :)

Extra credit or something. :)

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com

----- Original Message -----
From: "Brent R. Matzelle" <bmatzelle@yahoo.com>
To: <pgsql-php@postgresql.org>
Sent: Thursday, March 22, 2001 11:25 AM
Subject: [PHP] Re: php, postgres, ssl

> --- Adam Lang <aalang@rutgersinsurance.com> wrote:
> > Yeah, you guys have serious problems. You are asking to get
> > cracked pretty
> > bad... especially being a university! You guys are prime
> > targets.
>
> Agreed. Also, firewalls like Netmax are only $99 and very easy
> to set up. Why would university staff have a problem with using
> one?
>
> Brent