Thread: php, postgres, ssl

php, postgres, ssl

From
"Martin A. Marques"
Date:
Is it possible to connect from php to a remote postgres server through a
secure connection?
How?

--
System Administration: It's a dirty job,
but someone told me I had to do it.
-----------------------------------------------------------------
Martín Marqués            email:     martin@math.unl.edu.ar
Santa Fe - Argentina        http://math.unl.edu.ar/~martin/
System administrator at math.unl.edu.ar
-----------------------------------------------------------------

Re: php, postgres, ssl

From
"Adam Lang"
Date:
I'd assume that would be totally independent of PHP.  You'd probably have to
setup your webserver to connect to the postgres server over an encrypted
line... like using IPSEC or something.  Then have PHP connect as normal...
the IPSEC layer would encrypt all transmissions.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Martin A. Marques" <martin@math.unl.edu.ar>
To: <pgsql-php@postgresql.org>
Sent: Tuesday, March 20, 2001 4:43 PM
Subject: [PHP] php, postgres, ssl


> Is it possible to connect from php to a remote postgres server through a
> secure connection?
> How?
>
> --
> System Administration: It's a dirty job,
> but someone told me I had to do it.
> -----------------------------------------------------------------
> Martín Marqués email: martin@math.unl.edu.ar
> Santa Fe - Argentina http://math.unl.edu.ar/~martin/
> System administrator at math.unl.edu.ar
> -----------------------------------------------------------------


Re: php, postgres, ssl

From
"Martin A. Marques"
Date:
On Wed 21 Mar 2001 10:46, you wrote:
> I'd assume that would be totally independent of PHP.  You'd probably have
> to setup your webserver to connect to the postgres server over an encrypted
> line... like using IPSEC or something.  Then have PHP connect as normal...
> the IPSEC layer would encrypt all transmissions.

Well, then I'm even more confused.
Let's see if I'm lost, or not.

Browser A connects to Server (Apache with PHP). The page (say index.php) has a
pg_connect("host=hostname dbname=dbname password=dpass"). As far as I can
see, PHP is doing the connection stuff here, and apache has nothing to do with
it.

Any comments?

Regards... ;-)

--
System Administration: It's a dirty job,
but someone told me I had to do it.
-----------------------------------------------------------------
Martín Marqués            email:     martin@math.unl.edu.ar
Santa Fe - Argentina        http://math.unl.edu.ar/~martin/
System administrator at math.unl.edu.ar
-----------------------------------------------------------------

Re: php, postgres, ssl

From
"Adam Lang"
Date:
Correct, all it does is connect straight to the database.  It doesn't have
anything to involve encryption... it doesn't care.  So, you'll probably need
to secure the path yourself, ie IPSEC.

Someone else may have a better idea, but this is all I can think of.
Typically though, you shouldn't have PHP connect to a database over a
connection that is insecure/public.

Any reason this is a concern?

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Martin A. Marques" <martin@math.unl.edu.ar>
To: "Adam Lang" <aalang@rutgersinsurance.com>; <pgsql-php@postgresql.org>
Sent: Wednesday, March 21, 2001 3:41 PM
Subject: Re: [PHP] php, postgres, ssl


> On Wed 21 Mar 2001 10:46, you wrote:
> > I'd assume that would be totally independent of PHP.  You'd probably have
> > to setup your webserver to connect to the postgres server over an encrypted
> > line... like using IPSEC or something.  Then have PHP connect as normal...
> > the IPSEC layer would encrypt all transmissions.
>
> Well, then I'm even more confused.
> Let's see if I'm lost, or not.
>
> Browser A connects to Server (Apache with PHP). The page (say index.php) has a
> pg_connect("host=hostname dbname=dbname password=dpass"). As far as I can
> see, PHP is doing the connection stuff here, and apache has nothing to do with
> it.
>
> Any comments?
>
> Regards... ;-)
>
> --
> System Administration: It's a dirty job,
> but someone told me I had to do it.
> -----------------------------------------------------------------
> Martín Marqués email: martin@math.unl.edu.ar
> Santa Fe - Argentina http://math.unl.edu.ar/~martin/
> System administrator at math.unl.edu.ar
> -----------------------------------------------------------------


Re: php, postgres, ssl

From
"Martin A. Marques"
Date:
On Wed 21 Mar 2001 18:33, Adam Lang wrote:
> Correct, all it does is connect straight to the database.  It doesn't have
> anything to involve encryption... it doesn't care.  So, you'll probably
> need to secure the path yourself, ie IPSEC.
>
> Someone else may have a better idea, but this is all I can think of.
> Typically though, you shouldn't have PHP connect to a database over a
> connection that is insecure/public.
>
> Any reason this is a concern?

Well, I thought about this, because I was trying to build something like it.
A web server, and a database server, separated! So I thought, if Postgres
accepts hostssl connections (if compiled with ssl support), why doesn't PHP
use this powerful feature?
Would it be difficult to build a pg_connectssl function in PHP that would do
this?

Regards... :-)

--
System Administration: It's a dirty job,
but someone told me I had to do it.
-----------------------------------------------------------------
Martín Marqués            email:     martin@math.unl.edu.ar
Santa Fe - Argentina        http://math.unl.edu.ar/~martin/
System administrator at math.unl.edu.ar
-----------------------------------------------------------------

Re: php, postgres, ssl

From
"Adam Lang"
Date:
Hmm... I don't know.  Very interesting question.

But unless you have some fear of someone sniffing the line between your
webserver and the database server, it isn't much of a concern I'd assume.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Martin A. Marques" <martin@math.unl.edu.ar>
To: "Adam Lang" <aalang@rutgersinsurance.com>; <pgsql-php@postgresql.org>
Sent: Wednesday, March 21, 2001 4:38 PM
Subject: Re: [PHP] php, postgres, ssl


> On Wed 21 Mar 2001 18:33, Adam Lang wrote:
> > Correct, all it does is connect straight to the database.  It doesn't have
> > anything to involve encryption... it doesn't care.  So, you'll probably
> > need to secure the path yourself, ie IPSEC.
> >
> > Someone else may have a better idea, but this is all I can think of.
> > Typically though, you shouldn't have PHP connect to a database over a
> > connection that is insecure/public.
> >
> > Any reason this is a concern?
>
> Well, I thought about this, because I was trying to build something like it.
> A web server, and a database server, separated! So I thought, if Postgres
> accepts hostssl connections (if compiled with ssl support), why doesn't PHP
> use this powerful feature?
> Would it be difficult to build a pg_connectssl function in PHP that would do
> this?
>
> Regards... :-)
>
> --
> System Administration: It's a dirty job,
> but someone told me I had to do it.
> -----------------------------------------------------------------
> Martín Marqués email: martin@math.unl.edu.ar
> Santa Fe - Argentina http://math.unl.edu.ar/~martin/
> System administrator at math.unl.edu.ar
> -----------------------------------------------------------------


Re: php, postgres, ssl

From
"Martin A. Marques"
Date:
On Wed 21 Mar 2001 18:49, you wrote:
> Hmm... I don't know.  Very interesting question.
>
> But unless you have some fear of someone sniffing the line between your
> webserver and the database server, it isn't much of a concern I'd assume.

Well, I would say that, if I use ssh and not telnet, I am concerned about
sniffers on the net. We had one about 3 years ago.

Regards... ;-)

--
System Administration: It's a dirty job,
but someone told me I had to do it.
-----------------------------------------------------------------
Martín Marqués            email:     martin@math.unl.edu.ar
Santa Fe - Argentina        http://math.unl.edu.ar/~martin/
System administrator at math.unl.edu.ar
-----------------------------------------------------------------

Re: php, postgres, ssl

From
Michael Fork
Date:
There are a couple of things you can do to establish a secure connection
between a remote postgres server and any other server.

One is using SSH tunnels:
http://www.postgresql.org/users-lounge/docs/7.0/admin/security1530.htm

Another is to establish your connection with "requiressl=true" as part of
the options strings under libpq -- which, since PHP uses libpq, I believe
should work under PHP as pg_Connect("host=server dbname=db user=me
password=pass requiressl=true") (and if it doesn't work, it should be able
to be added easily).

I haven't actually done either of these, but I also don't see any reason
why these wouldn't work :)

Michael Fork - CCNA - MCP - A+
Network Support - Toledo Internet Access - Toledo Ohio

On Wed, 21 Mar 2001, Martin A. Marques wrote:

> On Wed 21 Mar 2001 18:33, Adam Lang wrote:
> > Correct, all it does is connect straight to the database.  It doesn't have
> > anything to involve encryption... it doesn't care.  So, you'll probably
> > need to secure the path yourself, ie IPSEC.
> >
> > Someone else may have a better idea, but this is all I can think of.
> > Typically though, you shouldn't have PHP connect to a database over a
> > connection that is insecure/public.
> >
> > Any reason this is a concern?
>
> Well, I thought about this, because I was trying to build something like it.
> A web server, and a database server, separated! So I thought, if Postgres
> accepts hostssl connections (if compiled with ssl support), why doesn't PHP
> use this powerful feature?
> Would it be difficult to build a pg_connectssl function in PHP that would do
> this?
>
> Regards... :-)
>
> --
> System Administration: It's a dirty job,
> but someone told me I had to do it.
> -----------------------------------------------------------------
> Martín Marqués            email:     martin@math.unl.edu.ar
> Santa Fe - Argentina        http://math.unl.edu.ar/~martin/
> System administrator at math.unl.edu.ar
> -----------------------------------------------------------------
>
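
Added example (not part of the thread, nor PostgreSQL or PHP project code): a small audit of the two settings discussed above, the libpq connection string handed to pg_connect and the server's host/hostssl records. It assumes current libpq, where sslmode replaced requiressl, and the current pg_hba.conf column layout; the function names and sample values are constructed for illustration.

```python
import ipaddress
import re

# libpq sslmode values that refuse to fall back to plaintext, and the subset
# that also checks the server certificate.
ENCRYPTING = {"require", "verify-ca", "verify-full"}
CERT_CHECKING = {"verify-ca", "verify-full"}

# keyword = value, where value is bare or single-quoted with backslash escapes.
_PAIR = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|\S*)")


def parse_conninfo(conninfo):
    """Parse a libpq keyword/value connection string into a dict."""
    params = {}
    for key, raw in _PAIR.findall(conninfo):
        if len(raw) >= 2 and raw[0] == raw[-1] == "'":
            raw = raw[1:-1]
        params[key] = re.sub(r"\\(.)", r"\1", raw)
    return params


def tls_posture(conninfo):
    """Return (encryption_enforced, cert_checked, notes) for a conninfo string."""
    params = parse_conninfo(conninfo)
    notes = []
    mode = params.get("sslmode")
    if "requiressl" in params:
        notes.append("requiressl is deprecated in libpq; set sslmode instead")
        # Conservative assumption: only the documented value "1" counts.
        if mode is None and params["requiressl"] == "1":
            mode = "require"
    if mode is None:
        mode = "prefer"  # libpq default: try TLS, fall back to plaintext
    encrypted = mode in ENCRYPTING
    checked = mode in CERT_CHECKING
    if not encrypted:
        notes.append(f"effective sslmode={mode} allows an unencrypted session")
    elif not checked:
        notes.append(f"sslmode={mode} encrypts without checking the server certificate")
    return encrypted, checked, notes


def plaintext_hba_rules(hba_text):
    """List pg_hba.conf records that admit non-loopback clients without TLS."""
    exposed = []
    for line in hba_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # "host" matches TLS and plaintext alike; "hostnossl" is plaintext only.
        if len(fields) < 5 or fields[0] not in ("host", "hostnossl"):
            continue
        try:
            loopback = ipaddress.ip_network(fields[3], strict=False).is_loopback
        except ValueError:
            loopback = False  # host name, "all", "samenet": treat as remote
        if not loopback:
            exposed.append(" ".join(fields))
    return exposed


# Constructed sample pg_hba.conf (documentation addresses, not from the thread).
SAMPLE_HBA = """\
# TYPE   DATABASE  USER  ADDRESS          METHOD
local    all       all                    peer
host     all       all   127.0.0.1/32     scram-sha-256
host     webapp    web   203.0.113.10/32  md5
hostssl  webapp    web   203.0.113.10/32  scram-sha-256
"""

if __name__ == "__main__":
    print(tls_posture("host=server dbname=db user=me password=pass requiressl=true"))
    print(tls_posture("host=server dbname=db user=me sslmode=verify-full"))
    print(plaintext_hba_rules(SAMPLE_HBA))
```

A connection string only enforces the client side; the `host` record flagged in the sample would still accept a plaintext session from any other client at that address.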







Re: php, postgres, ssl

From
"Adam Lang"
Date:
The argument then would probably be, "why is your web app connecting to a
database across the public Internet"?

I'd assume that is not the safest, nor smartest, thing to do.  There are a
lot of problems with that setup.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Martin A. Marques" <martin@math.unl.edu.ar>
To: <pgsql-php@postgresql.org>
Sent: Wednesday, March 21, 2001 4:56 PM
Subject: Re: [PHP] php, postgres, ssl


> Well, I would say that, if I use ssh and not telnet, I am concerned about
> sniffers on the net. We had one about 3 years ago.
>
> Regards... ;-)


Re: php, postgres, ssl

From
"Adam Lang"
Date:
I agree, something like that would be one of the better solutions.  Have a
separate layer worrying about the traffic being encrypted and have php and
the database talk as if everything is standard.

But I am mostly concerned why the PHP app would be connecting across the
internet directly to the database.

As far as the "requiressl", I have never seen it used with PHP.  Maybe it
falls under the "options" parameter.  Be interesting if someone tried it.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Michael Fork" <mfork@toledolink.com>
To: "Adam Lang" <aalang@rutgersinsurance.com>
Cc: <pgsql-php@postgresql.org>
Sent: Wednesday, March 21, 2001 5:09 PM
Subject: Re: [PHP] php, postgres, ssl


> There are a couple of things you can do to establish a secure connection
> between a remote postgres server and any other server.
>
> One is using SSH tunnels:
> http://www.postgresql.org/users-lounge/docs/7.0/admin/security1530.htm
>
> Another is to establish your connection with "requiressl=true" as part of
> the options strings under libpq -- which, since PHP uses libpq, I believe
> should work under PHP as pg_Connect("host=server dbname=db user=me
> password=pass requiressl=true") (and if it doesn't work, it should be able
> to be added easily).
>
> I haven't actually done either of these, but I also don't see any reason
> why these wouldn't work :)







Re: php, postgres, ssl

From
"Martin A. Marques"
Date:
On Thu 22 Mar 2001 10:45, you wrote:
> The argument then would probably be, "why is your web app connecting to a
> database across the public Internet"?
>
> I'd assume that is not the safest, nor smartest, thing to do.  There are a
> lot of problems with that setup.

That is something that we are trying to change, but it is very difficult. Try
to convince the politicians on the university that we need a public and
private net with firewalls is a hard thing.
Some people (not my boss) think that if you get cracked, you don't have to
worry, because it's worst.
With that kind of thinking, I can't do much.

Regards... :-)

--
System Administration: It's a dirty job,
but someone told me I had to do it.
-----------------------------------------------------------------
Martín Marqués            email:     martin@math.unl.edu.ar
Santa Fe - Argentina        http://math.unl.edu.ar/~martin/
System administrator at math.unl.edu.ar
-----------------------------------------------------------------

Re: php, postgres, ssl

From
"Adam Lang"
Date:
Yeah, you guys have serious problems.  You are asking to get cracked pretty
bad... especially being a university! You guys are prime targets.

If you guys must use public internet lines for data transfer.  Setup private
networks over it using IPSEC.  Freeswan is an Open Source IPSEC server.
http://www.xs4all.nl/~freeswan/
This way, all traffic is encrypted over the Internet.  A LOT safer.  Also,
then you don't need to worry about ssl for postgres.  All traffic going over
that tunnel will be safe.

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Martin A. Marques" <martin@math.unl.edu.ar>
To: <pgsql-php@postgresql.org>
Sent: Thursday, March 22, 2001 9:53 AM
Subject: Re: [PHP] php, postgres, ssl


> On Thu 22 Mar 2001 10:45, you wrote:
> > The argument then would probably be, "why is your web app connecting to a
> > database across the public Internet"?
> >
> > I'd assume that is not the safest, nor smartest, thing to do.  There are a
> > lot of problems with that setup.
>
> That is something that we are trying to change, but it is very difficult. Try
> to convince the politicians on the university that we need a public and
> private net with firewalls is a hard thing.
> Some people (not my boss) think that if you get cracked, you don't have to
> worry, because it's worst.
> With that kind of thinking, I can't do much.
>
> Regards... :-)
>
> --
> System Administration: It's a dirty job,
> but someone told me I had to do it.
> -----------------------------------------------------------------
> Martín Marqués email: martin@math.unl.edu.ar
> Santa Fe - Argentina http://math.unl.edu.ar/~martin/
> System administrator at math.unl.edu.ar
> -----------------------------------------------------------------


Re: php, postgres, ssl

From
"Brent R. Matzelle"
Date:
--- Adam Lang <aalang@rutgersinsurance.com> wrote:
> Yeah, you guys have serious problems.  You are asking to get
> cracked pretty
> bad... especially being a university! You guys are prime
> targets.

Agreed.  Also, firewalls like Netmax are only $99 and very easy
to setup.  Why would university staff have a problem with using
one?

Brent

---
Brent R. Matzelle
Software Engineer
Information Services
Main Line Health Systems
Tel: 610-240-4566
Pager: 610-640-8437
matzelleb@mlhs.org


Re: Re: php, postgres, ssl

From
"Adam Lang"
Date:
Hell, they can grab a couple old pentium machines, throw in RAM, and make it
a project for some Comp Sci students.  Use 2.4 kernel and see who can make
the best packet filtering rules for the University. :)  Extra credit or
something. :)

Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Brent R. Matzelle" <bmatzelle@yahoo.com>
To: <pgsql-php@postgresql.org>
Sent: Thursday, March 22, 2001 11:25 AM
Subject: [PHP] Re: php, postgres, ssl


> --- Adam Lang <aalang@rutgersinsurance.com> wrote:
> > Yeah, you guys have serious problems.  You are asking to get
> > cracked pretty
> > bad... especially being a university! You guys are prime
> > targets.
>
> Agreed.  Also, firewalls like Netmax are only $99 and very easy
> to setup.  Why would university staff have a problem with using
> one?
>
> Brent
>
> ---
> Brent R. Matzelle
> Software Engineer
> Information Services
> Main Line Health Systems
> Tel: 610-240-4566
> Pager: 610-640-8437
> matzelleb@mlhs.org
>
> __________________________________________________
> Do You Yahoo!?
> Get email at your own domain with Yahoo! Mail.
> http://personal.mail.yahoo.com/
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html

