Thread: How to select the source ip address for a connection to the database server

How to select the source ip address for a connection to the database server

From
dimitris.sakellarios@telesuite.gr
Date:

Hi,

I am currently working with PHP5+PGSQL 8.2.13 and I have the following problem to solve and I need your help.

The server hosting the PHP+psql client has 1 physical network interface with multiple subinterfaces using different IPs.

One of those IPs is dedicated to my domain, but it is not the server's default IP address since I share the server.

So the problem that I need to solve is how I am going to be able to use-select my domain's IP address as source to connect to the remote databases.

Is there any configuration to settle the default source IP the client will use?

At the moment all my attempts to connect to the database make use of the server's default interface IP as source.

Thanks in advance for your help.

Re: How to select the source ip address for a connection to the database server

From
Andrew McMillan
Date:
On Wed, 2009-09-02 at 20:23 +0300, dimitris.sakellarios@telesuite.gr
wrote:
> Hi,
>
> I am currently working with PHP5+PGSQL 8.2.13 and i have the following
> problem to solve and i need your help.
>
> The server hosting PHP+psql client has 1 physical network interfaces
> with multiple subinterfaces using different IPs.
>
> One of those IP is dedicated to my domain, but it is not servers
> default IP address since i share the server.
>
> So the problem that i need to solve is how am i going to be able to
> use-select my domains IP address as source to connect to the remote
> databases.
>
> Is there any configuration to settle default source IP the client will
> use?
>
> At the moment all my attempts to connect to the database make use of
> servers default interface IP as source.

Nope, unless you're root you're unlikely to be able to choose the source
address for your connection, and even then it would be tricky.

You probably need to either live with the fact that the people you share
your hosting with might also be able to connect to your database, so if
you are paranoid you might want to make sure it is an SSL connection,
and protect it with a reasonable password.

Or you could shell out some more money for a non-shared server, and then
perhaps you might not need to have the database remote in the first
place.

Cheers,
                    Andrew McMillan.

------------------------------------------------------------------------
http://andrew.mcmillan.net.nz/                     Porirua, New Zealand
Twitter: _karora                                  Phone: +64(272)DEBIAN
                        Beware of Bigfoot!
------------------------------------------------------------------------


Re: How to select the source ip address for a connection to the database server

From
Greg Stark
Date:
On Thu, Sep 3, 2009 at 12:31 PM, Andrew McMillan<andrew@morphoss.com> wrote:
> Nope, unless you're root you're unlikely to be able to choose the source
> address for your connection, and even then it would be tricky.

I don't think you need to be root to select a source address. But
that's not helpful since libpq doesn't support binding to a particular
interface. That would be a useful feature and we should probably add
it to the TODO.

You should note that the source address isn't actually a very secure
way to protect your connections since any other host on that network
could spoof your address.

It sounds like what you're looking for is to control the interface the
packets are routed through. This is separate from the source address
as packets are often routed through multiple hosts along their way.
Routing rules are not something individual applications normally get
involved in. If the connections are being routed through the wrong
interface then you have a global problem, not just with the database
and it requires system-wide configuration changes.

--
greg
http://mit.edu/~gsstark/resume.pdf

Re: How to select the source ip address for a connection to the database server

From
"Dimitris Sakellarios"
Date:
Greg and Andrew, thanks for your concern on the issue.

Indeed selecting the source interface - ip would be a great option since for
me (but many other) trying to connect to a secure postgresql server over
internet is must accompanied with username + password + ssl but it is one
more L3 criteria.

And also I feel sure that my application will run whatever the server admin
changes.

Pls let me know if any modification in libpq code could help to bind address
or interface alias temporary.

DS

Re: How to select the source ip address for a connection to the database server

From
Bob McConnell
Date:
dimitris.sakellarios@telesuite.gr wrote:
>
>   I am currently working with PHP5+PGSQL 8.2.13 and i have the following
> problem to solve and i need your help.
>
>   The server hosting PHP+psql client has 1 physical network interfaces
> with multiple subinterfaces using different IPs.
>
>   One of those IP is dedicated to my domain, but it is not servers
> default IP address since i share the server.
>
>   So the problem that i need to solve is how am i going to be able to
> use-select my domains IP address as source to connect to the remote
> databases.
>
>   Is there any configuration to settle default source IP the client will
> use?
>
>   At the moment all my attempts to connect to the database make use
> of servers default interface IP as source.
>
>   Thanks in advance for your help.

That is the way sockets normally work, the primary address is always
used for outgoing connections. It can not be changed without some low
level programming. It is necessary to bind the socket to the specific IP
address before opening the connection. I have done it with Perl, but not
PHP.

Bob McConnell
N2SPP

Re: How to select the source ip address for a connection to the database server

From
"Dimitris Sakellarios"
Date:
Bob, hi. I would be very interested if you could give me some small hint of how you
did that in Perl so I can start from someplace in PHP.

BR.

Re: How to select the source ip address for a connection to the database server

From
Bob McConnell
Date:
Dimitris Sakellarios wrote:
> Bob hi I would be very interested in giving me some small hint of how you
> did that in PERL so I can start from someplace in PHP.
>
> BR.

Well, stripping it down to the basics, here is what I used:

-------------8<------------------------------
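# Defaults for the remote end: port 23 on localhost unless already set.
$port = 23 unless $port;
$them = 'localhost' unless $them;
# Local name or IP to bind to; 10.3.1.70 is the test address from this post.
$hostname = '10.3.1.70' unless $hostname;
# Hard-coded constants (values as on Linux) instead of "use Socket".
$AF_INET = 2;
$SOCK_STREAM = 1;

# pack template for sockaddr_in: family, port (network order), address, padding
$sockaddr = 'S n a4 x8';

($name,$aliases,$proto) = getprotobyname('tcp');
# Resolve a service name to a port number unless $port is already numeric.
($name,$aliases,$port) = getservbyname($port,'tcp')
     unless $port =~ /^\d+$/;
# $thisaddr: local (source) address; $thataddr: remote address.
($name,$aliases,$type,$len,$thisaddr) =
    gethostbyname($hostname);
($name,$aliases,$type,$len,$thataddr) = gethostbyname($them);

# Local port 0 lets the kernel pick an ephemeral source port.
$this = pack($sockaddr, $AF_INET, 0, $thisaddr);
$that = pack($sockaddr, $AF_INET, $port, $thataddr);

if (socket(S, $AF_INET, $SOCK_STREAM, $proto)) {
     print "socket ok\n";
}
else {
     die $!;
}

# Bind to the chosen local address before connecting.
if (bind(S, $this)) {
     print "bind ok\n";
}
else {
     die $!;
}

if (connect(S,$that)) {
     print "connect ok\n";
}
else {
     die $!;
}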
-------------8<------------------------------

The key is the variable $thisaddr. Put your server's DNS name or IP
address as the parameter for the 'gethostbyname($hostname)' call that
initializes it. That binds the outgoing connection to your IP. In my
test platform I use "gethostbyname('10.3.1.70')", which binds it
directly to one of the three network cards in that computer. The rest is
pretty normal for a socket definition.

But as I said, this is pretty low level. It doesn't use any of the
socket libraries or classes most people favor for Perl coding these
days. If you need more ideas, I located this code again today doing a
Google search on "Perl socket bind connect".

Good luck,

Bob McConnell
N2SPP

Re: How to select the source ip address for a connection to the database server

From
Jasen Betts
Date:
On 2009-09-02, dimitris.sakellarios@telesuite.gr <dimitris.sakellarios@telesuite.gr> wrote:
>
>    Hi,
>
>    I am currently working with PHP5+PGSQL 8.2.13 and i have the
> following problem to solve and i need your help.
>
>    The server hosting PHP+psql client has 1 physical network
> interfaces with multiple subinterfaces using different IPs.
>
>    One of those IP is dedicated to my domain, but it is not servers
> default IP address since i share the server.
>
>    So the problem that i need to solve is how am i going to be able to
> use-select my domains IP address as source to connect to the remote
> databases.
>
>    Is there any configuration to settle default source IP the client will use?
>
>    At the moment all my attempts to connect to the database make use
> of servers default interface IP as source.
>
>    Thanks in advance for your help.

easiest way is probably by setting a routing rule, you need
root/administrator to do this.


Re: How to select the source ip address for a connection to the database server

From
Jasen Betts
Date:
On 2009-09-06, Dimitris Sakellarios <dimitris.sakellarios@telesuite.gr> wrote:
>
> That is the way sockets normally work, the primary address is always
> used for outgoing connections. It can not be changed without some low
> level programming. It is necessary to bind the socket to the specific IP
> address before opening the connection. I have done it with Perl, but not
> PHP.
>
> Bob McConnell
> N2SPP
>

basically what you need to do is take the libpq source, extend the
connection-string facility to include
bind-to-port and bind-to-address parameters which bind the outgoing
connection to the named resources, and then recompile it and get it
installed on your server

no changes are likely to be needed to PHP