将Compute Engine上的PHP代码安全地连接到Cloud SQL [英] Connecting PHP code on Compute Engine to Cloud SQL securely

问题描述

我正在尝试将在计算实例上运行的drupal cms连接到Cloud SQL数据库，但是我尝试的每种组合都失败了.我可以从另一台服务器连接到Cloud SQl，但是我不确定MySQL连接从我的实例到Cloud SQL的路径如何，但还想配置与数据库服务器之间的尽可能安全的连接

I'm trying to connect drupal cms running on a Compute Instance to Cloud SQL database but every combination I try fails. I can connect to Cloud SQl from another server but I'm not sure what path the MySQL connection takes from my instance to Cloud SQL but also want to configure as secure as possible connection to and from the db server

这是我的配置

服务器

• 已分配外部IP地址的Cloud SQL.同时授权 计算实例的外部IP地址&独立服务器的IP 要连接的地址.
• 具有运行apache&的外部IP地址的计算实例php在互联网上成功
• 尝试按照 https://drupal.org的步骤4从Web浏览器配置数据库连接. /documentation/install/run-script 获取在计算实例上运行的drupal代码
• 具有可访问Internet的IP地址的独立服务器

• Cloud SQL with external IP address assigned. Also authorized external IP address of compute instance & Independent Server's IP address to connect.
• Compute Instance with external IP address running apache & php successfully on the internet
• Trying to configure database connection from web browser as per step 4 of https://drupal.org/documentation/install/run-script for drupal code running on compute instance
• Independent Server with internet accessible IP address

用户

• SQL根用户密码已设置并成功用于连接 使用工作台的独立服务器
• 来自主机％2！的Db用户已创建，可以访问drupal数据库，并且可以使用工作台成功从Independent Server连接
• 同一数据库用户将无法从计算实例进行连接

• SQL Root user password set and successfully used to connect from Independent Server using Workbench
• Db User from host % created to access drupal database and can successfully connect from Independent Server using workbench
• Same DB user wont connect from compute instance

网络

• 在计算实例上运行ifconfig仅显示私有IP地址
• 我已经在Google防火墙和实例防火墙上打开3306

我的问题是，如何通过提供dbname，dbusername，dbuserpwd，host(IPAddress)来使计算实例连接到云SQL，以便它完全像工作台一样进行连接，但仍具有尽可能的限制? 问题出在计算实例的配置，使用的连接设置还是cloud sql

My question is how do I get the compute instance to connect to cloud SQL by supplying the dbname, dbusername, dbuserpwd,host(IPAddress) so that it connects exactly like workbench but still have as restricted as possible? Does the issue lie with the configuration of the compute instance, the connection settings used supplied or cloud sql

推荐答案

它看起来像是drupal问题(安装程序丢弃或忽略了主机值)和SELinux保护实施问题(该问题限制了远程数据库连接) CentOS是我使用的来宾操作系统

It looks to be a combination of a drupal issue where the host value is discarded or omitted by the installer and an SELinux protection enforcement issue that restricts remote db connections from CentOS which is the guest OS I was using

在将文件添加到Web根文件夹后，可能还需要使用正确的SELinux标签重新标记文件

There is also may be a need to relabel files with their correct SELinux label after adding them to the web root folder

要解决此问题，请执行以下操作: 自己编辑drupal 7 settings.php以包括mysql连接

To resolve it: Edit the drupal 7 settings.php yourself to include a mysql connection

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'dbname',
      'username' => 'dbuser',
      'password' => 'dbpassword',
      'host' => 'CloudSQLIPAddress',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

在运行CentOS的GCE实例中的ssh中，运行以下命令以允许数据库连接断开，我认为此设置不会在服务器重启后继续存在，但我可以满足我的需要

and from ssh inside the GCE instance running CentOS run the command below to allow db connections out, I don't think this setting will survive a server reboot but I can live with it for my needs

 setsebool httpd_can_network_connect_db=1

要重新将SELinux上下文应用于复制的文件，请运行

To reapply SElinux context to copied files run this

restorecon -rv /var/www/html 

这篇关于将Compute Engine上的PHP代码安全地连接到Cloud SQL的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！