
Question How to Secure External Database with SSL?

Airborne3d

New Pleskian
Server operating system version
Debian 11
Plesk version and microupdate number
18.0.69
Hi guys,

I need help to figure out how this is supposed to be done. I have added an external MariaDB to my Plesk server. Everything works great so far.

Now I want to make it secure with SSL, and that is all done on the external database server. But when I add "tls.enable = true;" in panel.ini, Plesk stops working because SSL isn't enabled on the local database server.

Should I go a different route, or should I install SSL on the local database also?
I have read somewhere that it's not recommended with SSL on the local database since it uses a socket for connection.

Someone here must have done this too...
Please, a little advice. Thanks.
 

@Airborne3d

First of all, local Plesk databases are run over socket, so TLS / SSL is not necessary at all - do not attempt to install it, since that can or will cause havoc.

Secondly, if you want the external MariaDB server to function as a remote dbase for the (local) Plesk, then it is safe to say: do not attempt!

In essence, the only - proper - way to use external MySQL / MariaDB servers as a dbase backbone for one or more Plesk instances is to set up a HA cluster.

If you are attempting to use an external database server for another purpose, then you add secured (TLS) connections to increase security.

In summary, the TLS / SSL ability or functionality only has value if you use the external database server for purposes not related to Plesk itself.

As a final remark, even if you have an external server with a database server, then you are probably best off assigning various "tasks" (of various nature) to that external server, since using a single server to host a database server is a highly inefficient use of server resources - in the light of the before, a simple Plesk instance could be installed and domains can be hosted (and migrated with ease), with a local (socket) connection to a local database (more secure option).

Only in the case of large hosting deployments, HA (database) clusters are the way to go - otherwise, there is virtually no function for remote databases.

To be honest, I have tested this over and over again, but there is no performance gain or cost gain to be achieved with remote databases, unless one has a very specific application that requires its own database (and that application is not Plesk).

I hope the above helps a bit.

Kind regards....
 
@trialotto

Thank you for the detailed explanations - I've read about this topic and understand there are pros and cons to external database configurations.

My goal is to test this setup myself before making a final decision on whether it's beneficial for my use case. These are test servers, so I'm comfortable experimenting.

To clarify my requirements:
I do NOT want to change the local database configuration or alter Plesk's default settings significantly
I do NOT want to host the PSA database on an external server
I DO want to add an external MariaDB server managed through Plesk for hosting web applications
Since traffic goes outside the server (even on internal networks), I want to secure it with TLS/SSL

The problem I'm facing:
With tls.enable = false: I cannot establish SSL connections to the external database
With tls.enable = true: Plesk's PSA database (local) fails because it doesn't have SSL configured

What puzzles me:
Plesk clearly supports external database functionality - it's built into the Database Servers section. People should logically want SSL when database traffic leaves the server, even on internal networks. Yet this basic security requirement seems incompatible with Plesk's local database operations.


Several users appear to have encountered this same issue, so someone must have found a working solution.
Has anyone successfully configured:
Local PSA database (without SSL)
External database server (with SSL/TLS)
Both managed simultaneously through Plesk?

Any insights would be greatly appreciated.

Best Regards
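
Added example, not part of the thread and not Plesk code: a Python check of whether a MySQL/MariaDB server offers TLS at all, read from the CLIENT_SSL capability bit in the greeting it sends before authentication, which is the difference between the local and the external server described above. The sample packets and version strings are constructed, and `parse_greeting`, `fetch_greeting` and `_sample` are names chosen here.

```python
import socket
import struct

CLIENT_SSL = 0x0800  # capability bit a MySQL/MariaDB server sets when TLS is available

def parse_greeting(packet: bytes) -> dict:
    """Parse a HandshakeV10 greeting (4-byte packet header + payload)."""
    if len(packet) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length or length < 2:
        raise ValueError("truncated payload")
    if payload[0] == 0xFF:  # e.g. the client host is not allowed to connect
        raise ValueError("server sent an error packet instead of a greeting")
    if payload[0] != 10:
        raise ValueError(f"unsupported protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)       # server version is NUL-terminated
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1 + 4 + 8 + 1             # skip connection id, auth data part 1, filler
    if len(payload) < pos + 2:
        raise ValueError("greeting too short for capability flags")
    (caps_low,) = struct.unpack_from("<H", payload, pos)
    return {"version": version, "tls_offered": bool(caps_low & CLIENT_SSL)}

def fetch_greeting(host: str, port: int = 3306, timeout: float = 5.0) -> bytes:
    """Read the greeting a server sends on connect; no credentials are sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        header = f.read(4)
        return header + f.read(int.from_bytes(header[:3], "little"))

def _sample(version: bytes, caps_low: int) -> bytes:
    """Build a constructed greeting for offline use (not captured traffic)."""
    payload = (b"\x0a" + version + b"\x00" + struct.pack("<I", 7) + b"A" * 8
               + b"\x00" + struct.pack("<H", caps_low) + b"\x2d"
               + struct.pack("<H", 2) + struct.pack("<H", 0x81FF) + b"\x15"
               + b"\x00" * 10 + b"B" * 12 + b"\x00" + b"mysql_native_password\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

# Constructed greetings: one server with TLS configured, one without.
SAMPLE_TLS = _sample(b"10.5.0-constructed", 0xFFFF)
SAMPLE_PLAIN = _sample(b"10.5.0-constructed", 0xF7FF)

if __name__ == "__main__":
    for name, pkt in (("tls", SAMPLE_TLS), ("plain", SAMPLE_PLAIN)):
        print(name, parse_greeting(pkt))
```

A server that offers TLS does not guarantee that a given session uses it; that still depends on the client configuration and on account requirements such as `REQUIRE SSL`.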
 