Question How to Secure External Database with SSL?

Airborne3d

New Pleskian
Server operating system version: Debian 11
Plesk version and microupdate number: 18.0.69
Hi guys,

I need help to figure out how this is supposed to be done. I have added an external MariaDB to my Plesk server. Everything works great so far.

Now I want to make it secure with SSL, and that is all done on the external database server. But when I add "tls.enable = true;" in panel.ini, Plesk stops working because SSL isn't enabled on the local database server.

Should I go a different route, or should I install SSL on the local database also?
I have read somewhere that it's not recommended with SSL on the local database since it uses a socket for the connection.

Someone here must have done this too...
A little advice, please. Thanks.
 
@Airborne3d

First of all, local Plesk databases are run over socket, so TLS / SSL is not necessary at all - do not attempt to install it, since that can or will cause havoc.

Secondly, if you want the external MariaDB server to function as a remote dbase for the (local) Plesk, then it is safe to say: do not attempt!

In essence, the only - proper - way to use external MySQL / MariaDB servers as a dbase backbone for one or more Plesk instances is to set up a HA cluster.

If you are attempting to use an external database server for another purpose, then you add secured (TLS) connections to increase security.

In summary, the TLS / SSL ability or functionality only has value if you use the external database server for purposes not related to Plesk itself.

As a final remark, even if you have an external server with a database server, then you are probably best off assigning various "tasks" (of various nature) to that external server, since using a single server to host a database server is a highly inefficient use of server resources - in the light of the before, a simple Plesk instance could be installed and domains can be hosted (and migrated with ease), with a local (socket) connection to a local database (more secure option).

Only in the case of large hosting deployments, HA (database) clusters are the way to go - otherwise, there is virtually no function for remote databases.

To be honest, I have tested this over and over again, but there is no performance gain or cost gain to be achieved with remote databases, unless one has a very specific application that requires its own database (and that application is not Plesk).

I hope the above helps a bit.

Kind regards....
 
@trialotto

Thank you for the detailed explanations - I've read about this topic and understand there are pros and cons to external database configurations.

My goal is to test this setup myself before making a final decision on whether it's beneficial for my use case. These are test servers, so I'm comfortable experimenting.

To clarify my requirements:
I do NOT want to change the local database configuration or alter Plesk's default settings significantly
I do NOT want to host the PSA database on an external server
I DO want to add an external MariaDB server managed through Plesk for hosting web applications
Since traffic goes outside the server (even on internal networks), I want to secure it with TLS/SSL

The problem I'm facing:
With tls.enable = false: I cannot establish SSL connections to the external database
With tls.enable = true: Plesk's PSA database (local) fails because it doesn't have SSL configured

What puzzles me:
Plesk clearly supports external database functionality - it's built into the Database Servers section. People should logically want SSL when database traffic leaves the server, even on internal networks. Yet this basic security requirement seems incompatible with Plesk's local database operations.


Several users appear to have encountered this same issue, so someone must have found a working solution.
Has anyone successfully configured:
Local PSA database (without SSL)
External database server (with SSL/TLS)
Both managed simultaneously through Plesk?

Any insights would be greatly appreciated.

Best Regards
 
Plesk clearly supports external database functionality - it's built into the Database Servers section. People should logically want SSL when database traffic leaves the server, even on internal networks. Yet this basic security requirement seems incompatible with Plesk's local database operations.
Unfortunately secured remote database connections aren't supported if a local database is used for running Plesk. The only scenario in which server secured remote database connections are currently supported is when you run your Plesk installation using a remote database.

The thread @Sebahat.hadzhi linked to in her previous post discusses the same issue.
Hello, @Airborne3d. Please check this thread. It is still pretty accurate.
 
@Airborne3d

This statement

What puzzles me:
Plesk clearly supports external database functionality - it's built into the Database Servers section. People should logically want SSL when database traffic leaves the server, even on internal networks. Yet this basic security requirement seems incompatible with Plesk's local database operations.

would also puzzle me, if @Kaspar is right.

I have created a "ticket" many many many years ago to request the functionality of SSL secured MySQL connections.

Apparently, this ticket did not result in the functionality that is - apparently - desired by many.

From my own experience, I must admit that it is safe to say that one will not really use this functionality, for many reasons.

Nevertheless, it is a functionality that should be present ..... and, if I can recall it correctly, it can be "created" with a lot of effort and little efficiency.


By the way, I often emphasize that design infrastructure is important and that one has to start with the basics - think about what is desired, what is possible, what is efficient and, more importantly, what are the alternatives: this is a repetitive process of many many steps.

In most cases (and not only with Plesk), one will return - after many iterations of the process - to the basics.

In the light of the above, your statement

I do NOT want to host the PSA database on an external server
I DO want to add an external MariaDB server managed through Plesk for hosting web applications

reveals, at least in my humble opinion, a potential flaw in the design infrastructure that you intend to realize.

You do not want to host the PSA database server externally, but you want to manage hosting web applications via an external database server.

Well, the PSA database server is intended to facilitate web applications efficiently and it would be terribly inefficient to use an external database server.

There is a paradox here, your intended design infrastructure does not seem to be right.


I can only recommend that you use the local database server ......... and that you only deviate from that recommendation when the database is causing considerable overusage of server resources (often memory used by the database server).

In case of aforementioned overusage, then it is always a good idea to launch a second server and move that one domain / subscription that causes overusage to the second server : you only need a simple (cheap and often free) Plesk license in order to do so and enjoy the benefits of Plesk.

This - simple - recommendation is the result of returning to the basics : if you do not need the additional server, then do not use it ...... and if you do need it, then use the additional server to its full potential (as opposed to only using it as a database server).

Stated differently, IF AND ONLY IF you need the second server, then use the safe local connection to the local database server and also use the remaining server resources to serve the (demanding) web applications from the second server.

In addition, if you want to use the first server to serve requests (and, honestly, I do not see a reason why you should want that), then you can simply configure Nginx as a proxy (on the first server) to forward all requests to the second server - this still is not a good design infrastructure, but is much better and a major major improvement in comparison to the design infrastructure that you originally intended to implement (with great difficulty).


I hope the above helps or, at least, gives some food for thought!


Kind regards....
 
Plesk connects to the local database via a socket, so enabling SSL there isn't necessary and can cause issues like you're seeing. If your goal is just to secure the external MariaDB connection, you don't need to enable SSL globally in panel.ini.
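
Added example, not part of the original thread and not Plesk's own code: for web applications that connect to the external MariaDB server directly, with TLS handled on that server as described above, this Python script audits which accounts can connect from other hosts without a TLS requirement and builds the `ALTER USER ... REQUIRE SSL` statements for them. The account names, hosts and sample rows are constructed; the input is assumed to be the tab-separated output of `mysql -N -B -e "SELECT User, Host, ssl_type FROM mysql.user"` run on the external server.

```python
# Added example: audit MariaDB accounts for a missing TLS requirement.
# Assumed input: tab-separated output of
#   mysql -N -B -e "SELECT User, Host, ssl_type FROM mysql.user"
# run on the external MariaDB server. The rows below are constructed.
SAMPLE = (
    "root\tlocalhost\t\n"
    "mariadb.sys\tlocalhost\t\n"
    "wp_shop\t10.0.0.5\tANY\n"
    "wp_blog\t10.0.0.%\t\n"
    "report\t%\tX509\n"
    "legacy\t%\t\n"
)

# Host values that only match connections from the database server itself.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_remote(host):
    """True when the Host pattern can match a client on another machine."""
    return host.strip().lower() not in LOCAL_HOSTS


def audit(tsv):
    """Return (user, host) pairs that may connect remotely without TLS."""
    findings = []
    for line in tsv.splitlines():
        fields = line.split("\t")
        if len(fields) < 3:
            continue  # skip blank or malformed rows
        user, host, ssl_type = fields[0], fields[1], fields[2].strip()
        # ssl_type is '' when the account has no REQUIRE clause at all;
        # ANY, X509 and SPECIFIED all force an encrypted session.
        if is_remote(host) and ssl_type == "":
            findings.append((user, host))
    return findings


def remediation(findings):
    """Build one ALTER USER statement per finding, quoting names safely."""
    def quote(s):
        return "'" + s.replace("\\", "\\\\").replace("'", "''") + "'"
    return [f"ALTER USER {quote(u)}@{quote(h)} REQUIRE SSL;" for u, h in findings]


if __name__ == "__main__":
    for stmt in remediation(audit(SAMPLE)):
        print(stmt)
```

After the statements are applied, a client session can confirm encryption with `SHOW SESSION STATUS LIKE 'Ssl_cipher'`, which returns a non-empty cipher name on a TLS connection.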
 