What we have:

  • 1 MySQL server in server rack
  • A dynamic number of clients (50-150 computers; some are turned on, some are turned off) which need to work with this database. The clients are geographically distributed but have a stable Internet connection. Some clients run in a one-request-every-5-10-seconds mode, others generate 20-30 requests per second around the clock.

The question itself: how should the clients' connections to the database be organized?

Already considered, but there were questions:

  • An API layer in between (not suitable: too much rework of the client architecture, plus an additional server in the rack)
  • Expose MySQL directly to the Internet (the whole Internet is full of claims that this is unsafe, but nobody says exactly why, apart from brute force)
  • SSH tunnel (no personal experience testing it for stability and autossh reconnects)
  • VPN (no personal experience testing it for stability)
  • maybe there is something else ...
  • But is it possible to give the clients more stable IPs? Then it could be put outside but locked down with a firewall. - Mike
  • Nope, dynamic IPs, and possibly the client machines get reshuffled - CyberPulse

1 answer

I think the only correct option is to organize a tunnel between the clients and the database over an isolated VPN channel. If you choose stable software and configure it correctly, everything will work stably.
API: a cannon against sparrows (overkill)
Exposing MySQL is not safe at all
SSH: a crutch

Although, if the clients' exact IPs are known, you can expose MySQL externally but allow access only from the necessary addresses.

  • The clients will be behind NATs with dynamic IPs. And what is the stable VPN software? What exactly is insecure about exposing MySQL? And why is SSH a crutch? My project works like this, very stably, but there are only 4 clients and the number of requests to the database is lower ... - CyberPulse
  • @CyberPulse Hackers constantly scan ports open to the outside. Often they find all sorts of RDP and MySQL even on alternative ports, and then they launch brute force. SSH needs to be controlled; besides, it is data exchange over one protocol inside another. The VPN software depends on the OS used. You can even deploy it on routers rather than on servers. - ilyaplot
  • Well, my server has SSH open too, and judging by the logs nobody ever manages to brute-force anything; they have never guessed the password to any server (fail2ban helps the situation a bit). I know how to set up a VPN, I just don't know how it will behave with many small connections - CyberPulse
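The answer's recommendation, spelled out in code as an added example that is not part of the original thread: MySQL listens only on a WireGuard tunnel address, every client keeps a fixed tunnel address no matter how its public IP changes behind NAT, and each MySQL account is host-restricted to that tunnel address. The subnet 10.8.0.0/24, the endpoint db.example.net:51820, the interface name wg0, the client names and every key string are assumed placeholders; real keys come from `wg genkey | tee privkey | wg pubkey` on each machine.

```python
"""Fleet-wide config generator: MySQL reachable only through a WireGuard tunnel.

Added illustration, not code from the thread. Assumptions (placeholders):
10.8.0.0/24 as the VPN subnet, db.example.net:51820 as the server's public
endpoint, wg0 as the interface name, and whatever key strings the caller passes.
"""
import ipaddress
import secrets
from dataclasses import dataclass

VPN_NET = ipaddress.ip_network("10.8.0.0/24")   # assumed private VPN subnet
SERVER_VPN_IP = VPN_NET[1]                      # 10.8.0.1: the only address mysqld listens on
SERVER_ENDPOINT = "db.example.net:51820"        # assumed public endpoint of the rack server
WG_IFACE = "wg0"
MYSQL_PORT = 3306


@dataclass(frozen=True)
class Client:
    name: str      # human label, e.g. "kiosk-01"
    pubkey: str    # base64 WireGuard public key generated on the client
    db_user: str   # MySQL account this client will use


def assign_addresses(clients):
    """Pin a fixed tunnel address to every client.

    Public IPs are dynamic and NAT'd, but WireGuard identifies a peer by its
    key, not by source address, so the tunnel address survives reconnects and
    is what the host part of the MySQL grant matches.
    """
    usable = VPN_NET.num_addresses - 3            # minus network, server, broadcast
    if len(clients) > usable:
        raise ValueError(f"{len(clients)} clients exceed {usable} usable addresses in {VPN_NET}")
    return {c.name: VPN_NET[i + 2] for i, c in enumerate(clients)}


def server_config(server_privkey, clients, addrs):
    """wg0.conf for the database server: one [Peer] per client, /32 each."""
    lines = ["[Interface]", f"Address = {SERVER_VPN_IP}/{VPN_NET.prefixlen}",
             "ListenPort = 51820", f"PrivateKey = {server_privkey}", ""]
    for c in clients:
        lines += ["[Peer]", f"# {c.name}", f"PublicKey = {c.pubkey}",
                  f"AllowedIPs = {addrs[c.name]}/32",   # only source address accepted from this key
                  ""]
    return "\n".join(lines)


def client_config(client_privkey, server_pubkey, addr):
    """wg0.conf for one client. PersistentKeepalive keeps the NAT mapping open;
    AllowedIPs limited to the server so only DB traffic enters the tunnel."""
    return "\n".join(["[Interface]", f"Address = {addr}/32", f"PrivateKey = {client_privkey}", "",
                      "[Peer]", f"PublicKey = {server_pubkey}", f"Endpoint = {SERVER_ENDPOINT}",
                      f"AllowedIPs = {SERVER_VPN_IP}/32", "PersistentKeepalive = 25", ""])


def mysqld_fragment():
    """my.cnf snippet: bind to the tunnel address only, never 0.0.0.0.
    mysqld must start after wg0 is up, otherwise the bind fails."""
    return f"[mysqld]\nbind-address = {SERVER_VPN_IP}\nport = {MYSQL_PORT}\n"


def firewall_rules():
    """Defence in depth in case bind-address is ever loosened: 3306 accepted
    from the tunnel interface only and dropped from everywhere else."""
    return [f"iptables -A INPUT -i {WG_IFACE} -p tcp --dport {MYSQL_PORT} -j ACCEPT",
            f"iptables -A INPUT -p tcp --dport {MYSQL_PORT} -j DROP",
            "iptables -A INPUT -p udp --dport 51820 -j ACCEPT"]   # WireGuard itself stays reachable


def mysql_grants(clients, addrs, database):
    """One account per client, host-restricted to its tunnel address, so a
    leaked password is useless from any other peer or from the Internet."""
    stmts, passwords = [], {}
    for c in clients:
        host = addrs[c.name]
        pw = secrets.token_urlsafe(24)            # [A-Za-z0-9_-] only: safe inside single quotes
        passwords[c.name] = pw
        stmts.append(f"CREATE USER IF NOT EXISTS '{c.db_user}'@'{host}' IDENTIFIED BY '{pw}';")
        stmts.append(f"GRANT SELECT, INSERT, UPDATE, DELETE ON `{database}`.* TO '{c.db_user}'@'{host}';")
    return stmts, passwords


if __name__ == "__main__":
    # Constructed sample fleet with placeholder keys, not real key material.
    fleet = [Client("kiosk-01", "CLIENT1_PUBKEY_PLACEHOLDER=", "kiosk01"),
             Client("office-02", "CLIENT2_PUBKEY_PLACEHOLDER=", "office02")]
    addrs = assign_addresses(fleet)
    print(server_config("SERVER_PRIVKEY_PLACEHOLDER=", fleet, addrs))
    print(client_config("CLIENT1_PRIVKEY_PLACEHOLDER=", "SERVER_PUBKEY_PLACEHOLDER=", addrs["kiosk-01"]))
    print(mysqld_fragment())
    print("\n".join(firewall_rules()))
    print("\n".join(mysql_grants(fleet, addrs, "shopdb")[0]))
```

The generated SQL contains the per-client passwords, so treat the script's output as a secret and deliver each client only its own credential and its own wg0.conf. For the clients doing 20-30 requests per second, keep a persistent connection or a small pool on the client side: the tunnel handles the packets, but opening a fresh MySQL session per request would still cost a handshake each time.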