Is it possible to restrict MySQL IP and Port on a Public REST API without affecting its open access to all?

huangapple · go · 52 reads

Question


We currently have a Public API to be used by our Business' current and future clients. Due to flexibility purposes and capability for our clients' systems to interface with ours, we currently have our MySQL Database IP and Port on wildcard access so as to not encounter any restricted access issues.

Question is, due to security concerns, would it be possible to restrict the MySQL Database's Server IP and Port to not be accessed directly by third party clients but only via the Public API? My instinct says no, but I don't have much experience in the way of Public APIs nor Public Access.

When an API User sends a query on our database, does it identify it via the API Host's IP (our servers?), or via the Client Computer's IP?

Thanks!

Answer 1

Score: 1


It's considered a bad security risk to expose MySQL's port directly to external clients. MySQL supports TLS but doesn't enforce it by default. So you're at risk of unauthorized clients invading.

For this reason, it's much safer and more recommended to run your own API server, as you mentioned. The API server is the only one allowed to connect to MySQL. Typically network routing is configured to prevent any contact to the database server except from the API server.

MySQL would therefore know nothing about the client's IP address. As far as MySQL is concerned, your API server is the only IP address it knows about.

The client IP address would be known by your API server and HTTP server, and if you have load balancers or firewalls, those too.

The "users" associated with your third-party clients aren't necessarily mapped to distinct users in the MySQL authentication system. Actually, it's more typical that the API server uses a single MySQL user to authenticate all clients. Once connected to the database, your code would look up the client's "user" as a further authentication step. In other words, you would store a table in your own database with user credentials, and you would implement code to check passwords and so on. This is distinct from MySQL's own authentication system.

Alternatively, you could write your API service to use SAML or OAuth2 or equivalent federated authentication. The API service would still need to authenticate to MySQL, but the client's identity would be provided by the OAuth2 authentication.
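The account-level side of what the answer describes, as an added example that is not part of the original question or answer: a MySQL 8 script that replaces a wildcard-host account with one pinned to the API server's address, requires TLS on the connection, grants only row-level privileges, and creates the application's own credential table that the API code checks passwords against. The API server address 10.0.1.5, the database name appdb, the account names and the password are placeholders chosen for this example.

```sql
-- Added example, not code from the original post. Assumes MySQL 8.x, an API
-- server at 10.0.1.5 (placeholder address) and an application database named
-- appdb (placeholder name). Run as a MySQL administrative account.

CREATE DATABASE IF NOT EXISTS appdb;

-- The weak setting described in the question: a wildcard host lets any
-- machine that learns the password connect from anywhere.
-- CREATE USER 'app'@'%' IDENTIFIED BY 'secret';
-- GRANT ALL PRIVILEGES ON appdb.* TO 'app'@'%';

-- Hardened: one account, bound to the API server's address only. MySQL
-- matches the host part against the source IP of the TCP connection, which
-- is always the API server's address, never a third-party client's.
CREATE USER 'api'@'10.0.1.5'
  IDENTIFIED BY 'CHANGE-ME-placeholder'
  REQUIRE SSL;                              -- plaintext connections are refused for this account

-- Least privilege: the API needs row access, not schema changes or admin rights.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'api'@'10.0.1.5';

-- Refuse non-TLS connections server-wide as well, not only per account.
-- SET PERSIST writes the setting to mysqld-auto.cnf so it survives restarts;
-- the equivalent my.cnf line is require_secure_transport=ON.
SET PERSIST require_secure_transport = ON;

-- Remove the wildcard account left over from the earlier setup, if any.
DROP USER IF EXISTS 'app'@'%';

-- Application-level identity, separate from MySQL's own accounts: the API
-- server authenticates third-party users against this table and then runs
-- every query through the single 'api' account above.
CREATE TABLE IF NOT EXISTS appdb.api_clients (
  client_id     BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  username      VARCHAR(64)  NOT NULL UNIQUE,
  password_hash VARCHAR(255) NOT NULL,     -- bcrypt/Argon2 output computed by the API code, never a plaintext password
  enabled       BOOLEAN      NOT NULL DEFAULT TRUE,
  created_at    TIMESTAMP    NOT NULL DEFAULT CURRENT_TIMESTAMP
);

-- Checks: every remaining application account should be pinned to the API
-- server's host and marked as requiring SSL, and the server-wide switch
-- should read ON.
SELECT user, host, ssl_type FROM mysql.user WHERE user IN ('api', 'app');
SHOW VARIABLES LIKE 'require_secure_transport';
```

Because MySQL only ever sees the source address of the TCP connection, the host part of 'api'@'10.0.1.5' is the API server; a password that leaks to a third-party client is useless from any other address. Treat the script as defence in depth on top of the network restriction the answer describes: bind MySQL to a private interface (bind-address in my.cnf) and firewall port 3306 so that only the API server can reach it at all. The comparison against api_clients.password_hash happens in the API code, not in MySQL.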

Posted by huangapple on 2023-02-06 07:46:25
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75356304.html