Specify SSL for Heroku Database External Connection

I am running a Rails 3.2 application on a cedar stack in Heroku.

I use Amazon RDS for my MySQL database, and I have the correct DATABASE_URL setting in Heroku configurations.

How do I get Heroku to use SSL in my connection with Amazon RDS?

Usually this will be indicated as a value in database.yml, but since Heroku generates database.yml for us, I'm not sure how to manage this parameter.

Thanks!

+6
2 answers

From looking at the database.yml that Heroku injects (see http://neilmiddleton.com/sharing-databases-between-heroku-applications/ below), you can pass additional configuration as query parameters on the database URL.

In theory, this should allow you to configure it as you want, although I have not tried it.

+1

You can specify some mysql2 SSL parameters through the DATABASE_URL configuration. They will be added as dynamic database.yml elements that are generated during the Heroku build process, and therefore they will be passed in when mysql2 connections are created.

The only parameter you need to pass for this is sslca (not to be confused with sslcapath).

1. Download the Amazon RDS CA certificate and add it to your application.

(Edit) Amazon will rotate this certificate in March 2015. Instead, you will need a new file from this page.

curl https://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem > ./config/amazon-rds-ca-cert.pem

2. Add the file to git and reinstall it on Heroku.

3. Change DATABASE_URL to pass sslca:

heroku config:add DATABASE_URL="mysql2://username:password@hostname/dbname?sslca=config/amazon-rds-ca-cert.pem" -a <app_id>

The relative path there is important - see below.

That's it! Now that SSL is working for you, you can require that all connections for this user use SSL only:

 GRANT USAGE ON dbname.* TO 'username'@'%' REQUIRE SSL; 

Troubleshooting

Be sure to pass the relative path to sslca! Otherwise, rake assets:precompile may fail with an SSL error. If you receive an error message:

 SSL connection error: ASN: bad other signature confirmation 

or even just:

 SSL connection error 

... then something is probably wrong with how the CA certificate file is referenced.

+12
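As an added example (not part of either answer, and not Rails's or mysql2's own resolver code), the script below mimics how a DATABASE_URL with query parameters becomes a mysql2 connection hash, then checks the sslca setting the answer above depends on: that it is a relative path and that the CA file actually exists under the app root. The function names are hypothetical and the CA file in the demo is constructed.

```ruby
require "uri"
require "cgi"
require "tmpdir"

# Parse a mysql2:// URL into the kind of hash Rails builds from DATABASE_URL.
# Every query parameter (sslca, sslcapath, sslverify, ...) is copied in as-is,
# which is how "?sslca=..." reaches the mysql2 adapter.
def database_url_to_config(url)
  uri = URI.parse(url)
  raise ArgumentError, "expected a mysql2:// URL" unless uri.scheme == "mysql2"

  config = {
    "adapter"  => uri.scheme,
    "username" => uri.user && CGI.unescape(uri.user),
    "password" => uri.password && CGI.unescape(uri.password),
    "host"     => uri.host,
    "port"     => uri.port,
    "database" => uri.path.to_s.sub(%r{\A/}, "")
  }
  CGI.parse(uri.query.to_s).each { |key, values| config[key] = values.first }
  config
end

# Return a list of problems with the SSL settings, resolved against app_root.
def check_ssl_config(config, app_root)
  problems = []
  sslca = config["sslca"]
  if sslca.nil?
    problems << "no sslca parameter: the RDS server certificate is not pinned to a CA"
  else
    # The answer stresses a relative path: Heroku builds run from the app root,
    # so an absolute path breaks rake assets:precompile.
    problems << "sslca is absolute (#{sslca}); use a path relative to the app root" if sslca.start_with?("/")
    path = File.expand_path(sslca, app_root)
    problems << "CA file not found at #{path}" unless File.file?(path)
  end
  # mysql2's sslverify option enables server-certificate verification.
  problems << "sslverify is not 'true': server certificate is not verified" unless config["sslverify"] == "true"
  problems
end

if $PROGRAM_NAME == __FILE__
  url = "mysql2://username:password@hostname/dbname?sslca=config/amazon-rds-ca-cert.pem&sslverify=true"
  Dir.mktmpdir do |root|                      # constructed app root
    Dir.mkdir(File.join(root, "config"))
    File.write(File.join(root, "config", "amazon-rds-ca-cert.pem"), "constructed PEM")
    puts check_ssl_config(database_url_to_config(url), root).inspect  # prints []
  end
end
```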

Source: https://habr.com/ru/post/910929/
