Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

proxysql firewall support #144

Open
atimonin opened this issue Mar 24, 2023 · 1 comment
Open

proxysql firewall support #144

atimonin opened this issue Mar 24, 2023 · 1 comment

Comments

@atimonin
Copy link

New feature neeeded for firewall management in proxysql:
https://mydbops.wordpress.com/2020/04/21/building-a-mysql-firewall-with-proxysql/

SUMMARY

At least I need now modules to manage mysql_firewall_whitelist_users and mysql_firewall_whitelist_rules

ISSUE TYPE
  • Feature Idea
    I think this should be a separate module, but maybe it's possible to implement it in proxysql_mysql_users
COMPONENT NAME
ADDITIONAL INFORMATION


      		
    

      
  





        



            

              
            

        

      


      
    








      

    



      

  
      



  

  @markuman





  


    

      

  

    

        
    
    

  


      
          
  
      
            Copy link

  

      
    

  


  

      

  
  Member


      

  


  

    

  





      


        


  
    

      
          


I think this should be a separate module, but maybe it's possible to implement it in proxysql_mysql_users




It is impossible to integrate it into proxysql_mysql_users module imo.

I also think it must be result in three new modules. Everything else will be very complicated.


mysql_firewall_whitelist_rules


CREATE TABLE mysql_firewall_whitelist_rules (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    username VARCHAR NOT NULL,
    client_address VARCHAR NOT NULL,
    schemaname VARCHAR NOT NULL,
    flagIN INT NOT NULL DEFAULT 0,
    digest VARCHAR NOT NULL,
    comment VARCHAR NOT NULL,
    PRIMARY KEY (username, client_address, schemaname, flagIN, digest) )


mysql_firewall_whitelist_sqli_fingerprints


CREATE TABLE mysql_firewall_whitelist_sqli_fingerprints (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    fingerprint VARCHAR NOT NULL,
    PRIMARY KEY (fingerprint) )


mysql_firewall_whitelist_users


CREATE TABLE mysql_firewall_whitelist_users (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    username VARCHAR NOT NULL,
    client_address VARCHAR NOT NULL,
    mode VARCHAR CHECK (mode IN ('OFF','DETECTING','PROTECTING')) NOT NULL DEFAULT ('OFF'),
    comment VARCHAR NOT NULL,
    PRIMARY KEY (username, client_address) )




What's your usecase?

I've tried firewalling a nextcloud application in the past. But it's nearly impossible.

This will only work properly if


    

  • Your application consists only very few queries
    • 

  • You've got unit- and integrationtests that 100% covers all needed and available queries, so you've got a realistic chance to collect all necessary queries.

      

    • when you're using an ORM, the change that you reach 100% decreases massively
      • 

    

    • 

  • You got a lot of man-power, time and perseverance.
    • 



@atimonin do you have some time to implement and contribute those modules?

      		
    

  





        


            

            

              
            

        

      


      

            
  

    
  
    
    

  

  



    
















  
  

    

      

  





  




  
  

              

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  



  






  
                  




    

  


      
  

    Assignees
  



        

    No one assigned







      


  


  

    Labels
  



    

    None yet







      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          


  

    
      

        
    

    Development
  




              
No branches or pull requests







    
  




        
      

    

  
      

  

    

      2 participants
    

    

        
          @atimonin 
        
          @markuman