Support for MySQL and SSL Connections #7039

Closed
urda opened this issue Jan 15, 2015 · 13 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement.

@urda

urda commented Jan 15, 2015

Feature Request

I'm not seeing any options in Piwik for enabling the MySQL connectors to use SSL. It's very important that we are given the capability of encrypting our connections to database servers, since they may not always be on the same server as Piwik.

@tsteur tsteur added Help wanted Beginner friendly issues or issues where we'd highly appreciate community's help and involvement. Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. c: Privacy For issues that impact or improve the privacy. labels Jan 19, 2015
@tsteur tsteur added this to the Short term milestone Jan 19, 2015
@urda
Author

urda commented Jan 20, 2015

@tsteur Thank you for seeing this and triaging it 😄

@urda
Author

urda commented Jan 20, 2015

For reference, projects such as osTicket provide additional config variables such as the following:

define('DBSSLCA','/path/to/ca.crt');
define('DBSSLCERT','/path/to/client.crt');
define('DBSSLKEY','/path/to/client.key');

So for example, an Amazon RDS connection will only need to define DBSSLCA in the config for an SSL connection to operate.

@mattab mattab added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. and removed c: Privacy For issues that impact or improve the privacy. labels Feb 27, 2015
@tsteur
Member

tsteur commented Jun 29, 2015

Not directly related to resolving this issue but maybe an interesting read: https://www.facebook.com/MySQLatFacebook/posts/10153074619236696

@mattab
Member

mattab commented Sep 23, 2016

The pull request @ #8049 is a great start - we have closed it for now as nobody is working on it, but if you are reading this, please consider finishing the pull request so we can merge it in Piwik!

@mattab
Member

mattab commented Apr 26, 2017

There was a lot of work done for this feature in the pull request here: #10866 - it is only missing the automated tests.

@RafalLukawiecki

Since this issue has been in the works for over 2 years, does it mean something is blocking it so much that it is unlikely to be implemented soon?

If so, is there a recommended workaround to prevent Piwik from sending database passwords in clear text, without encryption? Many thanks for your time working on this issue and for answering my question.

@cah-andrew-fitzgerald

This is a big one for us, and aligns well with the assertion that Security is a top priority at Matomo (https://matomo.org/security/).

I'm currently working around this by copying code over from PR #10866. Unfortunately I was unable to find any documentation on how to create a release locally.

Because of this, I added #12509 (Include instructions for building Matomo from source), which will be nice for anyone else in a similar situation.

@RafalLukawiecki

Thank you, @cah-andrewfitzgerald. Please ping me here when you have a version to test and I will try slotting it into our test and deployment release cycle. Good luck!

@Findus23
Member

@cah-andrewfitzgerald As this is PHP and there is no compile step, you can just apply the patch from the PR on your existing release.
A nice trick is downloading https://github.com/matomo-org/matomo/pull/10866.patch
and then applying it using the patch utility:
patch -p1 < 10866.patch

@cah-andrew-fitzgerald

@RafalLukawiecki I don't believe we're going to have a testable version to contribute back. We're using PR #10866 as is, which works for us, but has not been accepted due to a lack of automated tests.

@Findus23 I understand that there is no compile step, but there is definitely some sort of transformation happening to get from the source code to the distributions which are available from matomo.org/download, but that's a conversation for issue #12509.

@tsteur
Member

tsteur commented Jan 25, 2018

Looking at #10866 it seems actually good to merge (without testing) if you can confirm it works.

@cah-andrew-fitzgerald

cah-andrew-fitzgerald commented Jan 25, 2018

@tsteur: that would be great!

We're currently running 2.16.1 in a Docker container.
To confirm the PR works, I:

  • downloaded the 2.16.1 release from builds.matomo.org
  • manually copied the PR changes to the local 2.16.1 release
  • updated the dockerfile to point to the local release instead of pulling from builds.matomo.org
  • updated the config in our dockerfile to use the new SSL config options
  • deployed the docker container and successfully connected to an AWS RDS MySQL instance which is configured to only allow SSL connections
  • verified that piwik had no error messages and was able to successfully query the database

@gwaggott (the original PR author might be able to provide some more details/context)
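
The CA / client certificate / client key settings quoted earlier in the thread, and the "server only allows SSL" check described in the comment above, can be expressed with PHP's PDO MySQL driver as follows. This is an added example, not code from this thread, from PR #10866 or from Matomo; the function names, the `DB_DSN`/`DB_USER`/`DB_PASS` environment variables and the file paths are hypothetical, and it assumes the `pdo_mysql` extension is loaded.

```php
<?php
// Added example: helper names and paths are hypothetical placeholders.

/** Build PDO MySQL TLS options from whichever of CA / cert / key are set. */
function tlsOptions(?string $ca, ?string $cert = null, ?string $key = null): array
{
    // Design choice of this example: without a CA the server cannot be authenticated.
    if ($ca === null) {
        throw new InvalidArgumentException('A CA file is required to authenticate the server');
    }
    if (($cert === null) !== ($key === null)) {
        throw new InvalidArgumentException('Client cert and key must be set together');
    }
    $opts = [
        PDO::MYSQL_ATTR_SSL_CA => $ca,
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true, // keep server verification on
    ];
    if ($cert !== null) {
        $opts[PDO::MYSQL_ATTR_SSL_CERT] = $cert;
        $opts[PDO::MYSQL_ATTR_SSL_KEY]  = $key;
    }
    return $opts;
}

/** Return the negotiated cipher, or throw if the session is not encrypted. */
function assertEncrypted(PDO $db): string
{
    $row = $db->query("SHOW SESSION STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
    $cipher = $row['Value'] ?? '';
    if ($cipher === '') {
        throw new RuntimeException('Connection to MySQL is NOT using TLS');
    }
    return $cipher;
}

// CA-only case, as described for Amazon RDS earlier in the thread.
$opts = tlsOptions('/path/to/ca.crt');

// Connect only when a DSN is supplied, so the file loads without a database server.
if (getenv('DB_DSN')) {
    $db = new PDO(
        getenv('DB_DSN'),
        getenv('DB_USER') ?: null,
        getenv('DB_PASS') ?: null,
        $opts + [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
    echo 'TLS cipher: ', assertEncrypted($db), PHP_EOL;
}
```

An empty `Ssl_cipher` value means the session fell back to plaintext, which a successful query alone does not reveal when the server also accepts unencrypted connections.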

@mattab
Member

mattab commented Apr 23, 2018

PRs were merged in #10866 and #12631

SSL Connection is now supported for MySQL 🎉

Thanks @fitzoh and @gwaggott for your help!!

@mattab mattab closed this as completed Apr 23, 2018