community.proxysql

proxysql firewall support

Open atimonin opened this issue 2 years ago • 1 comments

New feature needed for firewall management in proxysql: https://mydbops.wordpress.com/2020/04/21/building-a-mysql-firewall-with-proxysql/

SUMMARY

At least I now need modules to manage mysql_firewall_whitelist_users and mysql_firewall_whitelist_rules

ISSUE TYPE
  • Feature Idea

I think this should be a separate module, but maybe it's possible to implement it in proxysql_mysql_users

COMPONENT NAME
ADDITIONAL INFORMATION

atimonin Mar 24 '23 10:03

> I think this should be a separate module, but maybe it's possible to implement it in proxysql_mysql_users

It is impossible to integrate it into the proxysql_mysql_users module imo.
I also think it must result in three new modules. Everything else will be very complicated.

mysql_firewall_whitelist_rules

CREATE TABLE mysql_firewall_whitelist_rules (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    username VARCHAR NOT NULL,
    client_address VARCHAR NOT NULL,
    schemaname VARCHAR NOT NULL,
    flagIN INT NOT NULL DEFAULT 0,
    digest VARCHAR NOT NULL,
    comment VARCHAR NOT NULL,
    PRIMARY KEY (username, client_address, schemaname, flagIN, digest) )

mysql_firewall_whitelist_sqli_fingerprints

CREATE TABLE mysql_firewall_whitelist_sqli_fingerprints (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    fingerprint VARCHAR NOT NULL,
    PRIMARY KEY (fingerprint) )

mysql_firewall_whitelist_users

CREATE TABLE mysql_firewall_whitelist_users (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    username VARCHAR NOT NULL,
    client_address VARCHAR NOT NULL,
    mode VARCHAR CHECK (mode IN ('OFF','DETECTING','PROTECTING')) NOT NULL DEFAULT ('OFF'),
    comment VARCHAR NOT NULL,
    PRIMARY KEY (username, client_address) )

What's your use case?
I've tried firewalling a nextcloud application in the past. But it's nearly impossible.
This will only work properly if

  • Your application consists of only very few queries
  • You've got unit and integration tests that cover 100% of all needed and available queries, so you've got a realistic chance to collect all necessary queries.
    • when you're using an ORM, the chance that you reach 100% decreases massively
  • You've got a lot of man-power, time and perseverance.

@atimonin do you have some time to implement and contribute those modules?

markuman Mar 24 '23 19:03
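
The coverage problem raised in the comment above, as an added example (not code from the thread or from community.proxysql): it loads the two table definitions quoted there into an in-memory SQLite database and refuses to switch a user to PROTECTING while any observed digest lacks an active whitelist rule. The `observed` table (a reduced stand-in for ProxySQL's `stats_mysql_query_digest`), the sample rows, the function names and the exact-match lookup on the key columns are assumptions made for illustration.

```python
import sqlite3

# The two CREATE TABLE statements are the ones quoted in the comment above.
DDL = """
CREATE TABLE mysql_firewall_whitelist_users (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    username VARCHAR NOT NULL, client_address VARCHAR NOT NULL,
    mode VARCHAR CHECK (mode IN ('OFF','DETECTING','PROTECTING')) NOT NULL DEFAULT ('OFF'),
    comment VARCHAR NOT NULL, PRIMARY KEY (username, client_address) );
CREATE TABLE mysql_firewall_whitelist_rules (
    active INT CHECK (active IN (0,1)) NOT NULL DEFAULT 1,
    username VARCHAR NOT NULL, client_address VARCHAR NOT NULL,
    schemaname VARCHAR NOT NULL, flagIN INT NOT NULL DEFAULT 0,
    digest VARCHAR NOT NULL, comment VARCHAR NOT NULL,
    PRIMARY KEY (username, client_address, schemaname, flagIN, digest) );
-- Assumption: reduced stand-in for the digests seen while DETECTING.
CREATE TABLE observed (username, client_address, schemaname, digest, digest_text);
"""

def uncovered(db, user, addr):
    """Observed digests that have no active whitelist rule for user/addr."""
    return db.execute("""
        SELECT o.schemaname, o.digest, o.digest_text FROM observed o
        LEFT JOIN mysql_firewall_whitelist_rules r
          ON r.active = 1 AND r.flagIN = 0 AND r.username = o.username
         AND r.client_address = o.client_address
         AND r.schemaname = o.schemaname AND r.digest = o.digest
        WHERE o.username = ? AND o.client_address = ? AND r.digest IS NULL
        ORDER BY o.digest""", (user, addr)).fetchall()

def set_mode(db, user, addr, mode):
    """Set the firewall mode; refuse PROTECTING while digests are uncovered."""
    missing = uncovered(db, user, addr)
    if mode == "PROTECTING" and missing:
        return False, missing
    db.execute("""INSERT OR REPLACE INTO mysql_firewall_whitelist_users
        (active, username, client_address, mode, comment)
        VALUES (1, ?, ?, ?, '')""", (user, addr, mode))
    return True, missing

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(DDL)
    # Constructed sample data: two observed digests, one whitelisted.
    db.executemany("INSERT INTO observed VALUES ('app','10.0.0.5','shop',?,?)",
                   [("0xA1", "SELECT * FROM orders WHERE id=?"),
                    ("0xB2", "UPDATE orders SET state=? WHERE id=?")])
    db.execute("INSERT INTO mysql_firewall_whitelist_rules "
               "VALUES (1,'app','10.0.0.5','shop',0,'0xA1','')")
    return db
```

Against a real ProxySQL admin interface the same join would read from `stats_mysql_query_digest`, and changes take effect only after `LOAD MYSQL FIREWALL TO RUNTIME`.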