Bug #38564 | Proxy should be able to limit hosts that can connect
---|---
Submitted: | 5 Aug 2008 10:26
Reporter: | Victoria Reznichenko
Status: | Verified
Category: | MySQL Enterprise Monitor: Agent
Severity: | S4 (Feature request)
Version: |
OS: | Any
Assigned to: | Assigned Account
CPU Architecture: | Any
Tags: | windmill
[5 Aug 2008 10:26]
Victoria Reznichenko
[18 Dec 2008 20:38]
James Day
Partial workarounds for this:

1. Firewall. It shouldn't be possible to even see the server unless your host has permission to access it. If it can be seen, denial of service attacks are possible even without access rights.
2. Non-standard ports. So standard scripted attacks on default ports will fail.

Only once those methods have failed to protect the server do the individual user connection and other access rights start to become significant. Not supporting them is a significant problem for those who want good access control.
[18 Feb 2009 22:31]
Mark Matthews
Until such time as the MySQL server allows us to pass through originating host information in any way (secure or not), there will always be a limitation that clients connecting through the proxy will appear to be coming from whichever host the proxy is running on (usually localhost), thus making it impossible to use grants that discriminate based on hostname, network, etc. The same issue exists when connections come in via NAT'd subnets, or via Linux HA virtual IPs, etc. While we do want to add allow/deny type security to the proxy, there does become a point of diminishing returns, addressed by and usable today by the workarounds James posted.
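
Added example, not part of the bug thread and not MySQL Proxy code: a sketch of the allow/deny check discussed above, evaluated against the peer address at accept time, which is the last point where the originating host is still visible before the server sees only the proxy's address. The rule format, function names and addresses are hypothetical and constructed for illustration.

```python
import ipaddress

# Hypothetical rule format (an assumption, not MySQL Proxy's own):
# ordered (action, CIDR) pairs, first match wins, default deny.
# All addresses below are constructed sample values.
RULES = [
    ("deny",  "10.0.5.13/32"),   # one excluded host inside an allowed subnet
    ("allow", "10.0.5.0/24"),
    ("allow", "127.0.0.1/32"),
    ("allow", "::1/128"),
]

def compile_rules(rules):
    """Parse rules once at startup; reject malformed entries early."""
    compiled = []
    for action, cidr in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        # strict=True refuses CIDRs with host bits set (e.g. 10.0.5.1/24),
        # which usually indicate a typo in an access list.
        compiled.append((action, ipaddress.ip_network(cidr, strict=True)))
    return compiled

def normalize(peer):
    """Return the peer as an address object, unwrapping IPv4-mapped IPv6.

    A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d; without
    this step such a client would never match an IPv4 rule.
    """
    addr = ipaddress.ip_address(peer)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def is_allowed(peer, compiled):
    """Decide on the address from getpeername() before proxying any bytes."""
    try:
        addr = normalize(peer)
    except ValueError:
        return False  # unparsable peer string: fail closed
    for action, net in compiled:
        if addr.version == net.version and addr in net:
            return action == "allow"
    return False  # no rule matched: default deny

COMPILED = compile_rules(RULES)
```

Like the firewall workaround, this filters on the source address only; it does not restore per-host grants on the server side, which still sees every connection as coming from the proxy host.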