Thanks Massimo.

These are the steps and syntax to connect to Amazon's RDS using SSL.

*Step 1:*
Download Amazon's CA certificate from here:
 https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
and save it into 
web2py/applications/myapp/private/ssl/rds-combined-ca-bundle.pem

*Step 2:*
Modify your model (db.py) as follows, using your own username, password, 
endpoint, and DB:

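# CA bundle from Step 1; this relative path is resolved from the process working directory
driver_args = {'ssl': {'ca': 'applications/ads/private/ssl/rds-combined-ca-bundle.pem'}}
db_auth = 'mysql://web2py_db_user:mypassw...@xxxxx-cluster-1.cluster-xxxxxus-east-1.rds.amazonaws.com:3306/my_db'

# driver_args is passed through to the MySQL driver's connect() call
db = DAL(db_auth, driver_args=driver_args)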


*Step 3 (optional):*
To force SSL for this user (web2py_db_user), connect to the RDS server 
using MySQL Workbench (or any other DB client) and execute the following 
SQL. 

For MySQL 5.6:
GRANT USAGE ON *.* TO 'web2py_db_user'@'%' REQUIRE SSL;

For MySQL 5.7:
ALTER USER 'web2py_db_user'@'%' REQUIRE SSL;






On Sunday, September 2, 2018 at 12:56:06 PM UTC-5, Massimo Di Pierro wrote:
>
> For postgresql it has been there for long time:
>
>     postgres://{username}:{password}@{domain}:5432/{dbname}?sslmode=require
>
> For MySQL it can also be done with current PyDAL. My understanding is that 
> MySQL requires certificates so you
>
> 1) you need to install certificates
>
> 2) on server side in my my.ini:
>
> require_secure_transport=true
> tls_version=TLSv1,TLSv1.1,TLSv1.2
> ssl-ca=*install_path*/ca-cert.pem
> ssl-cert=*install_path*/cert.pem
> ssl-key=*install_path*/key.pem
>
>
> 3) on web2py side:
>
> ssl = { 'cert': '*install_path*/cert.pem',
>         'key': '*install_path*/key.pem',
>         'ca': '*install_path*/ca-cert.pem'} 
>
> DAL('mysql://....', driver_args = {'ssl': ssl})
>
> Mind I did not try this. All I am telling you is how to use driver_args to 
> pass ssl info to the mysqldb.connect( ...., ssl = ...) function.
>
> On Friday, 31 August 2018 22:07:54 UTC-7, appj...@gmail.com wrote:
>>
>> I was curious if the ability to connect securely to a database service 
>> (without an SSH tunnel) was added to 2.17.1?  Thanks.
>>
>>
>>
>> On Wednesday, January 31, 2018 at 12:27:01 AM UTC-6, appj...@gmail.com 
>> wrote:
>>>
>>> Hi, I wanted to check back to see if there was any update on this.  
>>>
>>> With more and more database solutions moving to hosted DB services (so 
>>> no SSH tunnels), Web2Py apps do not have the ability to connect to these 
>>> securely.   
>>>
>>> We are stuck hosting a dedicated machine to serve our MySQL and run an 
>>> SSH server.  We'd like to switch to Amazon Aurora for example.
>>>
>>>
>>> On Wednesday, October 11, 2017 at 11:52:02 AM UTC-5, Massimo Di Pierro 
>>> wrote:
>>>>
>>>>
>>>>
>>>> On Saturday, 7 October 2017 01:55:53 UTC-5, appj...@gmail.com wrote:
>>>>>
>>>>> Thank you Massimo!
>>>>>
>>>>> There is a great detailed deployment recipe for SSH tunneling to your 
>>>>> database server from a Heroku app instance (dyno). It works as of this 
>>>>> post. 10/8/17
>>>>>
>>>>> https://stackoverflow.com/questions/21575582/ssh-tunneling-from-heroku/46629121#46629121
>>>>>
>>>>> There are 2 issues/questions with this though:
>>>>>
>>>>> 1) So now that I can tunnel in, I have a performance question:  Since 
>>>>> the mysql database server will be making all of its connections to 
>>>>> localhost is that a single connection rather than multiple?  Will I lose 
>>>>> database read concurrency?  If so, will either that or the SSH tunnels be 
>>>>> a bottleneck and severely degrade my database performance?
>>>>>
>>>>
>>>> web2py has connection pooling. Each connection from the pool will go 
>>>> through the tunnel, concurrently up to the max number in the pool.
>>>>
>>>>>
>>>>> 2) SSH tends to be flaky and drop connections leaving a broken Web2py 
>>>>> app instance.  Any suggestions on best practices for handling that case?
>>>>>
>>>>
>>>>
>>>> No. Sorry. If others have suggestions I would like to hear them.
>>>>  
>>>>
>>>>>
>>>>> It's too bad DAL doesn't support secure connections.  Encrypted 
>>>>> database connections are pretty standard nowadays and I see there are 
>>>>> python mysql connectors that do. Has anyone successfully swapped out the 
>>>>> one that ships with one of those?
>>>>>
>>>>
>>>> It would be easy to add. We will work on it.
>>>>  
>>>>
>>>>>
>>>>> Cloud deployment is new to me so I really appreciate the help, and I 
>>>>> love using Web2py so thanks for making it and the ongoing support! 
>>>>>
>>>>>

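Added example (not part of the original thread and not web2py's own code): a helper for the db.py setup in Step 2 that resolves the CA bundle from the application folder, rejects a missing or non-PEM bundle before DAL connects, and checks after connecting that the MySQL session really negotiated TLS. The names rds_driver_args and session_cipher are hypothetical; app_folder is assumed to be request.folder in a web2py model and executesql is assumed to be db.executesql.

```python
import os
import ssl

# Location of the bundle inside the application folder, as saved in Step 1.
CA_RELATIVE = os.path.join('private', 'ssl', 'rds-combined-ca-bundle.pem')


def rds_driver_args(app_folder, ca_relative=CA_RELATIVE):
    """Build driver_args for DAL, failing early if the CA bundle is unusable.

    app_folder is the application directory (assumed: request.folder), so the
    path no longer depends on the working directory of the web2py process.
    """
    ca_path = os.path.abspath(os.path.join(app_folder, ca_relative))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=ca_path)
    except OSError as exc:  # missing file, unreadable file, or not PEM
        raise ValueError('unusable CA bundle %s: %s' % (ca_path, exc))
    if ctx.cert_store_stats()['x509'] == 0:
        raise ValueError('no certificates found in %s' % ca_path)
    return {'ssl': {'ca': ca_path}}


def session_cipher(executesql):
    """Return the TLS cipher of the current MySQL session, or raise.

    MySQL reports an empty Ssl_cipher value when the session is not encrypted.
    """
    rows = executesql("SHOW SESSION STATUS LIKE 'Ssl_cipher'")
    cipher = rows[0][1] if rows else ''
    if not cipher:
        raise RuntimeError('database session is not using TLS')
    return cipher


# In db.py (not executed here: needs web2py and a reachable server):
#   db = DAL(db_auth, driver_args=rds_driver_args(request.folder))
#   session_cipher(db.executesql)
```

The session check also catches a user that was never given REQUIRE SSL (Step 3) and silently connected in clear text.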