<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Some Reasonable Defaults for MySQL Settings</title>
	<atom:link href="http://www.linux-mag.com/id/7615/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.linux-mag.com/id/7615/</link>
	<description>Open Source, Open Standards</description>
	<lastBuildDate>Fri, 10 May 2013 08:56:11 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
	<item>
		<title>By: bryanoneal</title>
		<link>http://www.linux-mag.com/id/7615/#comment-7438</link>
		<dc:creator>bryanoneal</dc:creator>
		<pubDate>Wed, 30 Nov -0001 00:00:00 +0000</pubDate>
		<guid isPermaLink="false">http://www.linux-mag.com/id/7615/#comment-7438</guid>
		<description>&lt;p&gt;Just as a note, a number of your connection problems disappear if you only allow connections from the local host or specific internal IP ranges. You say, that is fine but I have dozens of application servers, a number of DBAs, replicated servers, reporting mechanisms, etc. This is exactly why I recommend locking down access and running a VPN or unprivileged tunnels from trusted application level servers for ALL connections to your data servers. In turn, the application servers are only accessible from the company's IP base (for internal applications) or from your front facing public presentation servers. The only public connections I have available on my servers are 80 &amp; 443 and only on the front facing web servers. My application servers and database servers are hidden behind layers of security on the networking, OS, and application level.&lt;br /&gt;
For example, I may have a dozen executives, accountants, and some top level sales people looking for live data but they never touch the database directly; instead they run through a reporting application that is on the application level. That application talks to its local host (tunneled) or to the database server's private VPN IP. This level of connection management is simple, provides additional security, and keeps connection management in your hands, not the users'. I am not saying you should not mess with an application's connection settings directly if you legitimately have a need to, say, increase maximum connections. But if you do, then you need to check a number of your resource management settings as well. In addition, this is a wonderful front line approach for a wide number of applications, be it MySQL, DB2, Tomcat, whatever you may need to protect.&lt;/p&gt;
&lt;p&gt;Just my two cents.
&lt;/p&gt;
</description>
		<content:encoded><![CDATA[<p>Just as a note, a number of your connection problems disappear if you only allow connections from the local host or specific internal IP ranges. You say, that is fine but I have dozens of application servers, a number of DBAs, replicated servers, reporting mechanisms, etc. This is exactly why I recommend locking down access and running a VPN or unprivileged tunnels from trusted application level servers for ALL connections to your data servers. In turn, the application servers are only accessible from the company's IP base (for internal applications) or from your front facing public presentation servers. The only public connections I have available on my servers are 80 &#38; 443 and only on the front facing web servers. My application servers and database servers are hidden behind layers of security on the networking, OS, and application level.<br />
For example, I may have a dozen executives, accountants, and some top level sales people looking for live data but they never touch the database directly; instead they run through a reporting application that is on the application level. That application talks to its local host (tunneled) or to the database server's private VPN IP. This level of connection management is simple, provides additional security, and keeps connection management in your hands, not the users'. I am not saying you should not mess with an application's connection settings directly if you legitimately have a need to, say, increase maximum connections. But if you do, then you need to check a number of your resource management settings as well. In addition, this is a wonderful front line approach for a wide number of applications, be it MySQL, DB2, Tomcat, whatever you may need to protect.</p>
<p>Just my two cents.</p>
]]></content:encoded>
	</item>
</channel>
</rss>