Using amazon RDS with WordPress over SSL

1 Views

I’m migrating our WordPress database to RDS which is also being used by other services in our infrastructure. But I couldn’t find any configuration option for wp-config.php where I could specify that SSL to be used while connecting to the server. This would also need a reference to the certificate authority file provided by Amazon. The app server on which WordPress is currently running, is outside AWS cluster.

The answers I could find were fairly old (I’m using WordPress 4.2 here) and don’t provide much guidance.

Read More

How can I configure WordPress to use Amazon RDS over an SSL connection (specifying the public key)?

Post Views: 1

Related posts

Leave a Reply

2 comments

  1. Had the same question. Thankfully some other folks had proposed a reasonable solution here: https://core.trac.wordpress.org/ticket/28625. End-to-end, here’s what I did to get SSL working:

    1. Add the following to the wordpress wp-includes/wp-db.php file. (except the last 2 lines which are just for insertion point reference)

    //ADDED per https://core.trac.wordpress.org/ticket/28625
// call set_ssl if mysql client flag set and settings available
if ( $client_flags & MYSQL_CLIENT_SSL ) {
    $pack = array( $this->dbh );
    $call_set = false;
    foreach( array( 'MYSQL_SSL_KEY', 'MYSQL_SSL_CERT', 'MYSQL_SSL_CA',
        'MYSQL_SSL_CAPATH', 'MYSQL_SSL_CIPHER' ) as $opt_key ) {
        $pack[] = ( defined( $opt_key ) ) ? constant( $opt_key ) : null;
        $call_set |= defined( $opt_key );
    }
    /* Now if anything was packed - unpack into the function.
    * Note this doesn't check if paths exist, as per the PHP doc
    * at http://www.php.net/manual/en/mysqli.ssl-set.php: "This
    * function always returns TRUE value. If SSL setup is incorrect
    * mysqli_real_connect() will return an error ..."
    */
    if ( $call_set ) { // SSL added here!
        call_user_func_array( 'mysqli_ssl_set', $pack );
    }
}//END ADD - below is the point above which to insert this

if ( WP_DEBUG ) {
    mysqli_real_connect( $this->dbh, $host, $this->dbuser, $this->dbpassword, null, $port, $socket, $client_flags );

    2. Customize your wordpress wp-config.php file.

    Add & customize the following lines in your wp-config.php file. You can test these from development/staging as well as production if you have multiple environments.

    define('DB_HOST', 'rds-yourserver-abcdefghi9j.us-west-1.rds.amazonaws.com');
define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);//This activates SSL mode
define('MYSQL_SSL_CA', '/file/path/to/your/aws/rds-combined-ca-bundle.pem');

    Note that there are 5 available MYSQL_SSL* settings you could use in your config, per code in #1 above. My RDS connection works via SSL with just the _CA option.

    3. Sanity test that your connection is encrypted.

    Add a quick test file to show whether the current WordPress connection is using SSL or not. Create a sample file like this one called test.php, and put in your wordpress root or somewhere web accessible. Don’t forget to remove this file when done testing.

    <?php
require( dirname( __FILE__ ) . '/wp-blog-header.php' ); //EDIT THIS PATH SO IT IS CORRECT FOR YOUR test.php file relative to the wp-blog-header.php file
global $wpdb;
$row = $wpdb->get_row( "SHOW STATUS LIKE 'Ssl_cipher'" );
var_dump($row);

/*
If you are connected over SSL this should output something like:
object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(10) "AES256-SHA" }

If you are NOT connected over SSL this should output something like:
object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(10) "" }

*/
?>

    4. Deploy and test your connection

    Deploy your changes & test.php file to your wordpress installation, and restart your web server as needed. I’m using apache, so I run

    sudo apachectl restart

  2. For anyone one is using Redhat 7 + Apache 2.4 + PHP 7.
    I was facing same issue, so added below two lines into the wp-config.php as mentioned above.

    define(‘MYSQL_CLIENT_FLAGS’, MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT ); // you need this for PHP 7
    define(‘MYSQL_SSL_CA’, ‘/var/www/BaltimoreCyberTrustRoot.crt.pem’);

    However was still not able to connect to DB…

    So called one guy and he asked me to disable the Selinux by running following command:

    setsebool -P httpd_can_network_connect_db 1

    I said, dude, i already disabled SELinux why i need to run this again? He screamed to me: I DON’T KNOW, JUST RUN IT!

    so i did and restarted the httpd, and it worked without changing wp-db.php… dont ask me why as i totally have no idea abpit the logic behind this neither.