MySQL Database - lock down remote access

rjbathgate
PRO

a month ago

Hey

I have launched a MySQL database, and it's provisioned the remote connection, authed with username (root) and password.

Is there a way to create IP restrictions on this remote access as I'd prefer not to have it open to general public. Firewall it basically...

I do need occasional remote access (myself, using MySQL Workbench for example), but all other apps use the .internal network - but if there was a way to disable remote access entirely, I could work with that and remote in via another Railway container.

OR...

If there is no way for any of the above, I'd like to lock down my MySQL users by hostname (in the actual MySQL user config).

Currently I've had to set the user's hostname restrictions open (%) EVEN when connecting internally. I tried %.internal but got the connection error which indicated the client was:

fd12:374a:603f:xxxxxxxx

whereas I was expecting it to be a *.internal address.

ChatGPT (yup, sorry) seems to think 'fd12...' is an internal IPv6 -- if it is, can I rely on it for internal connections, for example, limiting the hostname to fd12%?

And if so, would all of my apps (within the same project) follow the same fd12 commencement?

Thanks in advance.

Solved · $10 Bounty

4 Replies

Hey! I've seen this asked before but currently you are unable to whitelist IP connections to a public database connection.
You are able to disable the public TCP url but not selectively allow access.
What I do is leave it disabled unless I need to connect. You can control access by making a simple admin-only API that you secure if you don't need the full suite of features a direct connection provides.



rjbathgate
PRO

a month ago

Thanks for the reply. To disable the public TCP url, do I delete the shortline.proxy... from the Public Networking section, as per the attached screenshot?

Makes sense this will work, but wondering if there's a disable feature instead of delete (thinking disable makes it easier to bring it back up, with the same URL in the future?)

Thanks again




Yep! I just have the URL saved and add it back later. During prod I almost never actually connect to the TCP url. I made a simple admin api to do CRUD operations.


Hope I was able to answer your questions. Happy to help if you need anything else!


Status changed to Solved brody 29 days ago

