Using amazon RDS with WordPress over SSL

Asked 24/4, 2015 at 14:28 Answered 31/7, 2018 at 12:42

Solved mysql wordpress ssl amazon-web-services rds

I'm migrating our WordPress database to RDS which is also being used by other services in our infrastructure. But I couldn't find any configuration option for wp-config.php where I could specify that SSL to be used while connecting to the server. This would also need a reference to the certificate authority file provided by Amazon. The app server on which WordPress is currently running, is outside AWS cluster.

The answers I could find were fairly old (I'm using WordPress 4.2 here) and don't provide much guidance.

How can I configure WordPress to use Amazon RDS over an SSL connection (specifying the public key)?

Cyprinodont answered 24/4, 2015 at 14:28 Comment(0)

Had the same question. Thankfully some other folks had proposed a reasonable solution here: https://core.trac.wordpress.org/ticket/28625. End-to-end, here's what I did to get SSL working:

1. Add the following to the wordpress wp-includes/wp-db.php file. (except the last 2 lines which are just for insertion point reference)

//ADDED per https://core.trac.wordpress.org/ticket/28625
// call set_ssl if mysql client flag set and settings available
if ( $client_flags & MYSQL_CLIENT_SSL ) {
    $pack = array( $this->dbh );
    $call_set = false;
    foreach( array( 'MYSQL_SSL_KEY', 'MYSQL_SSL_CERT', 'MYSQL_SSL_CA',
        'MYSQL_SSL_CAPATH', 'MYSQL_SSL_CIPHER' ) as $opt_key ) {
        $pack[] = ( defined( $opt_key ) ) ? constant( $opt_key ) : null;
        $call_set |= defined( $opt_key );
    }
    /* Now if anything was packed - unpack into the function.
    * Note this doesn't check if paths exist, as per the PHP doc
    * at http://www.php.net/manual/en/mysqli.ssl-set.php: "This
    * function always returns TRUE value. If SSL setup is incorrect
    * mysqli_real_connect() will return an error ..."
    */
    if ( $call_set ) { // SSL added here!
        call_user_func_array( 'mysqli_ssl_set', $pack );
    }
}//END ADD - below is the point above which to insert this

if ( WP_DEBUG ) {
    mysqli_real_connect( $this->dbh, $host, $this->dbuser, $this->dbpassword, null, $port, $socket, $client_flags );

2. Customize your wordpress wp-config.php file.

Add & customize the following lines in your wp-config.php file. You can test these from development/staging as well as production if you have multiple environments.

define('DB_HOST', 'rds-yourserver-abcdefghi9j.us-west-1.rds.amazonaws.com');
define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);//This activates SSL mode
define('MYSQL_SSL_CA', '/file/path/to/your/aws/rds-combined-ca-bundle.pem');

Note that there are 5 available MYSQL_SSL* settings you could use in your config, per code in #1 above. My RDS connection works via SSL with just the _CA option.

3. Sanity test that your connection is encrypted.

Add a quick test file to show whether the current Wordpress connection is using SSL or not. Create a sample file like this one called test.php, and put in your wordpress root or somewhere web accessible. Don't forget to remove this file when done testing.

<?php
require( dirname( __FILE__ ) . '/wp-blog-header.php' ); //EDIT THIS PATH SO IT IS CORRECT FOR YOUR test.php file relative to the wp-blog-header.php file
global $wpdb;
$row = $wpdb->get_row( "SHOW STATUS LIKE 'Ssl_cipher'" );
var_dump($row);

/*
If you are connected over SSL this should output something like:
object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(10) "AES256-SHA" }

If you are NOT connected over SSL this should output something like:
object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(10) "" }

*/
?>

4. Deploy and test your connection

Deploy your changes & test.php file to your wordpress installation, and restart your web server as needed. I'm using apache, so I run

sudo apachectl restart

Tumultuous answered 1/5, 2015 at 21:43 Comment(3)

This worked perfectly on Microsoft Azure, connecting to Amazon RDS as an alternative to ClearDB. – Perimeter 9/3, 2016 at 11:36

Is the constant MYSQL_CLIENT_SSL or MYSQLI_CLIENT_SSL? I think MYSQLI_CLIENT_SSL is working for me. – Hittel 16/11, 2017 at 17:11

@xpander001 2.5 years ago when I posted, there was no I in the variable name, but I've seen other online references that do mention the I, so likely it's a newer version. – Tumultuous 17/11, 2017 at 3:50

For anyone one is using Redhat 7 + Apache 2.4 + PHP 7. I was facing same issue, so added below two lines into the wp-config.php as mentioned above.

define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT ); // you need this for PHP 7 define('MYSQL_SSL_CA', '/var/www/BaltimoreCyberTrustRoot.crt.pem');

However was still not able to connect to DB...

So called one guy and he asked me to disable the Selinux by running following command:

setsebool -P httpd_can_network_connect_db 1

I said, dude, i already disabled SELinux why i need to run this again? He screamed to me: I DON'T KNOW, JUST RUN IT!

so i did and restarted the httpd, and it worked without changing wp-db.php... dont ask me why as i totally have no idea abpit the logic behind this neither.

Monometallism answered 31/7, 2018 at 12:42 Comment(0)

Recommended topics

Hot tags