The app should be able to connect to MySQL over TLS/SSL
User Story
There are several ways to implement a web application such as Xibo. In my particular setup, I already have MySQL infrastructure, and a cloud that can handle web applications. But Xibo is not set up to communicate with MySQL securely.
Additionally, you are unable to destroy the container and recreate it unless SQL is external. Otherwise, when you destroy the container, the data is gone.
In order to properly run the SQL server outside of the container, Xibo needs to be able to communicate with SQL over TLS/SSL. Otherwise, the only truly secure way to lock down Xibo is to either run SQL on the container itself, or to completely lock down the network it connects through.
I know this was suggested before, but I want to re-open the suggestion. Having SQL communicate securely should be a top priority to enhance the security of Xibo.
That isn’t the case. With our docker-compose files, data is preserved correctly.
Which is exactly what we do. We run a MySQL server on its own private network which only the CMS has access to, and where all communications are local so no TLS is required.
I will log an issue to investigate extra options for a secure connection, however, our supported and preferred method is using the suggested setup and so this is not a high priority for us.
We run a MySQL server on its own private network which only the CMS has access to, and where all communications are local so no TLS is required.
Right, but that forces deployment to fit into just your method of deployment. There are way more ways to deploy this application than just docker, as acknowledged by your documentation (CMS Installation), even if they aren’t ‘officially’ supported. But without network isolation, those installations will be insecure.
It seems silly to even allow connections to an external SQL database if you can’t support secure connections…