I was trying to set up Anonaddy docker to use PlanetScale as a serverless MySQL database.
PlanetScale only allows connections using TLS, since such connections are made via the public Internet.
I went through the PlanetScale account and database setup.
Then I checked the instructions for connecting via Laravel, which I understand is the framework used by Anonaddy to interact with the DB.
The instructions say that I need to set the following environment variables:
When I get the Laravel connection string for the actual DB I created on PlanetScale, the same variables are provided, apart from:
MYSQL_ATTR_SSL_CA=/etc/ssl/certs/ca-certificates.crt
The different values depend on the underlying Linux distribution, according to the docs.
These variables happen to be the same already in use by the Anonaddy docker image, except for MYSQL_ATTR_SSL_CA.
So I added
MYSQL_ATTR_SSL_CA=/etc/ssl/certs/ca-certificates.crt
to my Anonaddy docker compose file.
When I run the Anonaddy docker container, with APP_DEBUG=true, I see the following logs:
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-env: executing...
[cont-init.d] 00-env: exited 0.
[cont-init.d] 00-fix-logs.sh: executing...
[cont-init.d] 00-fix-logs.sh: exited 0.
[cont-init.d] 01-fix-uidgid.sh: executing...
[cont-init.d] 01-fix-uidgid.sh: exited 0.
[cont-init.d] 02-fix-perms.sh: executing...
Fixing perms...
[cont-init.d] 02-fix-perms.sh: exited 0.
[cont-init.d] 10-config.sh: executing...
Setting timezone to Europe/Rome...
Initializing files and folders
Checking database connection...
Waiting 60s for database to be ready...
ERROR: Failed to connect to database on eu-central.connect.psdb.cloud
[cont-init.d] 10-config.sh: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
Browsing through 10-config.sh I can see at line 48 https://github.com/anonaddy/docker/blob/f5b38721ac0b4ca9965924cc937bb35a4c9761d6/rootfs/etc/cont-init.d/10-config.sh#L48 the command used to connect to MySQL is:
mysql -h ${DB_HOST} -P ${DB_PORT} -u "${DB_USERNAME}" "-p${DB_PASSWORD}"
According to PlanetScale docs the connection via MySQL CLI requires the following additional parameters:
mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=/etc/ssl/certs/ca-certificates.crt
where the value of --ssl-ca is the same as the MYSQL_ATTR_SSL_CA env variable.
It would be great if Anonaddy Docker added support for TLS connections to the MySQL server (not necessarily only for PlanetScale, but for any MySQL server).
Potentially this could be achieved by adding support for the following variable within the image:
SSL_MODE=DISABLED|PREFERRED|REQUIRED|VERIFY_CA|VERIFY_IDENTITY as per https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-mode
Then the mysql --ssl-ca=xxx --ssl-mode=yyy parameters and MYSQL_ATTR_SSL_CA (for Laravel) can be automatically populated by the init scripts according to the SSL_MODE value and using the most appropriate path to the system CA roots.
Having said this, I am not sure whether the actual Anonaddy app can already support TLS connections thanks to Laravel, provided MYSQL_ATTR_SSL_CA is correctly populated, or other changes are needed.
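The SSL_MODE proposal above, sketched as a shell helper for an init script. This is an added example, not code from the anonaddy/docker image or from the issue author; `db_ssl_args`, `find_ca_bundle`, `CA_CANDIDATES` and the list of CA bundle paths are assumptions, and it assumes a client that accepts the `--ssl-mode` and `--ssl-ca` flags quoted above.

```shell
#!/bin/sh
# Added example, not code from anonaddy/docker. SSL_MODE is the variable the
# issue proposes; function names and CA_CANDIDATES are hypothetical.

# Constructed list of common system CA bundle paths (override for other distros).
: "${CA_CANDIDATES:=/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/cert.pem}"

# Print the first readable CA bundle from CA_CANDIDATES; return 1 if none.
find_ca_bundle() {
  for f in $CA_CANDIDATES; do
    [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
  done
  return 1
}

# Print the mysql client TLS flags for a given SSL_MODE value.
# Verification modes fail closed: without a readable CA bundle the function
# returns 1 instead of falling back to an unverified connection.
db_ssl_args() {
  mode="${1:-PREFERRED}"   # PREFERRED is the MySQL client default
  case "$mode" in
    DISABLED|PREFERRED|REQUIRED)
      printf '%s\n' "--ssl-mode=$mode"
      ;;
    VERIFY_CA|VERIFY_IDENTITY)
      # An explicitly set MYSQL_ATTR_SSL_CA wins over auto-detection.
      ca="${MYSQL_ATTR_SSL_CA:-}"
      [ -n "$ca" ] || ca="$(find_ca_bundle)" || ca=""
      if [ ! -r "$ca" ]; then
        echo "ERROR: SSL_MODE=$mode needs a readable CA bundle" >&2
        return 1
      fi
      printf '%s\n' "--ssl-mode=$mode --ssl-ca=$ca"
      ;;
    *)
      echo "ERROR: unsupported SSL_MODE '$mode'" >&2
      return 1
      ;;
  esac
}

# Intended use in the connection check (flags are left unquoted on purpose
# so they split into two arguments):
#   tls_args="$(db_ssl_args "${SSL_MODE:-}")" || exit 1
#   mysql -h "${DB_HOST}" -P "${DB_PORT}" -u "${DB_USERNAME}" "-p${DB_PASSWORD}" $tls_args
```

An init script using this could also export the detected path as MYSQL_ATTR_SSL_CA so the application's connection trusts the same roots as the CLI check.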