Using amazon RDS with WordPress over SSL
I am migrating our WordPress database to RDS, which is also used by other services in our infrastructure. But I couldn't find a configuration option for wp-config.php
where I could specify that SSL will be used when connecting to the server. This will also require a link to the certificate entitlement file provided by Amazon. The application server that WordPress is currently running is outside the AWS cluster.
The answers I could find were pretty old (I'm using WordPress 4.2 here) and don't provide much guidance.
How can I configure WordPress to use Amazon RDS over an SSL connection (with a public key)?
source to share
There was the same question. Fortunately, some other people have suggested a reasonable solution here: https://core.trac.wordpress.org/ticket/28625 . In the end, here's what I did to get SSL to work:
1. Add the following to your wordpress wp-includes / wp-db.php file. (except for the last two lines, which are for insert reference only)
//ADDED per https://core.trac.wordpress.org/ticket/28625
// call set_ssl if mysql client flag set and settings available
if ( $client_flags & MYSQL_CLIENT_SSL ) {
$pack = array( $this->dbh );
$call_set = false;
foreach( array( 'MYSQL_SSL_KEY', 'MYSQL_SSL_CERT', 'MYSQL_SSL_CA',
'MYSQL_SSL_CAPATH', 'MYSQL_SSL_CIPHER' ) as $opt_key ) {
$pack[] = ( defined( $opt_key ) ) ? constant( $opt_key ) : null;
$call_set |= defined( $opt_key );
}
/* Now if anything was packed - unpack into the function.
* Note this doesn't check if paths exist, as per the PHP doc
* at http://www.php.net/manual/en/mysqli.ssl-set.php: "This
* function always returns TRUE value. If SSL setup is incorrect
* mysqli_real_connect() will return an error ..."
*/
if ( $call_set ) { // SSL added here!
call_user_func_array( 'mysqli_ssl_set', $pack );
}
}//END ADD - below is the point above which to insert this
if ( WP_DEBUG ) {
mysqli_real_connect( $this->dbh, $host, $this->dbuser, $this->dbpassword, null, $port, $socket, $client_flags );
2. Customize the wordpress wp-config.php file.
Add and configure the following lines in your wp-config.php file. You can test them from development / staging as well as production if you have multiple conditions.
define('DB_HOST', 'rds-yourserver-abcdefghi9j.us-west-1.rds.amazonaws.com');
define('MYSQL_CLIENT_FLAGS', MYSQL_CLIENT_SSL);//This activates SSL mode
define('MYSQL_SSL_CA', '/file/path/to/your/aws/rds-combined-ca-bundle.pem');
Note that there are 5 MYSQL_SSL * settings available that you could use in your configuration for the code in # 1 above. My RDS connection works over SSL with the _CA option only.
3. A health check means your connection is encrypted.
Add a quick test file to show if the current Wordpress connection is using SSL or not. Create a sample file like this called test.php and put it in your wordpress root or somewhere accessible website. Remember to delete this file when testing is complete.
<?php
require( dirname( __FILE__ ) . '/wp-blog-header.php' ); //EDIT THIS PATH SO IT IS CORRECT FOR YOUR test.php file relative to the wp-blog-header.php file
global $wpdb;
$row = $wpdb->get_row( "SHOW STATUS LIKE 'Ssl_cipher'" );
var_dump($row);
/*
If you are connected over SSL this should output something like:
object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(10) "AES256-SHA" }
If you are NOT connected over SSL this should output something like:
object(stdClass)#116 (2) { ["Variable_name"]=> string(10) "Ssl_cipher" ["Value"]=> string(10) "" }
*/
?>
4. Expand and test the connection
Deploy your changes and test.php file to install Wordpress and restart your webserver if needed. I am using apache, so I am running
sudo apachectl restart
source to share