Hide connection data (especially password)

I use an MS SQL Server connection on my website.
For greater security my client would not want the connection data in App_Data\ServerConnect\modules\Connections\filename.json to be readable, because the pages are located on an IIS of a potentially reachable location from outside.

I thought of two possibilities, but I can’t handle either:
- Use a DSN system connection on that Windows (but I don’t know how Wappler can interface with that type of connection)
- Ensure that the JSON file has encrypted data in it. I tried to tick the entry “Encrypt” in Database Connection, but then I have this error when I do the test and don’t know how to fix it.

errore_ENCRYPT

Can someone help me? Thank you

@Teodor @patrick is it possible to do that?
(not to allow an attacker to extract data from the json file)

Not a 100% solution but

  1. create the settings in the server connect settings under environment.

image

  2. define the env variables in Workflow globals

  3. change the database settings to the ENV variables

.json file will then read as pretty useless…

{
  "name": "db",
  "module": "dbconnector",
  "action": "connect",
  "options": {
    "client": "mysql2",
    "connection": {
      "host": "{{$_ENV.host}}",
      "port": "{{$_ENV.port}}",
      "user": "{{$_ENV.user}}",
      "password": "{{$_ENV.password}}",
      "database": "{{$_ENV.database}}"
    }
  }
}

although that still just shifts the issue to config.json I suppose but makes it a bit harder


I don’t find the screenshot as you indicated in Step 1 (Server Connection Settings)
My situation is:

Thank you. I’ve made some experiments, but when I do “test” I have an error of this kind.

error1

Please double check everything.

It would appear that the $_ENV.user definition is not set properly and hence is not being resolved to the user name.
Check your settings screen, ensure the settings are input for the correct target and ensure the ENV variables are set in the Workflows/Globals.

Obviously don’t show any settings here!

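A pre-deployment check for the approach in the two posts above, as an added example that is not part of the thread and not Wappler's own code: it flags connection fields that still hold a literal value instead of a `{{$_ENV.…}}` binding, and bindings whose variable is unset (the `$_ENV.user` situation described above). The function name, the sample values and the regular expression for the binding syntax are assumptions made for illustration.

```javascript
// CONSTRUCTED sample, modelled on the connection JSON shown in the thread.
// The password is deliberately left as a literal so the audit has something to find.
const sampleConnection = {
  name: "db", module: "dbconnector", action: "connect",
  options: { client: "mysql2", connection: {
    host: "{{$_ENV.host}}", port: "{{$_ENV.port}}", user: "{{$_ENV.user}}",
    password: "hunter2-constructed", database: "{{$_ENV.database}}",
  } },
};

// Assumed binding syntax: the whole value is exactly one {{$_ENV.NAME}} expression.
const ENV_BINDING = /^\{\{\s*\$_ENV\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}$/;

// Audits the top-level fields of options.connection (hypothetical helper).
// Returns:
//   literals - fields whose value is stored in the file itself
//   missing  - referenced environment variables that are unset or empty
function auditConnection(definition, env = process.env) {
  const connection = (definition.options && definition.options.connection) || {};
  const literals = [];
  const missing = [];
  for (const [field, value] of Object.entries(connection)) {
    const match = ENV_BINDING.exec(String(value));
    if (!match) {
      literals.push(field);      // secret or setting still readable in the JSON
    } else if (!env[match[1]]) {
      missing.push(match[1]);    // binding would resolve to nothing at runtime
    }
  }
  return { literals, missing };
}

// CONSTRUCTED environment: "user" is intentionally not defined.
const sampleEnv = { host: "127.0.0.1", port: "3306", database: "app" };

const report = auditConnection(sampleConnection, sampleEnv);
console.log("fields with literal values:", report.literals);
console.log("unset environment variables:", report.missing);
```

The check only confirms that the connection file carries no literal values; wherever the environment values are defined still needs its own file permissions.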

Sorry, my bad

Test will not work as the ENV variables are only available when the app is running. The test fails but it will work in the live environment.

see this

and this

I followed the instructions step by step and did all the tests.
It’s true that the test doesn’t work, but neither does the app.
However I do not think it is the right way for my case: with this procedure the password information would still be visible in config.json

error2

My project will run on an Internet Information Server (in localhost) of a pc, and then shared for access from the outside, protected by a firewall.
The customer is afraid that the login and password information can be discovered and the PC is vulnerable. If possible I would like at least the password information to be encrypted somehow

Interested, how does customer think the json file contents can be seen other than via a server hack which would render defences pointless anyway?


Have you considered using SSH for the connection? Will take a little configuration but definitely the most secure connection method.

@Hyperbytes
the customer is paranoid because on that pc there is also a connection to a network disk where there are other company data potentially at risk in case of hacking

If placing settings in a json file was a security risk then the entire node server platform would be useless. Only files in the public directory are accessible directly.
