Oct 12, 2017

Google, IBM and others launch an open-source API for keeping tabs on software supply chains

Thanks to containers and microservices, the way we are building software is changing. But you probably still want to know who built a given container and what’s running in it. To get a handle on this, Google, IBM and others today announced Grafeas, a new joint open-source project that provides users with a standardized way for auditing and governing their software supply chain.

Oct 03, 2017

Who are you? Google Cloud releases custom identities Beta

Figuring out who can access services across a platform as varied as Google Cloud can be a challenge for IT administrators. Google has done a lot of the work for you with a set of fairly granular pre-defined roles, but recognizing that canned roles won’t suit everyone’s needs, the company announced a Beta of custom roles today. As the name implies, administrators can define roles…

Oct 03, 2017

Intel introduces IoT provisioning solution to help install devices automatically

Chipmaker Intel wants a piece of the growing Internet of Things market and they have developed the Intel Secure Device solution to help companies provision IoT devices in a secure and automated way.
Dipti Vachani, vice president and general manager for the Internet of Things Group at Intel, says we hear that 50 billion IoT devices will be deployed by 2020, but there is a gap between that…

Sep 28, 2017

BlackBerry, yes BlackBerry, is making a comeback as a software company

When you think about dead companies walking, BlackBerry was clearly one that came to mind, but under the leadership of CEO John Chen, the company is actually making a comeback as a software company focused on security, and its latest quarterly earnings report suggests the pivot is working splendidly. The company reported revenue of $249 million, which shattered analyst’s…

Sep 28, 2017

Three-year old startup Vera scores huge deal to protect all of GE’s IP

When Box landed GE as a customer in 2014, it marked a turning point for the cloud content management company, giving them momentum ahead of their IPO. Three years later, Vera, a data rights management startup, is getting a similar feeling, announcing GE’s 300,000 employees would be using Vera to protect the company’s intellectual property as it moved through the world. “This…

Sep 27, 2017

Onfido raises $30M more for its AI-based identity verification technology

Malicious hackers and security breaches that have exposed personal information of millions of people have pushed the issue of online security into the spotlight, not just for individuals but for organizations that do business with them. Now a company called Onfido, which has built a way to help websites verify people’s identities using a photo-based identity document, a selfie and…

Sep 25, 2017

Microsoft looks to the cloud to expand its security offerings

Ignite is Microsoft’s main annual conference for bringing together its enterprise users and IT community. It’s no surprise then that security is one of the main topics at the event, with almost 150 sessions dedicated to the topic. And just as unsurprisingly, Microsoft is also using the event to announce a number of new security features, largely around its Microsoft 365 offerings.…

Sep 24, 2017

SAP buys customer identity management firm Gigya for $350M

SAP, the German enterprise software giant, today announced an acquisition to strengthen its hybris e-commerce division. It has acquired Gigya, a firm that helps online properties manage customer identities and profiles. Terms of the deal have not been disclosed officially, but our sources tell us it is for $350 million. This was the same figure that was reported yesterday when the news leaked…

Sep 19, 2017

ProxySQL Improves MySQL SSL Connections

In this blog post, we’ll look at how ProxySQL improves MySQL SSL connection performance.

When deploying MySQL with SSL, the main concern is that the initial handshake causes significant overhead if you are not using connection pools (i.e., mysqlnd-mux with PHP, mysql.connector.pooling in Python, etc.). Closing and making new connections over and over can greatly impact your total query response time. A customer and colleague recently educated me that although you can improve SSL encryption/decryption performance with the AES-NI hardware extension on modern Intel processors, the actual overhead when creating SSL connections comes from the handshake when multiple roundtrips between the server and client are needed.

With ProxySQL’s support for SSL on its backend connections and connection pooling, we can have it sit in front of any application, on the same server (illustrated below):

[Image: ProxySQL]

With this setup, ProxySQL runs on the same server as the application, which connects to it through a local socket. MySQL data does not need to go through the TCP stream unsecured.
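One way to configure the setup described above, as an added example that is not from the original post. It reuses the 192.168.56.110 server address and the percona account from the test script below; hostgroup 0, the `'%'` host pattern and the default admin port 6032 are assumptions.

```sql
-- Added example; hostgroup 0 and the '%' host pattern are assumptions.

-- 1. On the ProxySQL admin interface (port 6032 by default) -----------------

-- Backend MySQL server. use_ssl = 1 makes ProxySQL negotiate SSL on the
-- pooled connections it opens to this server.
INSERT INTO mysql_servers (hostgroup_id, hostname, port, use_ssl)
VALUES (0, '192.168.56.110', 3306, 1);

-- Account the application presents to ProxySQL.
INSERT INTO mysql_users (username, password, default_hostgroup)
VALUES ('percona', 'percona', 0);

-- Listen only on loopback and the local socket, so application traffic
-- never leaves the host unencrypted.
SET mysql-interfaces = '127.0.0.1:6033;/tmp/proxysql.sock';

LOAD MYSQL SERVERS TO RUNTIME;
SAVE MYSQL SERVERS TO DISK;
LOAD MYSQL USERS TO RUNTIME;
SAVE MYSQL USERS TO DISK;
-- mysql-interfaces is read at startup: save it, then restart ProxySQL.
SAVE MYSQL VARIABLES TO DISK;

-- 2. On the MySQL server ----------------------------------------------------

-- Refuse any connection for this account that is not encrypted, so a
-- misconfigured proxy or a direct client fails instead of falling back
-- to plaintext.
ALTER USER 'percona'@'%' REQUIRE SSL;

-- 3. Verification, on the MySQL server --------------------------------------

-- List the cipher in use for every client session. Sessions opened by
-- ProxySQL should show a non-empty ssl_cipher.
SELECT t.PROCESSLIST_USER  AS user,
       t.PROCESSLIST_HOST  AS host,
       s.VARIABLE_VALUE    AS ssl_cipher
FROM performance_schema.status_by_thread AS s
JOIN performance_schema.threads AS t ON t.THREAD_ID = s.THREAD_ID
WHERE s.VARIABLE_NAME = 'Ssl_cipher'
  AND t.PROCESSLIST_USER = 'percona';
```

An empty `ssl_cipher` value for a session means that connection is not encrypted.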

To quickly verify how this performs, I used a PHP script that simply creates 10k connections in a single thread as fast as it can:

<?php
// Open and close 10,000 connections one after another in a single thread.
$i = 10000;
$user = 'percona';
$pass = 'percona';
while ($i > 0) {
	$mysqli = mysqli_init();
	// Leave exactly one connect call uncommented; the "or die" line below completes it.
	// Use SSL
	//$link = mysqli_real_connect($mysqli, "192.168.56.110", $user, $pass, "", 3306, "", MYSQLI_CLIENT_SSL)
	// No SSL
	//$link = mysqli_real_connect($mysqli, "192.168.56.110", $user, $pass, "", 3306 )
	// OpenVPN
	//$link = mysqli_real_connect($mysqli, "10.8.99.1",      $user, $pass, "", 3306 )
	// ProxySQL (local socket)
	$link = mysqli_real_connect($mysqli, "localhost",      $user, $pass, "", 6033, "/tmp/proxysql.sock")
		or die(mysqli_connect_error());
	$info = mysqli_get_host_info($mysqli);
	$i--;
	mysqli_close($mysqli);
	unset($mysqli);
}
?>

Direct connection to MySQL, no SSL:

[root@ad ~]# time php php-test.php
real 0m20.417s
user 0m0.201s
sys 0m3.396s

Direct connection to MySQL with SSL:

[root@ad ~]# time php php-test.php
real	1m19.922s
user	0m29.933s
sys	0m9.550s

Direct connection to MySQL, no SSL, with OpenVPN tunnel:

[root@ad ~]# time php php-test.php
real 0m15.161s
user 0m0.493s
sys 0m0.803s

Now, using ProxySQL via the local socket file:

[root@ad ~]# time php php-test.php
real	0m2.791s
user	0m0.402s
sys	0m0.436s

Below is a graph of these numbers:

[Image: ProxySQL]

As you can see, the difference between SSL and no SSL performance overhead is about 400% – pretty bad for some workloads.

Connections through OpenVPN are also better than MySQL without SSL. While this is interesting, the OpenVPN server needs to be deployed on another server, separate from the MySQL server and application. This approach allows the application servers and MySQL servers (including replica/cluster nodes) to communicate on the same secured network, but creates a single point of failure. Alternatively, deploying OpenVPN on the MySQL server means that, if you have an additional high availability layer in place, it gets quite complicated when a new master is promoted. In short, OpenVPN adds many additional moving parts.

The beauty with ProxySQL is that you can just run it from all application servers and it works fine if you simply point it to a VIP that directs it to the correct MySQL server (master), or use the replication group feature to identify the authoritative master.

Lastly, it is important to note that these tests were done on CentOS 7.3 with OpenSSL 1.0.1e, Percona Server for MySQL 5.7.19, ProxySQL 1.4.1, PHP 5.4 and OpenVPN 2.4.3.

Happy ProxySQLing!

Sep 19, 2017

Threat Stack snares $45 million investment as spotlight shines brightly on security

Threat Stack, the Boston-based security startup that helps companies stay protected in the cloud, reeled in a $45 million investment today. It seems that they are in the right place at the right time as news of the Equifax breach swirls on mainstream media. The round includes a big institutional backer, as fellow Boston firm Fidelity Investments participated through their investment arm,…
