ProxyServer(3)
NAME
DBI::ProxyServer - a server for the DBD::Proxy driver
SYNOPSIS
use DBI::ProxyServer;
DBI::ProxyServer::main(@ARGV);
DESCRIPTION
DBI::Proxy Server is a module for implementing a proxy for the DBI
proxy driver, DBD::Proxy. It allows access to databases over the net-
work if the DBMS does not offer networked operations. But the proxy
server might be usefull for you, even if you have a DBMS with inte-
grated network functionality: It can be used as a DBI proxy in a fire-
walled environment.
DBI::ProxyServer runs as a daemon on the machine with the DBMS or on
the firewall. The client connects to the agent using the DBI driver
DBD::Proxy, thus in the exactly same way than using DBD::mysql,
DBD::mSQL or any other DBI driver.
The agent is implemented as a RPC::PlServer application. Thus you have
access to all the possibilities of this module, in particular encryp-
tion and a similar configuration file. DBI::ProxyServer adds the possi-
bility of query restrictions: You can define a set of queries that a
client may execute and restrict access to those. (Requires a DBI driver
that supports parameter binding.) See "CONFIGURATION FILE".
The provided driver script, dbiproxy(1), may either be used as it is or
used as the basis for a local version modified to meet your needs.
OPTIONS
When calling the DBI::ProxyServer::main() function, you supply an array
of options. (@ARGV, the array of command line options is used, if you
don't.) These options are parsed by the Getopt::Long module. The Prox-
yServer inherits all of RPC::PlServer's and hence Net::Daemon's options
and option handling, in particular the ability to read options from
either the command line or a config file. See RPC::PlServer(3). See
Net::Daemon(3). Available options include
chroot (--chroot=dir)
(UNIX only) After doing a bind(), change root directory to the
given directory by doing a chroot(). This is usefull for security,
but it restricts the environment a lot. For example, you need to
load DBI drivers in the config file or you have to create hard
links to Unix sockets, if your drivers are using them. For example,
with MySQL, a config file might contain the following lines:
my $rootdir = '/var/dbiproxy';
my $unixsockdir = '/tmp';
my $unixsockfile = 'mysql.sock';
foreach $dir ($rootdir, "$rootdir$unixsockdir") {
mkdir 0755, $dir;
}
link("$unixsockdir/$unixsockfile",
"$rootdir$unixsockdir/$unixsockfile");
require DBD::mysql;
{
'chroot' => $rootdir,
...
}
If you don't know chroot(), think of an FTP server where you can
see a certain directory tree only after logging in. See also the
--group and --user options.
clients
An array ref with a list of clients. Clients are hash refs, the
attributes accept (0 for denying access and 1 for permitting) and
mask, a Perl regular expression for the clients IP number or its
host name. See "Access control" below.
configfile (--configfile=file)
Config files are assumed to return a single hash ref that overrides
the arguments of the new method. However, command line arguments in
turn take precedence over the config file. See the "CONFIGURATION
FILE" section below for details on the config file.
debug (--debug)
Turn debugging mode on. Mainly this asserts that logging messages
of level "debug" are created.
facility (--facility=mode)
(UNIX only) Facility to use for "Sys::Syslog (3)". The default is
daemon.
group (--group=gid)
After doing a bind(), change the real and effective GID to the
given. This is usefull, if you want your server to bind to a priv-
ileged port (<1024), but don't want the server to execute as root.
See also the --user option.
GID's can be passed as group names or numeric values.
localaddr (--localaddr=ip)
By default a daemon is listening to any IP number that a machine
has. This attribute allows to restrict the server to the given IP
number.
localport (--localport=port)
This attribute sets the port on which the daemon is listening. It
must be given somehow, as there's no default.
logfile (--logfile=file)
Be default logging messages will be written to the syslog (Unix) or
to the event log (Windows NT). On other operating systems you need
to specify a log file. The special value "STDERR" forces logging to
stderr. See Net::Daemon::Log(3) for details.
mode (--mode=modename)
The server can run in three different modes, depending on the envi-
ronment.
If you are running Perl 5.005 and did compile it for threads, then
the server will create a new thread for each connection. The thread
will execute the server's Run() method and then terminate. This
mode is the default, you can force it with "--mode=threads".
If threads are not available, but you have a working fork(), then
the server will behave similar by creating a new process for each
connection. This mode will be used automatically in the absence of
threads or if you use the "--mode=fork" option.
Finally there's a single-connection mode: If the server has
accepted a connection, he will enter the Run() method. No other
connections are accepted until the Run() method returns (if the
client disconnects). This operation mode is usefull if you have
neither threads nor fork(), for example on the Macintosh. For
debugging purposes you can force this mode with "--mode=single".
pidfile (--pidfile=file)
(UNIX only) If this option is present, a PID file will be created
at the given location.
user (--user=uid)
After doing a bind(), change the real and effective UID to the
given. This is usefull, if you want your server to bind to a priv-
ileged port (<1024), but don't want the server to execute as root.
See also the --group and the --chroot options.
UID's can be passed as group names or numeric values.
version (--version)
Supresses startup of the server; instead the version string will be
printed and the program exits immediately.
CONFIGURATION FILE
The configuration file is just that of RPC::PlServer or Net::Daemon
with some additional attributes in the client list.
The config file is a Perl script. At the top of the file you may
include arbitraty Perl source, for example load drivers at the start
(usefull to enhance performance), prepare a chroot environment and so
on.
The important thing is that you finally return a hash ref of option
name/value pairs. The possible options are listed above.
All possibilities of Net::Daemon and RPC::PlServer apply, in particular
Host and/or User dependent access control
Host and/or User dependent encryption
Changing UID and/or GID after binding to the port
Running in a chroot() environment
Additionally the server offers you query restrictions. Suggest the fol-
lowing client list:
'clients' => [
{ 'mask' => '^admin\.company\.com$',
'accept' => 1,
'users' => [ 'root', 'wwwrun' ],
},
{
'mask' => '^admin\.company\.com$',
'accept' => 1,
'users' => [ 'root', 'wwwrun' ],
'sql' => {
'select' => 'SELECT * FROM foo',
'insert' => 'INSERT INTO foo VALUES (?, ?, ?)'
}
}
then only the users root and wwwrun may connect from admin.company.com,
executing arbitrary queries, but only wwwrun may connect from other
hosts and is restricted to
$sth->prepare("select");
or
$sth->prepare("insert");
which in fact are "SELECT * FROM foo" or "INSERT INTO foo VALUES (?, ?,
?)".
AUTHOR
Copyright (c) 1997 Jochen Wiedmann
Am Eisteich 9
72555 Metzingen
Germany
Email: joe@ispsoft.de
Phone: +49 7123 14881
The DBI::ProxyServer module is free software; you can redistribute it
and/or modify it under the same terms as Perl itself. In particular
permission is granted to Tim Bunce for distributing this as a part of
the DBI.
SEE ALSO
dbiproxy(1), DBD::Proxy(3), DBI(3), RPC::PlServer(3), RPC::PlClient(3),
Net::Daemon(3), Net::Daemon::Log(3), Sys::Syslog(3), Win32::Event-
Log(3), syslog(2)
perl v5.8.0 2002-12-01 DBI::ProxyServer(3)
Man(1) output converted with
man2html