dbi::proxyserver(3)
NAME
DBI::ProxyServer - a server for the DBD::Proxy driver
SYNOPSIS
use DBI::ProxyServer; DBI::ProxyServer::main(@ARGV);
DESCRIPTION
DBI::Proxy Server is a module for implementing a proxy for
the DBI proxy driver, DBD::Proxy. It allows access to
databases over the network if the DBMS does not offer net
worked operations. But the proxy server might be usefull
for you, even if you have a DBMS with integrated network
functionality: It can be used as a DBI proxy in a fire
walled environment.
DBI::ProxyServer runs as a daemon on the machine with the
DBMS or on the firewall. The client connects to the agent
using the DBI driver DBD::Proxy, thus in the exactly same
way than using DBD::mysql, DBD::mSQL or any other DBI
driver.
The agent is implemented as a RPC::PlServer application.
Thus you have access to all the possibilities of this mod
ule, in particular encryption and a similar configuration
file. DBI::ProxyServer adds the possibility of query
restrictions: You can define a set of queries that a
client may execute and restrict access to those. (Requires
a DBI driver that supports parameter binding.) See "CON
FIGURATION FILE".
OPTIONS
When calling the DBI::ProxyServer::main() function, you
supply an array of options. (@ARGV, the array of command
line options is used, if you don't.) These options are
parsed by the Getopt::Long module. The ProxyServer inher
its all of RPC::PlServer's and hence Net::Daemon's options
and option handling, in particular the ability to read
options from either the command line or a config file. See
RPC::PlServer(3). See Net::Daemon(3). Available options
include
- chroot (--chroot=dir)
- (UNIX only) After doing a bind(), change root direc
tory to the given directory by doing a chroot(). This is usefull for security, but it restricts the environ
ment a lot. For example, you need to load DBI drivers
in the config file or you have to create hard links to
Unix sockets, if your drivers are using them. For
example, with MySQL, a config file might contain the
following lines:
my $rootdir = '/var/dbiproxy';
my $unixsockdir = '/tmp';
my $unixsockfile = 'mysql.sock';
foreach $dir ($rootdir, "$rootdir$unixsockdir") {mkdir 0755, $dir;}
link("$unixsockdir/$unixsockfile","$rootdir$unixsockdir/$unixsockfile");require DBD::mysql;{'chroot' => $rootdir,
...} - If you don't know chroot(), think of an FTP server
where you can see a certain directory tree only after
logging in. See also the --group and --user options. - clients
- An array ref with a list of clients. Clients are hash
refs, the attributes accept (0 for denying access and
1 for permitting) and mask, a Perl regular expression
for the clients IP number or its host name. See
"Access control" below. - configfile (--configfile=file)
- Config files are assumed to return a single hash ref
that overrides the arguments of the new method. How
ever, command line arguments in turn take precedence
over the config file. See the "CONFIGURATION FILE"
section below for details on the config file. - debug (--debug)
- Turn debugging mode on. Mainly this asserts that log
ging messages of level "debug" are created. - facility (--facility=mode)
- (UNIX only) Facility to use for "Sys::Syslog (3)". The
default is daemon. - group (--group=gid)
- After doing a bind(), change the real and effective
GID to the given. This is usefull, if you want your
server to bind to a privileged port (<1024), but don't
want the server to execute as root. See also the
--user option. - GID's can be passed as group names or numeric values.
- localaddr (--localaddr=ip)
- By default a daemon is listening to any IP number that
a machine has. This attribute allows to restrict the
server to the given IP number. - localport (--localport=port)
- This attribute sets the port on which the daemon is
listening. It must be given somehow, as there's no
default. - logfile (--logfile=file)
- Be default logging messages will be written to the
syslog (Unix) or to the event log (Windows NT). On
other operating systems you need to specify a log
file. The special value "STDERR" forces logging to
stderr. See Net::Daemon::Log(3) for details. - mode (--mode=modename)
- The server can run in three different modes, depending
on the environment. - If you are running Perl 5.005 and did compile it for
threads, then the server will create a new thread for
each connection. The thread will execute the server's
Run() method and then terminate. This mode is the
default, you can force it with "--mode=threads". - If threads are not available, but you have a working
fork(), then the server will behave similar by creat
ing a new process for each connection. This mode will
be used automatically in the absence of threads or if
you use the "--mode=fork" option. - Finally there's a single-connection mode: If the
server has accepted a connection, he will enter the
Run() method. No other connections are accepted until
the Run() method returns (if the client disconnects).
This operation mode is usefull if you have neither
threads nor fork(), for example on the Macintosh. For
debugging purposes you can force this mode with
"--mode=single". - pidfile (--pidfile=file)
- (UNIX only) If this option is present, a PID file will
be created at the given location. - user (--user=uid)
- After doing a bind(), change the real and effective
UID to the given. This is usefull, if you want your
server to bind to a privileged port (<1024), but don't
want the server to execute as root. See also the
--group and the --chroot options. - UID's can be passed as group names or numeric values.
- version (--version)
- Supresses startup of the server; instead the version
string will be printed and the program exits immedi
ately.
CONFIGURATION FILE
The configuration file is just that of RPC::PlServer or
Net::Daemon with some additional attributes in the client
list.
The config file is a Perl script. At the top of the file
you may include arbitraty Perl source, for example load
drivers at the start (usefull to enhance performance),
prepare a chroot environment and so on.
The important thing is that you finally return a hash ref
of option name/value pairs. The possible options are
listed above.
All possibilities of Net::Daemon and RPC::PlServer apply,
in particular
Host and/or User dependent access control
Host and/or User dependent encryption
Changing UID and/or GID after binding to the port
Running in a chroot() environment
- Additionally the server offers you query restrictions.
Suggest the following client list: - 'clients' => [
{ 'mask' => '^admin.company.com$','accept' => 1,
'users' => [ 'root', 'wwwrun' ],},
{'mask' => '^admin.company.com$',
'accept' => 1,
'users' => [ 'root', 'wwwrun' ],
'sql' => {'select' => 'SELECT * FROM foo',
'insert' => 'INSERT INTO foo VALUES (?, ?,?)'
}} - then only the users root and wwwrun may connect from
admin.company.com, executing arbitrary queries, but only
wwwrun may connect from other hosts and is restricted to
$sth->prepare("select");- or
$sth->prepare("insert");- which in fact are "SELECT * FROM foo" or "INSERT INTO foo
VALUES (?, ?, ?)".
AUTHOR
- Copyright (c) 1997 Jochen Wiedmann
- Am Eisteich 9
72555 Metzingen
Germany - Email: joe@ispsoft.de
Phone: +49 7123 14881 - The DBI::ProxyServer module is free software; you can
redistribute it and/or modify it under the same terms as
Perl itself. In particular permission is granted to Tim
Bunce for distributing this as a part of the DBI.