欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  IT编程

MySQL配置SSL主从复制

程序员文章站 2022-06-25 08:14:15
mysql5.6 创建ssl文件方法 官方文档: create clean environment mkdir /home/mysql/mysqlcerts && c...

mysql5.6 创建ssl文件方法

官方文档:

create clean environment

mkdir /home/mysql/mysqlcerts && cd /home/mysql/mysqlcerts

create ca certificate

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

create server certificate, remove passphrase, and sign it

server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -ca ca.pem -cakey ca-key.pem -set_serial 01 -out server-cert.pem

create client certificate, remove passphrase, and sign it

client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600  -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -ca ca.pem -cakey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -cafile ca.pem server-cert.pem client-cert.pem
server-cert.pem: ok
client-cert.pem: ok

mysql5.7 创建ssl文件方法

官方文档:

mkdir -p  /home/mysql/mysqlcerts
/usr/local/mysql-5.7.21-linux-glibc2.12-x86_64/bin/mysql_ssl_rsa_setup  --datadir=/home/mysql/mysqlcerts/

主库创建ssl后进行配置

从库 192.168.1.222

mkdir -p  /home/mysql/mysqlcerts

主库

chown -r mysql.mysql  /home/mysql/mysqlcerts/
scp ca.pem client-cert.pem client-key.pem root@192.168.1.222:/home/mysql/mysqlcerts/

主库授权

grant replication slave on *.* to identified by '' require ssl;

主库 my.cnf

#ssl
ssl-ca=/home/mysql/mysqlcerts/ca.pem
ssl-cert=/home/mysql/mysqlcerts/server-cert.pem
ssl-key=/home/mysql/mysqlcerts/server-key.pem

restart mysql

从库

chown -r mysql.mysql  /home/mysql/mysqlcerts/

my.cnf

ssl-ca=/home/mysql/mysqlcerts/ca.pem
ssl-cert= /home/mysql/mysqlcerts/client-cert.pem
ssl-key= /home/mysql/mysqlcerts/client-key.pem

创建复制:

change master to master_host='',master_user='',master_password='',master_log_file='mysql-bin.000001',master_log_pos=154,   master_ssl=1, master_ssl_ca='/home/mysql/mysqlcerts/ca.pem', master_ssl_cert='/home/mysql/mysqlcerts/client-cert.pem',  master_ssl_key='/home/mysql/mysqlcerts/client-key.pem' ,master_connect_retry=10;

验证:
主库配置ssl认证后,客户端默认以ssl方式登录

mysql -utest -h192.168.1.223 -ptest -p3307  

(该账号不论是否配置require ssl 均能登录)

不以ssl方式登录命令为:

mysql -utest -h192.168.1.223 -ptest -p3307 --ssl-mode=disabled   

(如该账号配置了require ssl 则无法登录)

上一篇: SQL Server数据库漏洞评估了解一下

下一篇: MySQL数据库之索引

推荐阅读