11_ProxySQL configuration: SSL_configuration
Note: this article was written between 2019-04 and 2019-05; later updates to the official GitHub wiki have not been incorporated.
SSL Support
一、SSL settings [SSL configuration for backends]
Starting with v1.2.0e, ProxySQL supports SSL connections to the backends. Attempting to configure SSL on an older version will fail.
1. Important notes:
1) In v1.x only backend SSL is supported. Before v2.x, clients cannot connect to ProxySQL over SSL.
2) Starting with v1.4.5, ProxySQL uses mariadb-connector-c-2.3.1 and therefore supports only SSL/TLSv1.0: https://mariadb.com/kb/en/library/mariadb-connector-c-300-release-notes/
3) ProxySQL v2.x uses mariadb-connector-c-3.0.2, which supports TLSv1.0, TLSv1.1 and TLSv1.2. This applies to both frontend and backend connections.
2. Preparation for enabling SSL
To enable SSL connections you need to:
1) set mysql_servers.use_ssl for every server that should be reached over SSL;
2) set the associated global variables (needed only in ProxySQL v1.x, not in v2.x).
3. Enabling SSL for a server
If the same server must be reachable both with and without SSL, configure it in two different hostgroups (one entry with use_ssl=1, one with use_ssl=0) and route traffic to them with query rules.
For example, to configure SSL on one server:
Admin> SELECT * FROM mysql_servers;
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| hostgroup_id | hostname  | port  | status | weight | compression | max_connections | max_replication_lag | use_ssl | max_latency_ms |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| 1            | 127.0.0.1 | 21891 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
| 2            | 127.0.0.1 | 21892 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
| 2            | 127.0.0.1 | 21893 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
3 rows in set (0.00 sec)
Admin> UPDATE mysql_servers SET use_ssl=1 WHERE port=21891;
Query OK, 1 row affected (0.00 sec)
Admin> SELECT * FROM mysql_servers;
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| hostgroup_id | hostname  | port  | status | weight | compression | max_connections | max_replication_lag | use_ssl | max_latency_ms |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| 1            | 127.0.0.1 | 21891 | ONLINE | 1      | 0           | 1000            | 0                   | 1       | 0              |
| 2            | 127.0.0.1 | 21892 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
| 2            | 127.0.0.1 | 21893 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
3 rows in set (0.00 sec)
Admin> LOAD MYSQL SERVERS TO RUNTIME;
Query OK, 0 rows affected (0.00 sec)
Admin> SELECT * FROM runtime_mysql_servers;
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| hostgroup_id | hostname  | port  | status | weight | compression | max_connections | max_replication_lag | use_ssl | max_latency_ms |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| 1            | 127.0.0.1 | 21891 | ONLINE | 1      | 0           | 1000            | 0                   | 1       | 0              |
| 2            | 127.0.0.1 | 21892 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
| 2            | 127.0.0.1 | 21893 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
3 rows in set (0.00 sec)
At this stage, in ProxySQL v1.x, connections to 127.0.0.1:21891 will still not use SSL, because no key and certificate have been configured yet; a non-SSL connection is established instead. In ProxySQL v2.x, if use_ssl=1 then all new connections use SSL right away, relying on the key/certificate the MySQL server itself provides (no client key/certificate has to be configured on the ProxySQL side first).
4. Configuring the key and certificate for SSL connections:
Admin> SELECT * FROM global_variables WHERE variable_name LIKE 'mysql%ssl%';
+--------------------+----------------+
| variable_name      | variable_value |
+--------------------+----------------+
| mysql-ssl_p2s_ca   | (null)         |
| mysql-ssl_p2s_cert | (null)         |
| mysql-ssl_p2s_key  | (null)         |
+--------------------+----------------+
3 rows in set (0.00 sec)
Admin> SET mysql-ssl_p2s_cert="/home/vagrant/newcerts/client-cert.pem";
Query OK, 1 row affected (0.00 sec)
Admin> SET mysql-ssl_p2s_key="/home/vagrant/newcerts/client-key.pem";
Query OK, 1 row affected (0.00 sec)
Admin> SELECT * FROM global_variables WHERE variable_name LIKE 'mysql%ssl%';
+--------------------+----------------------------------------+
| variable_name      | variable_value                         |
+--------------------+----------------------------------------+
| mysql-ssl_p2s_ca   | (null)                                 |
| mysql-ssl_p2s_cert | /home/vagrant/newcerts/client-cert.pem |
| mysql-ssl_p2s_key  | /home/vagrant/newcerts/client-key.pem  |
+--------------------+----------------------------------------+
3 rows in set (0.01 sec)
Admin> LOAD MYSQL VARIABLES TO RUNTIME;
Query OK, 0 rows affected (0.00 sec)
After this, all new connections to 127.0.0.1:21891 use SSL.
Note that mysql-ssl_p2s_ca is still (null) in this example: ProxySQL presents its client certificate, but it has no trust anchor to check the backend's server certificate against, so the link is encrypted but the backend is not authenticated. For a production setup also point mysql-ssl_p2s_ca at the CA certificate that signed the MySQL server's certificate, keep client-key.pem readable only by the user ProxySQL runs as, and run SAVE MYSQL VARIABLES TO DISK (and SAVE MYSQL SERVERS TO DISK for the use_ssl change), otherwise the settings are lost at the next restart.
5. Verification
To verify that SSL works between ProxySQL and MySQL, and to see which SSL cipher suite the ProxySQL-to-MySQL connection negotiated, run SHOW SESSION STATUS LIKE "Ssl_cipher" through ProxySQL. The statement is forwarded to the backend, so the value reported is the cipher of the backend session, not of the client-to-ProxySQL connection; an empty Value means the backend connection is still in clear text.
For example:
mysql -h127.0.0.1 -P6033 -uroot -psecret -e 'SHOW SESSION STATUS LIKE "Ssl_cipher"'
+---------------+----------------------+
| Variable_name | Value                |
+---------------+----------------------+
| Ssl_cipher    | ECDHE-RSA-AES256-SHA |
+---------------+----------------------+
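The backend procedure above, scripted end to end as an added example (this is not code from the page or from ProxySQL): it checks the key material, emits the Admin SQL (including mysql-ssl_p2s_ca, which the page's example leaves NULL, plus LOAD/SAVE), and parses the Ssl_cipher check so a clear-text backend session fails loudly. It assumes the Admin interface on 127.0.0.1:6032 with the default admin/admin credentials, and a hypothetical CA file /home/vagrant/newcerts/ca.pem that the page never names.

```sh
#!/bin/sh
# Added example, not code from the page or from ProxySQL: script the backend
# SSL steps against the ProxySQL Admin interface and check the result.
# Assumptions: Admin listens on 127.0.0.1:6032 as admin/admin (ProxySQL
# defaults); /home/vagrant/newcerts/ca.pem is a hypothetical CA file that
# signed the backend MySQL server certificate (the page never names one).

ADMIN_HOST="${ADMIN_HOST:-127.0.0.1}"
ADMIN_PORT="${ADMIN_PORT:-6032}"
ADMIN_USER="${ADMIN_USER:-admin}"
ADMIN_PASS="${ADMIN_PASS:-admin}"

# Refuse to point ProxySQL at key material that is missing or exposed: all
# three files must be readable and the private key must be mode 600 or 400.
check_cert_files() {
    cert="$1"; key="$2"; ca="$3"
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        ?00) return 0 ;;
        *)   echo "private key $key is mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# Admin SQL for one backend: flag the server, set the client cert/key, and
# set the CA so the backend's server certificate is checked against a trust
# anchor. LOAD ... TO RUNTIME activates the change, SAVE ... TO DISK keeps it.
build_backend_ssl_sql() {
    host="$1"; port="$2"; cert="$3"; key="$4"; ca="$5"
    cat <<EOF
UPDATE mysql_servers SET use_ssl=1 WHERE hostname='$host' AND port=$port;
SET mysql-ssl_p2s_cert='$cert';
SET mysql-ssl_p2s_key='$key';
SET mysql-ssl_p2s_ca='$ca';
LOAD MYSQL SERVERS TO RUNTIME;
LOAD MYSQL VARIABLES TO RUNTIME;
SAVE MYSQL SERVERS TO DISK;
SAVE MYSQL VARIABLES TO DISK;
EOF
}

# Parse the table printed by
#   mysql -t -h127.0.0.1 -P6033 -u... -e 'SHOW SESSION STATUS LIKE "Ssl_cipher"'
# (-t forces table output when stdout is not a terminal). The query is
# forwarded to the backend, so the value is the cipher of the ProxySQL-to-MySQL
# session. Prints the cipher; fails when Value is empty (clear-text backend).
ssl_cipher_from_status() {
    cipher=$(printf '%s\n' "$1" |
        awk -F'|' '$2 ~ /Ssl_cipher/ { gsub(/^[ \t]+|[ \t]+$/, "", $3); print $3 }')
    [ -n "$cipher" ] || { echo "Ssl_cipher is empty: backend connection is not using SSL" >&2; return 1; }
    printf '%s\n' "$cipher"
}

apply_backend_ssl() {
    check_cert_files "$3" "$4" "$5" || return 1
    build_backend_ssl_sql "$@" |
        mysql -h"$ADMIN_HOST" -P"$ADMIN_PORT" -u"$ADMIN_USER" -p"$ADMIN_PASS"
}

# Constructed sample of the verification output, matching the page's example.
SAMPLE_STATUS='+---------------+----------------------+
| Variable_name | Value                |
+---------------+----------------------+
| Ssl_cipher    | ECDHE-RSA-AES256-SHA |
+---------------+----------------------+'

if [ "${1:-}" = "--apply" ]; then
    apply_backend_ssl 127.0.0.1 21891 \
        /home/vagrant/newcerts/client-cert.pem \
        /home/vagrant/newcerts/client-key.pem \
        /home/vagrant/newcerts/ca.pem
    status=$(mysql -t -h127.0.0.1 -P6033 -uroot -psecret -e 'SHOW SESSION STATUS LIKE "Ssl_cipher"')
    ssl_cipher_from_status "$status"
else
    ssl_cipher_from_status "$SAMPLE_STATUS"
fi
```

Run it with --apply on the ProxySQL host; without arguments it only parses the constructed sample. Because Ssl_cipher comes from the backend session, the check is meaningful in v1.x as well, where the client-to-ProxySQL hop is always clear text.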
二、[SSL configuration for frontends]
Available since 2.0, but disabled by default.
1. Configuration overview
To enable SSL for frontend connections, set mysql-have_ssl = true. Once this variable is enabled, ProxySQL automatically generates the following files in its datadir (/var/lib/proxysql):
proxysql-ca.pem
proxysql-cert.pem
proxysql-key.pem
Note: if you want to use your own pre-existing configuration, you can replace these files with your own; keep proxysql-key.pem readable only by the user ProxySQL runs as. The generated certificate is self-signed, so a client that verifies the server certificate needs proxysql-ca.pem (or your own CA) as its trust anchor.
Also note that after setting mysql-have_ssl = true and running LOAD MYSQL VARIABLES TO RUNTIME, only new connections use SSL; existing sessions are not affected. Enabling the variable makes SSL available, it does not by itself force clients to use it, so a client that does not ask for SSL still connects in clear text; enforce it on the client side where that matters.
To verify that SSL works and to check which SSL cipher suite is used between the MySQL client and ProxySQL, connect to ProxySQL and run the \s command.
For example:
mysql -h127.0.0.1 -P6033 -uroot -psecret -e'\s' | grep -P 'SSL|Connection'
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Connection:             127.0.0.1 via TCP/IP
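Replacing the generated files with your own, as an added example (not code from the page or from ProxySQL): it builds a private CA and a CA-signed server certificate in the file layout the page names, checks that the chain verifies and that the leaf carries the expected name, and emits the Admin SQL that enables mysql-have_ssl. It assumes the openssl CLI, the datadir /var/lib/proxysql, the Admin interface on 127.0.0.1:6032 as admin/admin, and a hypothetical hostname proxysql.example for the certificate.

```sh
#!/bin/sh
# Added example, not code from the page or from ProxySQL: build your own
# CA-signed key/certificate pair in the datadir layout the page describes,
# check it, and emit the Admin SQL that turns frontend SSL on.
# Assumptions: openssl CLI installed; datadir /var/lib/proxysql; Admin on
# 127.0.0.1:6032 as admin/admin; proxysql.example is a hypothetical name.

DATADIR="${DATADIR:-/var/lib/proxysql}"
PROXY_NAME="${PROXY_NAME:-proxysql.example}"

# Create a private CA and a server certificate signed by it in $1, issued for
# name $2, valid for $3 days. umask 077 keeps both keys from ever being
# world-readable, even between creation and chmod. Extensions go through an
# extfile so the same command works on OpenSSL 1.0.x, 1.1.1 and 3.x.
# In a real deployment keep ca-key.pem off the proxy host.
make_frontend_certs() {
    dir="$1"; name="${2:-$PROXY_NAME}"; days="${3:-365}"
    mkdir -p "$dir" || return 1
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -sha256 \
            -subj "/CN=proxysql-local-ca" \
            -keyout "$dir/ca-key.pem" -out "$dir/proxysql-ca.pem" >/dev/null 2>&1 || exit 1
        openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
            -keyout "$dir/proxysql-key.pem" -out "$dir/proxysql.csr" >/dev/null 2>&1 || exit 1
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$name" > "$dir/san.cnf"
        openssl x509 -req -days "$days" -sha256 -in "$dir/proxysql.csr" \
            -CA "$dir/proxysql-ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
            -extfile "$dir/san.cnf" -out "$dir/proxysql-cert.pem" >/dev/null 2>&1 || exit 1
    ) || return 1
    # Certificates are public; only the keys stay private.
    chmod 644 "$dir/proxysql-ca.pem" "$dir/proxysql-cert.pem"
    rm -f "$dir/proxysql.csr" "$dir/san.cnf"
}

# The checks a verifying client will do later, done now: the leaf chains to
# the CA and carries the expected name in its subjectAltName.
verify_frontend_certs() {
    dir="$1"; name="${2:-$PROXY_NAME}"
    openssl verify -CAfile "$dir/proxysql-ca.pem" "$dir/proxysql-cert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/proxysql-cert.pem" -noout -text | grep -q "DNS:$name"
}

# Admin SQL that enables frontend SSL and persists the setting.
enable_frontend_ssl_sql() {
    cat <<'EOF'
SET mysql-have_ssl='true';
LOAD MYSQL VARIABLES TO RUNTIME;
SAVE MYSQL VARIABLES TO DISK;
EOF
}

if [ "${1:-}" = "--apply" ]; then
    make_frontend_certs "$DATADIR" "$PROXY_NAME" \
        && verify_frontend_certs "$DATADIR" "$PROXY_NAME" \
        && chown proxysql:proxysql "$DATADIR"/proxysql-*.pem \
        && enable_frontend_ssl_sql | mysql -h127.0.0.1 -P6032 -uadmin -padmin
    # ProxySQL reads the files when it starts: restart it after swapping them.
    # Then make a client insist on TLS and on this CA (MySQL 5.7+ client):
    #   mysql -h127.0.0.1 -P6033 -uroot -psecret --ssl-mode=VERIFY_CA \
    #       --ssl-ca="$DATADIR/proxysql-ca.pem" -e '\s' | grep SSL
fi
```

The verify step is what a client with --ssl-mode=VERIFY_CA (or --ssl-verify-server-cert with the MariaDB client) will repeat at connect time; a hostname that is not in the SAN, or a leaf signed by a different CA, fails it here before ProxySQL ever serves the certificate.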
2. Supported protocols
SSLv2
SSLv3
TLSv1
TLSv1.1
TLSv1.2
Note that SSLv2 and SSLv3 are broken and have been formally deprecated (RFC 6176 and RFC 7568), and TLSv1.0/1.1 are only worth keeping for old clients; where the clients allow it, negotiate TLSv1.2.
3. Supported cipher suites
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
DES-CBC3-SHA
Of these, only the DHE-RSA-* suites provide forward secrecy, and DES-CBC3-SHA (3DES) is a legacy suite that should not be relied on in new deployments; prefer the DHE-RSA-AES*-GCM-SHA* suites whenever the clients support them.

Done!