當mysql跨越互連網進行複製時別人可以竊取到mysql的複製資訊,這些資訊是明文的,因此存在不安全性,這裡通過ssl對複製的資訊進行加密。當在客戶沒有固定ip而要訪問伺服器時,mysql要允許任意地址的訪問,服務端和用戶端通過認證驗證可以防止暴力破解。
開始之前讓我們先來回顧一下SSL協議用戶端OpenSSL的安裝過程:
安裝openssl
mkdir /test/setupcd /test/setuptar zxvf openssl-0.9.8b.tar.gzcd openssl-0.9.8b./configmake && make install
開啟mysql中ssl功能
登入Mysql查看
mysql> show variables like '%ssl%';
+---------------+----------+ | Variable_name | Value | +---------------+----------+ | have_openssl | DISABLED | | have_ssl | DISABLED | | ssl_ca | | | ssl_capath | | | ssl_cert | | | ssl_cipher | | | ssl_key | | +---------------+----------+
如果mysql輸出如上所述,那麼繼續操作開啟ssl;如果不是,重新編譯安裝mysql,注意產生makefile時填寫參數正確。
退出mysql,編輯/etc/my.cnf
在[mysqld]和[mysqldump]之間,加入下列配置資訊:
ssl
儲存後重新啟動mysql,再次登入mysql
mysql -uroot -pmysql> show variables like '%ssl%';
+---------------+-------+ | Variable_name | Value | +---------------+-------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | | | ssl_capath | | | ssl_cert | | | ssl_cipher | | | ssl_key | | +---------------+-------+
好了,下面進入正題:
mysql基於ssl複製
1、建立認證中心
在主伺服器上建立認證中心
cd /etc/pki/CA
產生私密金鑰
(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
產生自簽認證,由於需要輸入大量使用者資訊,因此編輯認證的設定檔,在私人的CA上建立認證要注意所有的使用者資訊要和CA中的一致,從國家到部門都要相同,否則會造成認證無法使用
vim /etc/pki/tls/openssh.cnf
[ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CN countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrpovinceName_default = FJ localityName = Locality Name (eg,city) localityName = FZ O.organizationName = Organization Name (eg,company) O.organizationName_default = zdz organizationalUnitName = Organizational Unit Name (eg,section) organizationalUnitName_default = zdz
產生自簽認證
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
-x509是建立自簽認證是需要的參數,在建立其他認證時不能加該參數
由於是自簽認證因此要修改憑證路徑
vim /etc/pki/tls/openssl.cnf
[ CA_defalut ] dir = /etc/pki/CA certs = $dir/certs #存放產生認證的目錄 crl_dir = $dir/crl #存放吊銷認證的目錄 database = $dir/index.txt #認證的索引檔案 new_certs_dir = $dir_newcerts #新簽的認證目錄 serial = $dir/serial #序號 crl = $dir/crl.pem private_key = $dir/private/cakey.pem #認證中心私密金鑰檔案
建立認證編號
mkdir certs crl newcerts touch index.txt echo 00 > serial
2、為主伺服器建立認證
伺服器的名稱必須固定,在申請認證時要輸入伺服器名稱,認證和伺服器名稱對應
建立私密金鑰
mkdir /usr/local/mysql/ssl cd /usr/local/mysql/ssl (umask 077;openssl genrsa -out /usr/local/mysql/ssl/master.key 2048)
產生認證申請
openssl req -new -key master.key -out master.csr
在認證伺服器上對master的認證進行簽發
openssl ca -in master.csr -out master.crt -days 365
3、建立從伺服器憑證
(umask 077;openssl genrsa -out /usr/local/mysql/ssl/slave.key 2048) openssl req -new -key slave.key -out slave.csr
將從伺服器的認證申請檔案複製到認證伺服器上進行簽發
opessl ca -in slave.csr -out slave.crt -days 356
4、修改認證許可權和mysql設定檔
將認證的公開金鑰cacert.pem複製到主從伺服器的目錄下
cd /usr/local/mysql/ssl cp /etc/pki/CA/cacert.pem ./ chown -R mysql:mysql master.crt master.key cacert.pem chmod 600 master.crt master.key cacert.pem vim /usr/local/mysql/my.cnf ssl ssl_ca = /usr/local/mysql/ssl/cacrt.pem ssl_cert = /usr/local/mysql/ssl/master.crt ssl_key = /usr/local/mysql/ssl/master.key
修改從伺服器配置
cd /usr/local/mysql/ssl cp /etc/pki/CA/cacert.pem ./ chown -R mysql:mysql slave.crt slave.key cacert.pem chmod 600 slave.crt slave.key cacert.pem vim /usr/local/mysql/my.cnf ssl ssl_ca = /usr/local/mysql/ssl/cacrt.pem ssl_cert = /usr/local/mysql/ssl/slave.crt ssl_key = /usr/local/mysql/ssl/slave.key
5、在主伺服器上建立複製使用者
grant replication slave on *.* to slave@'192.168.216.133' identified by 'slave' requere ssl; flush privileges;
查看主伺服器當前二進位位置
mysql> show master status ;
+-------------------------+------------+---------------------+--------------------------+--------------------------+ | File | Position | Binlog_Do_DB | Binlog_Ignore_DB | Executed_Gtid_Set | +-------------------------+------------+---------------------+--------------------------+--------------------------+ | mysql-bin.000007 | 1015 | | | | +-------------------------+------------+---------------------+--------------------------+---------------------------+ 1 row in set (0.00 sec)
6、在從伺服器上開始複製
change master to master_host='192.168.216.132', master_user='slave', master_password='slave', master_log_file='mysql-bin.000007', master_log_pos=1015, master_ssl=1, master_ssl_ca=' /usr/local/mysql/ssl/cacrt.pem', master_ssl_cert='/usr/local/mysql/ssl/slave.crt', master_ssl_key='/usr/local/mysql/ssl/slave.key'; start slave;
查看狀態
錯誤1:
如果要確保認證沒有問題可以通過建立測試的使用者同ssl進行串連在主伺服器上開一個許可權很大的使用者,進行ssl的登入測試
grant all privileges on *.* to root@'192.168.216.133′ identified by ‘root' require ssl;[root@slave ssl]# mysql -uroot -proot -h192.168.216.133 –ssl-ca=cacrt.pem –ssl-cert=slave.crt –ssl-key=slave.key
Warning: Using a password on the command line interface can be insecure.ERROR 2026 (HY000): SSL connection error: ASN: before date in the future
這是由於虛擬時間不正確導致
如果這時候不使用ssl方式進行串連則會報出錯誤
[root@slave ssl]# mysql -uroot -proot -h192.168.216.133;
Warning: Using a password on the command line interface can be insecure.ERROR 1045 (28000): Access denied for user ‘root'@'192.168.216.132′ (using password: YES)
錯誤2:
在設定檔中添加認證配置後執行 show variables like ‘%ssl%'顯示
這是由於沒有將認證的屬主改為mysql,可以從日誌中得知是無許可權擷取私密金鑰
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
