標籤:mysql雙主 mysql加密複製 ssl openssl
主主mysql搭建我就不多敘述了
由於公司需求要基於公網的mysql主主複製,對資料隱私保護的要求極為嚴格,通過區域網路或廣域網路複製資料都需要加密,一般都是基於公網才做,需用到ssl隧道。廢話不多說
環境:Centos6.5
master1:192.168.1.10
master2: 192.168.1.30
查看是否開啟ssl
show variables like ‘%ssl%‘;
開啟ssl
vim /etc/my.cnf
[mysqld]
ssl
配置CA伺服器
vim /etc/pki/tls/openssl.cnf
dir=/etc/pki/CA
mkdir certs newcerts crl
touch index.txt
echo 01 > serial
1、產生密鑰:CA私密金鑰的儲存位置為/etc/pki/CA/private下一般儲存名字為cakey.pem的名字許可權只有屬主有許可權(因為和設定檔中的檔案保持一直)
(umask 077;openssl genrsa -out private/cakey.pem 1024)
命令解釋:
umask 077:設定產生的檔案的許可權
genrsa:產生私密金鑰
-out:私密金鑰存放路徑
2048:2048位元組計算(預設為1024)
openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365
命令解釋:
req:產生認證簽署請求
-new:新請求
-key /path/to/keyfile:指定私密金鑰檔案位置
-out /path/to/somefile:指定認證檔案存放在位置
-x509:產生自簽認證
-days n:指定到期天數
國家--省份--地區--公司名稱--公司部門名稱--CA伺服器主機名稱--管理員郵箱
[email protected]
------------------------------------------------
2、為主伺服器RS1準備私密金鑰並頒發認證
mkdir /var/lib/mysql/ssl
cd /var/lib/mysql/ssl/
產生密鑰
(umask 077;openssl genrsa 1024 > master1.key)
產生認證簽署請求
openssl req -new -key master1.key -out master1.csr
A challenge password []:-----------認證請求密鑰,CA讀取認證的時候需要輸入密碼
An optional company name[]:-----------公司名稱,CA讀取認證的時候需要輸入名稱
openssl ca -in master1.csr -out master1.crt -days 365
cp /etc/pki/CA/cacert.pem /var/lib/mysql/ssl/
chown -R mysql:mysql /var/lib/mysql/ssl
-----------------------------------------------
3、為slave上的mysql準備私密金鑰及申請認證
建立存放認證的位置
mkdir /var/lib/mysql/ssl
cd /var/lib/mysql/ssl
建立所需要的認證
(umask 077;openssl genrsa 1024 > master2.key)
openssl req -new -key master2.key -out master2.csr
scp ./master2.csr 192.168.1.10:/root/
在master1上為master2簽發認證
openssl ca -in master2.csr -out master2.crt
scp master2.crt /etc/pki/CA/cacert.pem 192.168.1.30:/var/lib/mysql/ssl
chown -R mysql.mysql ssl
-------------------------------------------
4、修改設定檔
vim /etc/my.cnf
加入
ssl-ca=/var/lib/mysql/ssl/cacert.pem
ssl-cert=/var/lib/mysql/ssl/master1.crt
ssl-key=/var/lib/mysql/ssl/master1.key
show variables like ‘%ssl%‘;
+---------------+--------------------------------+
| Variable_name | Value |
+---------------+--------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /var/lib/mysql/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /var/lib/mysql/ssl/master1.crt |
| ssl_cipher | |
| ssl_key | /var/lib/mysql/ssl/master1.key |
+---------------+--------------------------------+
grant replication slave,replication client on *.* to [email protected]‘192.168.1.%‘ identified by ‘123456‘ require ssl;
flush privileges;
show master status;
change master to master_host=‘192.168.1.10‘,
master_user=‘repluser‘,
master_password=‘123456‘,
master_log_file=‘mysql-bin.000008‘,
master_log_pos=308,
master_ssl=1,
master_ssl_ca=‘/var/lib/mysql/ssl/cacert.pem‘,
master_ssl_cert=‘/var/lib/mysql/ssl/master2.crt‘,
master_ssl_key=‘/var/lib/mysql/ssl/master2.key‘;
(自己的)
start slave;
show slave status\G
本文出自 “好大的刀” 部落格,請務必保留此出處http://53cto.blog.51cto.com/9899631/1695488
基於SSL加密的MySQL主從複製
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
