基于SSL实现Mysql加密主从
Mysql主从复制是明文传输的,对于一些特殊的场合是绝对不允许的,数据的安全性会受到威胁,在这里,简单的构建基于SSL的mysql主从复制
Ps:这里采用master-mysql为CA服务器
主端生成CA自签名证书
# mkdir -p /etc/my.cnf.d/ssl # cd /etc/my.cnf.d/ssl/ # openssl genrsa 2048 > cakey.pem Generating RSA private key, 2048 bit long modulus ............+++ .+++ e is 65537 (0x10001) # openssl req -new -x509 -key cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:bxy
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:ca.bxy.com
Email Address []:
[root@master-mysql ssl]# openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr #生成matsre私钥以及证书申请
[root@master-mysql ssl]# openssl x509 -req -in master.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt #给master端颁发证书
给slave颁发证书
[root@slave-mysql ssl]# openssl x509 -req -in slave.csr -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt
【mysql主从配置】
ps:在主从两端写上对应证书的路径
Master端配置:
[root@master-mysql ~]# vim /etc/my.cnf
[root@master-mysql ~]# systemctl restart mariadb
MariaDB [(none)]> grant replication slave on *.* to 'repluser'@'192.168.2.162' identified by '123.com' require ssl; #创建从库复制用户,并仅允许通过ssl加密连接
Query OK, 0 rows affected (0.00 sec)
Slave端配置
[root@slave-mysql ~]# vim /etc/my.cnf
[root@slave-mysql ~]# systemctl restart mariadb