基于SSL实现Mysql加密主从

Mysql主从复制是明文传输的，对于一些特殊的场合是绝对不允许的，数据的安全性会受到威胁，在这里，简单的构建基于SSL的mysql主从复制

Ps:这里采用master-mysql为CA服务器

主端生成CA自签名证书

# mkdir -p /etc/my.cnf.d/ssl
# cd /etc/my.cnf.d/ssl/
# openssl genrsa 2048 > cakey.pem
Generating RSA private key, 2048 bit long modulus
............+++
.+++
e is 65537 (0x10001)

# openssl req -new -x509 -key cakey.pem -days 3650 -out cacert.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:bxy
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:ca.bxy.com
Email Address []:

[root@master-mysql ssl]# openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr    #生成matsre私钥以及证书申请

[root@master-mysql ssl]# openssl x509 -req -in master.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt    #给master端颁发证书

 给slave颁发证书

[root@slave-mysql ssl]# openssl x509 -req -in slave.csr -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt

 【mysql主从配置】

ps:在主从两端写上对应证书的路径

Master端配置：

[root@master-mysql ~]# vim /etc/my.cnf   

[root@master-mysql ~]# systemctl restart mariadb

MariaDB [(none)]> grant replication slave on *.* to 'repluser'@'192.168.2.162' identified by '123.com' require ssl;    #创建从库复制用户，并仅允许通过ssl加密连接
Query OK, 0 rows affected (0.00 sec)

 Slave端配置

[root@slave-mysql ~]# vim /etc/my.cnf

 

[root@slave-mysql ~]# systemctl restart mariadb