数据库 
首页 > 数据库 > 浏览文章

MySQL配置SSL主从复制

(编辑:jimmy 日期: 2024/11/26 浏览:3 次 )

MySQL5.6 创建SSL文件方法

官方文档:https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html#creating-ssl-files-using-openssl-unix-command-line

Create clean environment

mkdir /home/mysql/mysqlcerts && cd /home/mysql/mysqlcerts

Create CA certificate

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

Create server certificate, remove passphrase, and sign it

server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

Create client certificate, remove passphrase, and sign it

client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600  -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -CAfile ca.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK

MySQL5.7 创建SSL文件方法

官方文档:https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-rsa-files-using-mysql.html

mkdir -p  /home/mysql/mysqlcerts
/usr/local/mysql-5.7.21-linux-glibc2.12-x86_64/bin/mysql_ssl_rsa_setup  --datadir=/home/mysql/mysqlcerts/

主库创建SSL后进行配置

从库 192.168.1.222

mkdir -p  /home/mysql/mysqlcerts

主库

chown -R mysql.mysql  /home/mysql/mysqlcerts/
scp ca.pem client-cert.pem client-key.pem root@192.168.1.222:/home/mysql/mysqlcerts/

主库授权

GRANT REPLICATION SLAVE ON *.* TO 'repl'@'192.168.1.222' identified by '' require ssl;

主库 my.cnf

#SSL
ssl-ca=/home/mysql/mysqlcerts/ca.pem
ssl-cert=/home/mysql/mysqlcerts/server-cert.pem
ssl-key=/home/mysql/mysqlcerts/server-key.pem

restart mysql

从库

chown -R mysql.mysql  /home/mysql/mysqlcerts/

my.cnf

ssl-ca=/home/mysql/mysqlcerts/ca.pem
ssl-cert= /home/mysql/mysqlcerts/client-cert.pem
ssl-key= /home/mysql/mysqlcerts/client-key.pem

创建复制:

change master to master_host='',master_user='',master_password='',master_log_file='mysql-bin.000001',master_log_pos=154,   master_ssl=1, master_ssl_ca='/home/mysql/mysqlcerts/ca.pem', master_ssl_cert='/home/mysql/mysqlcerts/client-cert.pem',  master_ssl_key='/home/mysql/mysqlcerts/client-key.pem' ,MASTER_CONNECT_RETRY=10;

验证:
主库配置SSL认证后,客户端默认以SSL方式登录

mysql -utest -h192.168.1.223 -ptest -P3307  

(该账号不论是否配置require ssl 均能登录)

不以SSL方式登录命令为:

mysql -utest -h192.168.1.223 -ptest -P3307 --ssl-mode=DISABLED   

(如该账号配置了require ssl 则无法登录)

上一篇:MySQL DeadLock故障排查全过程记录
下一篇:mysql使用from与join两表查询的区别总结
一句话新闻
一文看懂荣耀MagicBook Pro 16
荣耀猎人回归!七大亮点看懂不只是轻薄本,更是游戏本的MagicBook Pro 16.
人们对于笔记本电脑有一个固有印象:要么轻薄但性能一般,要么性能强劲但笨重臃肿。然而,今年荣耀新推出的MagicBook Pro 16刷新了人们的认知——发布会上,荣耀宣布猎人游戏本正式回归,称其继承了荣耀 HUNTER 基因,并自信地为其打出“轻薄本,更是游戏本”的口号。
众所周知,寻求轻薄本的用户普遍更看重便携性、外观造型、静谧性和打字办公等用机体验,而寻求游戏本的用户则普遍更看重硬件配置、性能释放等硬核指标。把两个看似难以相干的产品融合到一起,我们不禁对它产生了强烈的好奇:作为代表荣耀猎人游戏本的跨界新物种,它究竟做了哪些平衡以兼顾不同人群的各类需求呢?
友情链接:杰晶网络 DDR爱好者之家 南强小屋 黑松山资源网 白云城资源网 网站地图 SiteMap