Enabling SSL certificates in MySQL

Because data in master-slave replication travels in plaintext, security is greatly reduced; SSL encryption is therefore used to make replication more secure. This requires MySQL 5.6 or later.

The master contains certificates by default.

MySQL 5.7.18: the certificates and keys for encrypted connections are generated by mysql_ssl_rsa_setup.

[root@localhost ~]# scp /var/lib/mysql/ca.pem [email protected]:/var/lib/mysql			the issuing CA certificate
[root@localhost ~]# scp /var/lib/mysql/client-cert.pem [email protected]:/var/lib/mysql	the client certificate
[root@localhost ~]# scp /var/lib/mysql/client-key.pem [email protected]:/var/lib/mysql	the client RSA private key
[root@localhost ~]# vim /etc/my.cnf
[mysqld]
server-id=1
log-bin=/var/lib/mysql/mysql-bin
ssl
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem
ssl_cert (location of the MySQL server certificate), ssl_key (location of the MySQL server private key) and ssl_ca (location of the CA certificate). Note that mysql_ssl_rsa_setup also generates server-cert.pem and server-key.pem, which are the files intended for these [mysqld] options; the configuration above points the server at the client pair instead.
[root@localhost ~]# systemctl restart mysqld
[root@localhost ~]# mysql -u root -p1234.Com
mysql> grant replication slave on *.* to qq@'192.168.1.%' identified by '4567.Com' require ssl;
mysql> flush privileges;
mysql> show master status\G		"show the binary log file currently in use on the master and the position within it"
*************************** 1. row ***************************
             File: mysql-bin.000001
         Position: 597
     Binlog_Do_DB: 
 Binlog_Ignore_DB: 
Executed_Gtid_Set: 
1 row in set (0.00 sec)
mysql> show master logs;		"list the master's binary log files and their sizes (position)"
+------------------+-----------+
| Log_name         | File_size |
+------------------+-----------+
| mysql-bin.000001 |      597  |
+------------------+-----------+
1 row in set (0.00 sec)

Slave server configuration

[root@localhost ~]# vim /etc/my.cnf
[mysqld]
server-id=2
relay-log=/var/lib/mysql/relay-log-bin		"defines where the relay log is stored and its file name; this can also be left undefined"
[root@localhost ~]# systemctl restart mysqld
[root@localhost ~]# cd /var/lib/mysql		//test the master-slave connection
[root@localhost mysql]# mysql --ssl-ca=ca.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -uqq -p4567.Com -h 192.168.1.1
mysql> status;
...
Connection id:		12
Current database:	
Current user:		[email protected]
SSL:			Cipher in use is ECDHE-RSA-AES128-GCM-SHA256	(the cipher suite in use)
[root@localhost mysql]# mysql -u root -p1234.Com
mysql> change master to
master_host='192.168.1.1',
master_user='qq',
master_password='4567.Com',
master_log_file='mysql-bin.000001',
master_log_pos=597,
master_ssl=1,
master_ssl_ca='/var/lib/mysql/ca.pem',
master_ssl_cert='/var/lib/mysql/client-cert.pem',
master_ssl_key='/var/lib/mysql/client-key.pem';
mysql> start slave;
mysql> show slave status\G
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 192.168.1.1
                  Master_User: qq
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: mysql-bin.000001
          Read_Master_Log_Pos: 597
               Relay_Log_File: relay-log-bin.000002
                Relay_Log_Pos: 320
        Relay_Master_Log_File: mysql-bin.000001
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
mysql> show variables like '%ssl%';			# check whether SSL is enabled
+---------------+--------------------------------+
| Variable_name | Value                          |
+---------------+--------------------------------+
| have_openssl  | YES                            |
| have_ssl      | YES                            |
| ssl_ca        | /var/lib/mysql/ca.pem          |
| ssl_capath    |                                |
| ssl_cert      | /var/lib/mysql/client-cert.pem |
| ssl_cipher    |                                |
| ssl_crl       |                                |
| ssl_crlpath   |                                |
| ssl_key       | /var/lib/mysql/client-key.pem  |
+---------------+--------------------------------+
Note: enabling SSL connections in MySQL is mainly used for master-slave replication (on a LAN replication may run without SSL, i.e. in plaintext, but for replication over the internet an SSL connection is recommended).

Summary:
1. MySQL 5.7 enables SSL connections by default. If users are forced to connect over SSL, the application configuration must also explicitly specify the SSL parameters, otherwise the program will fail with an error.
2. Although SSL improves security, it also lowers QPS by roughly 23%, so choose carefully:
▷ For highly sensitive core data, or core data whose QPS is already low, SSL can be used to protect the data;
▷ For applications that use short connections and demand high performance, or that do not produce core sensitive data, performance and availability come first, and SSL is not recommended.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide confidentiality and data integrity for network communication. Replication is transmitted in plaintext by default; SSL encryption greatly improves the security of the data.
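As an added check (example code written for this post, not taken from the original or from MySQL), a small Python audit that parses the primary's [mysqld] section and a replica's SHOW SLAVE STATUS\G excerpt and reports what still needs fixing. Both samples are constructed from the values above; the Master_SSL_Allowed row and the require_secure_transport option are real MySQL 5.7 names that the page does not show.

```python
import configparser
import re
# Constructed copy of the page's [mysqld] TLS lines, not read from a live host.
SAMPLE_MY_CNF = """\
[mysqld]
ssl
ssl-ca=/var/lib/mysql/ca.pem
ssl-cert=/var/lib/mysql/client-cert.pem
ssl-key=/var/lib/mysql/client-key.pem
"""

# Constructed SHOW SLAVE STATUS\G excerpt; Master_SSL_Allowed is the row that proves TLS is used.
SAMPLE_SLAVE_STATUS = """\
*************************** 1. row ***************************
                  Master_Host: 192.168.1.1
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
           Master_SSL_Allowed: Yes
"""

def parse_vertical(text):
    """Parse mysql's \\G output ('   Name: value' per line) into a dict."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s?(.*)$", line)
        if m:
            rows[m.group(1)] = m.group(2).strip()
    return rows

def audit_master_cnf(cnf_text):
    """Findings for the primary's [mysqld] TLS settings (empty list = nothing to fix)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    s = cp["mysqld"]
    findings = [f"{k} missing" for k in ("ssl-ca", "ssl-cert", "ssl-key") if not s.get(k)]
    if (s.get("ssl-cert") or "").rsplit("/", 1)[-1].startswith("client"):
        findings.append("ssl-cert is a client certificate; [mysqld] should use server-cert.pem/server-key.pem")
    if (s.get("require_secure_transport") or "OFF").upper() != "ON":
        findings.append("require_secure_transport is OFF; accounts without REQUIRE SSL may still connect in clear")
    return findings

def audit_slave_status(status_text):
    """Findings for a replica: both threads running and TLS negotiated to the primary."""
    st = parse_vertical(status_text)
    findings = []
    if st.get("Slave_IO_Running") != "Yes" or st.get("Slave_SQL_Running") != "Yes":
        findings.append("replication threads not running")
    if st.get("Master_SSL_Allowed") != "Yes":
        findings.append("Master_SSL_Allowed is not Yes; replica pulls the binlog in clear text")
    return findings
```

Run against real output by piping `mysql -e 'SHOW SLAVE STATUS\G'` into audit_slave_status; an empty list from both functions means the replica is up and the channel is encrypted.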
Reposted from blog.csdn.net/qq_50573146/article/details/127100328