一、加密传输复制的实现
在默认的主从复制过程中,以及远程连接到MySQL/MariaDB的所有链接通信中,数据都是明文传输的,在外网里访问数据或者进行复制时存在安全隐患。通过SSL/TLS加密的方式进行复制,可以进一步提高数据传输的安全性。
主服务器开启SSL:[mysqld] 加一行ssl
主服务器配置证书和私钥;并且创建一个要求必须使用SSL连接的复制账号
从服务器使用CHANGE MASTER TO 命令时指明ssl相关选项(若还要求从库校验主库证书,需同时设置MASTER_SSL_VERIFY_SERVER_CERT=1;仅指定MASTER_SSL_CA并不会校验主库证书)
特别提示:在配置之前先检查mysql服务是否支持ssl功能。如果have_ssl的值为'DISABLED',说明已编译支持SSL但尚未启用,可以按下文配置;如果为'NO'则不支持,需要重新编译安装或者安装具有ssl功能的版本
MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_key       |          |
+---------------+----------+
1、CA
[root@centos7 ~]#mkdir /etc/my.cnf.d/ssl/
[root@centos7 ~]#cd /etc/my.cnf.d/ssl/
[root@centos7 ssl]#openssl genrsa 2048 > cakey.pem   #生成CA私钥
[root@centos7 ssl]#openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650   #自签名证书
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:30
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
[root@centos7 ssl]#openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:31
Common Name (eg, your name or your server's hostname) []:master.magedu.com
Email Address []:
[root@centos7 ssl]#openssl x509 -req -in master.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt   #签署master证书
[root@centos7 ssl]#openssl req -newkey rsa:2048 -days 365 -nodes -keyout slave.key > slave.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:31
Common Name (eg, your name or your server's hostname) []:slave.magedu.com
Email Address []:
[root@centos7 ssl]#openssl x509 -req -in slave.csr -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt   #签署slave证书
[root@centos7 ssl]#openssl verify -CAfile cacert.pem master.crt slave.crt   #检查证书是否能由该CA验证通过
master.crt: OK
slave.crt: OK
先在各个节点上创建存放证书的目录(本例中主节点为/etc/my.cnf.d/ssl/,从节点为/var/lib/mysql/ssl/,必须与下文配置中引用的路径一致),将各自的证书、CA的证书和各自的私钥文件复制过去。注意只分发CA证书cacert.pem,CA私钥cakey.pem不要复制到各节点;私钥文件(*.key)的权限应限制为仅mysql服务用户可读
[root@centos7 ssl]#scp -r cacert.pem master.crt master.key 192.168.95.5:/etc/my.cnf.d/ssl/
[root@centos7 ssl]#scp -r cacert.pem slave.crt slave.key 192.168.95.3:/var/lib/mysql/ssl/
2、master
[mysqld]
log_bin
server_id=1
datadir=/var/lib/mysql
ssl                                    # 开启ssl功能
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem    #指定CA证书路径
ssl-cert=/etc/my.cnf.d/ssl/master.crt  #指定自己的证书路径
ssl-key=/etc/my.cnf.d/ssl/master.key   #指定自己的私钥文件路径
[root@localhost ~]# systemctl restart mariadb
MariaDB [(none)]> show variables like '%ssl%'; #查看加密是否成功;
+---------------+------------------------------+
| Variable_name | Value |
+---------------+------------------------------+
| have_openssl | YES | #成功
| have_ssl | YES |
| ssl_ca | /etc/my.cnf.d/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /etc/my.cnf.d/ssl/master.crt |
| ssl_cipher | |
| ssl_key | /etc/my.cnf.d/ssl/master.key |
+---------------+------------------------------+
MariaDB [(none)]> grant replication slave on *.* to laobai@'192.168.95.%' identified by '123456' REQUIRE SSL; #授权并强制该用户必须使用SSL连接(REQUIRE SSL只要求连接加密,不校验客户端证书;如需把账号绑定到证书,可改用REQUIRE X509或REQUIRE SUBJECT)
MariaDB [(none)]> show master logs;
+--------------------+-----------+
| Log_name | File_size |
+--------------------+-----------+
| mariadb-bin.000001 | 264 |
| mariadb-bin.000002 | 343 |
| mariadb-bin.000003 | 569 |
| mariadb-bin.000004 | 264 |
| mariadb-bin.000005 | 410 |
+--------------------+-----------+
3、slave
[mysqld]
log_bin
server_id=2
ssl
[root@slave1 ~]# systemctl restart mariadb
CHANGE MASTER TO
MASTER_HOST='192.168.95.5',
MASTER_USER='laobai',
MASTER_PASSWORD='123456',
MASTER_PORT=3306,
MASTER_LOG_FILE='mariadb-bin.000006',
MASTER_LOG_POS=245,
MASTER_CONNECT_RETRY=10,
MASTER_SSL=1,
MASTER_SSL_CA = '/var/lib/mysql/ssl/cacert.pem',
MASTER_SSL_CERT = '/var/lib/mysql/ssl/slave.crt',
MASTER_SSL_KEY = '/var/lib/mysql/ssl/slave.key';
mysql> start slave;