Linux九阴真经之九阴白骨爪残卷16

一、加密传输复制的实现

在默认的主从复制过程中,或远程连接到MySQL/MariaDB的所有连接通信中,数据都是明文的,在外网访问数据或者进行复制时存在安全隐患。通过SSL/TLS加密的方式进行复制,可以进一步提高数据的安全性。

主服务器开启SSL:[mysqld] 加一行ssl
主服务器配置证书和私钥;并且创建一个要求必须使用SSL连接的复制账号
从服务器使用CHANGE MASTER TO 命令时指明ssl相关选项(若还要让从服务器校验主服务器证书是否由该CA签发,需同时设置MASTER_SSL_VERIFY_SERVER_CERT=1,否则仅加密不验证身份)

特别提示:在配置之前先检查mysql服务是否支持ssl功能,如果have_ssl的值为'DISABLED'则支持(已编译进ssl功能,只是尚未开启);如果为'NO'则不支持,需要重新编译安装或者安装具有ssl功能的版本

MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_key       |          |
+---------------+----------+

1、CA

[root@centos7 ~]#mkdir /etc/my.cnf.d/ssl/
[root@centos7 ~]#cd /etc/my.cnf.d/ssl/
[root@centos7 ssl]#openssl genrsa 2048 > cakey.pem   #生成CA私钥(此文件须妥善保管,建议收紧权限,如 chmod 600 cakey.pem)
[root@centos7 ssl]#openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650  #自签名证书
Country Name (2 letter code) [XX]:CN     
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:30
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:

[root@centos7 ssl]#openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr   
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:31
Common Name (eg, your name or your server's hostname) []:master.magedu.com
Email Address []:
[root@centos7 ssl]#openssl x509 -req -in master.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt  #签署master证书(注意:前面req命令里的-days对CSR不起作用,x509 -req未指定-days时默认有效期仅30天,到期后复制会中断,正式使用时应在此处加上-days)

[root@centos7 ssl]#openssl req -newkey rsa:2048 -days 365 -nodes -keyout slave.key > slave.csr
Country Name (2 letter code) [XX]:CN      
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:31
Common Name (eg, your name or your server's hostname) []:slave.magedu.com
Email Address []:
[root@centos7 ssl]#openssl x509 -req -in slave.csr -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt     #签署slave证书(同样注意:x509 -req未指定-days时默认有效期仅30天)

[root@centos7 ssl]#openssl verify -CAfile cacert.pem master.crt slave.crt   #检查证书是否可用
master.crt: OK
slave.crt: OK

先在各个节点上创建存放证书的文件夹(主服务器为/etc/my.cnf.d/ssl/,本文从服务器实际使用的是/var/lib/mysql/ssl/,目录必须与后面配置文件和CHANGE MASTER TO中写的路径一致),将各自的证书、CA的证书和各自的私钥文件复制过去,并把私钥文件权限收紧为仅mysql服务用户可读
[root@centos7 ssl]#scp -r cacert.pem master.crt master.key 192.168.95.5:/etc/my.cnf.d/ssl/
[root@centos7 ssl]#scp -r cacert.pem slave.crt slave.key 192.168.95.3:/var/lib/mysql/ssl/

2、master

[mysqld]

  log_bin
  server_id=1
  datadir=/var/lib/mysql

ssl         # 开启ssl功能
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem        #指定CA证书路径
ssl-cert=/etc/my.cnf.d/ssl/master.crt      #指定自己的证书路径
ssl-key=/etc/my.cnf.d/ssl/master.key       #指定自己的私钥文件路径
[root@localhost ~]# systemctl restart mariadb


MariaDB [(none)]> show variables like '%ssl%';   #查看加密是否成功;
+---------------+------------------------------+
| Variable_name | Value |
+---------------+------------------------------+
| have_openssl | YES |   #成功
| have_ssl | YES |
| ssl_ca | /etc/my.cnf.d/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /etc/my.cnf.d/ssl/master.crt |
| ssl_cipher | |
| ssl_key | /etc/my.cnf.d/ssl/master.key |
+---------------+------------------------------+

  MariaDB [(none)]> grant replication slave on *.* to laobai@'192.168.95.%' identified by '123456' REQUIRE SSL;    #授权并强制用户使用 SSL登录(REQUIRE SSL只要求连接加密,不要求客户端出示证书;若要求从服务器出示由CA签发的证书,可改用REQUIRE X509)

  MariaDB [(none)]> show master logs;
  +--------------------+-----------+
  | Log_name | File_size |
  +--------------------+-----------+
  | mariadb-bin.000001 | 264 |
  | mariadb-bin.000002 | 343 |
  | mariadb-bin.000003 | 569 |
  | mariadb-bin.000004 | 264 |
  | mariadb-bin.000005 | 410 |
  +--------------------+-----------+

 

3、slave

[mysqld]
log_bin                                                                                                          
server_id=2
ssl
[root@slave1 ~]# systemctl restart mariadb
CHANGE MASTER TO
    MASTER_HOST='192.168.95.5',
    MASTER_USER='laobai',
    MASTER_PASSWORD='123456',
    MASTER_PORT=3306,
    MASTER_LOG_FILE='mariadb-bin.000006',
    MASTER_LOG_POS=245,
    MASTER_CONNECT_RETRY=10,
    MASTER_SSL=1,
    MASTER_SSL_CA = '/var/lib/mysql/ssl/cacert.pem',
    MASTER_SSL_CERT = '/var/lib/mysql/ssl/slave.crt',
    MASTER_SSL_KEY = '/var/lib/mysql/ssl/slave.key';

   mysql> start slave;


转载自www.cnblogs.com/huxiaojun/p/9219384.html