Source: toutiao.com/article/7234104886726705716
1. Introduction
Our production environment is mostly deployed on cloud servers: application servers, MySQL servers, and so on. Exposing the MySQL server directly to the public network is a serious risk, so to protect the data its port is not open to the outside world.
Then an online service hits a bug, and a developer needs to connect to MySQL remotely to inspect the data. What do we do?
We can connect through an Nginx proxy acting as a jump host ("springboard").
2. Nginx proxy connection
To forward connections we need a server with Nginx installed that sits on the same intranet as the MySQL server and can reach it over that intranet.
Second, we need the ngx_stream_core_module module. It is not built by default, so add the --with-stream option when running configure.
For the build procedure, refer to the article [Nginx basic commands & non-stop version upgrade]; we will not go into details here.
Since we are going to use ngx_stream_core_module, the first step is to look at the directives it provides so that we know how to configure it.
1) stream
This directive defines a stream server. It is at the same level as the http block and defined in the main block.
- scope: main
- Syntax: stream {...}
Example:
stream {
    server {
        ......
    }
}
2) server
This directive defines a virtual host, similar to the server in the http block. We can define multiple server blocks in the stream block.
- scope: stream
- Syntax: server {...}
stream {
    server {
        ......
    }
    server {
        ......
    }
}
3) listen
This directive defines the address and port of the socket that the virtual host (server) listens on.
- scope: server
- Syntax: listen address:port;
Example:
listen 127.0.0.1:3306;
listen *:3306;
# Same effect as listen *:3306
listen 3306;
listen localhost:3306;
4) Configuration example
MySQL server, port 3306 (stand-alone environment)
stream {
    server {
        listen 3306;
        proxy_pass 192.168.110.101:3306;
    }
}
MySQL server, port 3306 (cluster environment)
stream {
    upstream mysql_socket {
        server 192.168.110.101:3306;
    }
    server {
        listen 3306;
        proxy_pass mysql_socket;
    }
}
At this point, we can connect through clients such as Navicat.
3. Restrict access by IP
The proxy is now in place, and anyone can reach the MySQL server by connecting to Nginx, which solves the problem of not being able to connect from the external network.
To narrow the scope of access further and protect the data, we can allow only the company network's IP addresses to connect through Nginx.
Nginx provides the ngx_stream_access_module module for this. Its directives are very simple: it contains only allow and deny.
1) allow
This directive allows access from the specified address. It can be used together with the deny directive.
- Scope: stream, server
- Syntax: allow address | CIDR | unix: | all;
Example:
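# Allow access from 192.168.110.1
allow 192.168.110.1;
# Allow 192.168.0.1 to 192.168.255.254 (a /16 mask ignores the third octet, so the 110 has no effect)
allow 192.168.110.0/16;
# Allow 192.168.110.1 to 192.168.110.254
allow 192.168.110.0/24;
# Allow access from all IP addresses
allow all;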
2) deny
This directive denies access from the specified address. It can be used together with the allow directive.
- Scope: stream, server
- Syntax: deny address | CIDR | unix: | all;
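# Deny access from 192.168.110.1
deny 192.168.110.1;
# Deny 192.168.0.1 to 192.168.255.254 (a /16 mask ignores the third octet, so the 110 has no effect)
deny 192.168.110.0/16;
# Deny 192.168.110.1 to 192.168.110.254
deny 192.168.110.0/24;
# Deny access from all IP addresses
deny all;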
3) Configuration example
Forbid all IP access, except 192.168.110.100.
allow 192.168.110.100;
deny all;
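Tip: Rules are checked in order and the first match wins. An allow rule on its own restricts nothing: it must be followed by a deny (typically deny all), otherwise every IP address that matches no rule is still allowed to connect.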
4. Comprehensive case
Only 192.168.110.100 is allowed to connect to the MySQL server through Nginx.
stream {
    allow 192.168.110.100;
    deny all;
    server {
        listen 3306;
        proxy_pass 192.168.110.101:3306;
    }
}
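The first-match behaviour behind the tip in section 3 and the real reach of a CIDR mask can be checked offline before Nginx is reloaded. The Python sketch below is an added example, not code from the original article; the function names (parse_rules, decide, audit) and the two sample rule lists are constructed for illustration, and it handles only a flat list of IP rules (unix: rules are skipped).

```python
import ipaddress
import re

# Matches "allow <target>;" / "deny <target>;" at the start of a line (comments are skipped).
RULE_RE = re.compile(r"^\s*(allow|deny)\s+([^;\s]+)\s*;", re.M)

def parse_rules(conf):
    """Return [(action, network-or-None, raw_target)] in file order; None means 'all'."""
    rules = []
    for action, target in RULE_RE.findall(conf):
        if target.startswith("unix:"):
            continue  # UNIX-socket rules are out of scope for this sketch
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net, target))
    return rules

def decide(rules, client_ip):
    """First matching rule wins; if nothing matches, the connection is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for action, net, _ in rules:
        if net is None or ip in net:
            return action
    return "allow"

def audit(rules):
    """Flag rule lists that admit more clients than they appear to."""
    findings = []
    if not any(a == "deny" and n is None for a, n, _ in rules):
        findings.append("no 'deny all': unmatched addresses are allowed")
    for action, net, raw in rules:
        # Host bits set in a CIDR target: the mask silently widens the range.
        if net is not None and "/" in raw and raw.split("/")[0] != str(net.network_address):
            findings.append(f"{action} {raw} actually covers {net}")
    return findings

# Constructed inputs: the article's comprehensive case, and a weaker variant.
STRICT = "allow 192.168.110.100;\ndeny all;\n"
LOOSE = "allow 192.168.110.0/16;\n"

if __name__ == "__main__":
    for name, conf in (("strict", STRICT), ("loose", LOOSE)):
        rules = parse_rules(conf)
        for ip in ("192.168.110.100", "192.168.3.7", "203.0.113.9"):
            print(name, ip, decide(rules, ip))
        print(name, audit(rules))
```

Running it shows that the LOOSE list lets 203.0.113.9 through because no rule matches it, while STRICT denies everything except 192.168.110.100.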