If the SQL interceptor provided by Mycat is for auditing SQL statements after the fact, then the SQL firewall provided by Mycat is for prevention in advance.
Why use the SQL firewall?
Those familiar with MySQL know that we can specify that a user may only access the database from certain IP addresses. However, once we use Mycat, all authentication for database access is handed over to Mycat. Previously, any user we configured in Mycat's server.xml file could log in to the database from any host that can reach Mycat, which is not safe. Mycat's SQL firewall gives us unified control over which users may access the back-end database through Mycat, and from which hosts.
In addition, the SQL firewall provided by Mycat implements SQL blocking, which lets us block certain SQL statements, such as DELETE statements without a WHERE condition, DROP statements, and so on, to improve the security of the data.
How to enable Mycat's SQL firewall?
To enable Mycat's SQL firewall, add a firewall tag to the server.xml file, as shown below.
```xml
<firewall>
    <whitehost>
        <host user="root" host="127.0.0.1"></host>
    </whitehost>
    <blacklist check="true">
        <property name="noneBaseStatementAllow">true</property>
        <property name="deleteWhereNoneCheck">true</property>
    </blacklist>
</firewall>
```
The whitehost tag configures the whitelist of hosts and users. Once Mycat's SQL firewall is enabled, only the hosts and users in the whitelist can access Mycat. With the configuration above, only the root user on the host where Mycat itself runs (127.0.0.1) can access Mycat; other users and other hosts cannot.
The blacklist tag configures the blacklist, that is, which operations Mycat should restrict. In the configuration above, we set whether DDL operations are allowed (true means they are not allowed) and whether DELETE statements are checked for a missing WHERE condition (true means the check is performed and such statements are not allowed).
The actual configuration
Next, we add the above configuration to the server.xml file. The final server.xml file is shown below.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mycat:server SYSTEM "server.dtd">
<mycat:server xmlns:mycat="http://io.mycat/">
    <system>
        <property name="useHandshakeV10">1</property>
        <property name="defaultSqlParser">druidparser</property>
        <property name="serverPort">3307</property>
        <property name="managerPort">3308</property>
        <property name="nonePasswordLogin">0</property>
        <property name="bindIp">0.0.0.0</property>
        <property name="charset">utf8mb4</property>
        <property name="frontWriteQueueSize">2048</property>
        <property name="txIsolation">2</property>
        <property name="processors">2</property>
        <property name="idleTimeout">1800000</property>
        <property name="sqlExecuteTimeout">300</property>
        <property name="useSqlStat">0</property>
        <property name="useGlobleTableCheck">0</property>
        <property name="sequenceHandlerType">1</property>
        <property name="defaultMaxLimit">1000</property>
        <property name="maxPacketSize">104857600</property>
        <property name="sqlInterceptor">
            io.mycat.server.interceptor.impl.StatisticsSqlInterceptor
        </property>
        <property name="sqlInterceptorType">
            UPDATE,DELETE,INSERT
        </property>
        <property name="sqlInterceptorFile">/tmp/sql.txt</property>
    </system>
    <firewall>
        <whitehost>
            <host user="mycat" host="192.168.175.150"></host>
        </whitehost>
        <blacklist check="true">
            <property name="noneBaseStatementAllow">true</property>
            <property name="deleteWhereNoneCheck">true</property>
        </blacklist>
    </firewall>
    <user name="mycat" defaultAccount="true">
        <property name="usingDecrypt">1</property>
        <property name="password">cTwf23RrpBCEmalp/nx0BAKenNhvNs2NSr9nYiMzHADeEDEfwVWlI6hBDccJjNBJqJxnunHFp5ae63PPnMfGYA==</property>
        <property name="schemas">shop</property>
    </user>
</mycat:server>
```
With the above configuration, only the user mycat on the host 192.168.175.150 may access Mycat; DDL operations are not allowed, and DELETE statements without a WHERE condition cannot be executed.
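A small audit script, added here as an example and not part of Mycat, that parses a server.xml of the shape shown above and reports the gaps a reviewer would look for: a missing firewall section, an empty whitelist, a blacklist with check disabled, and the risky checks that stay off by default (deleteWhereNoneCheck and updateWhereNoneCheck are false unless set). The sample XML is constructed for the example.

```python
# Added example (not Mycat's own code): audit the <firewall> section of a
# Mycat server.xml. Expected values follow this page: noneBaseStatementAllow
# true blocks DDL; deleteWhereNoneCheck/updateWhereNoneCheck default to false.
import xml.etree.ElementTree as ET

# Constructed sample with the same layout as the server.xml discussed above.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mycat:server xmlns:mycat="http://io.mycat/">
  <firewall>
    <whitehost>
      <host user="mycat" host="192.168.175.150"></host>
    </whitehost>
    <blacklist check="true">
      <property name="noneBaseStatementAllow">true</property>
      <property name="deleteWhereNoneCheck">true</property>
    </blacklist>
  </firewall>
</mycat:server>
"""

# Blacklist properties the auditor expects to be set explicitly, with the value
# that closes the gap their default leaves open.
EXPECTED = {
    "noneBaseStatementAllow": "true",  # true: DDL through Mycat is refused
    "deleteWhereNoneCheck": "true",    # default false: DELETE without WHERE passes
    "updateWhereNoneCheck": "true",    # default false: UPDATE without WHERE passes
}


def audit_firewall(xml_text):
    """Return a list of findings; an empty list means no gaps were found."""
    root = ET.fromstring(xml_text)
    fw = root.find("firewall")  # child elements carry no namespace prefix
    if fw is None:
        return ["no <firewall> section: any host that can reach Mycat can log in"]
    findings = []
    hosts = fw.findall("./whitehost/host")
    if not hosts:
        findings.append("whitehost is empty: no host/user restriction applies")
    for h in hosts:
        if not h.get("host") or not h.get("user"):
            findings.append("host entry is missing a host or user attribute")
    bl = fw.find("blacklist")
    if bl is None or bl.get("check", "false").lower() != "true":
        findings.append("blacklist check is not enabled")
        return findings
    props = {p.get("name"): (p.text or "").strip() for p in bl.findall("property")}
    for name, want in EXPECTED.items():
        if props.get(name, "").lower() != want:
            findings.append(f"{name} is not {want} (got {props.get(name, 'default')})")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_SERVER_XML):
        print("WARN:", finding)
```

Run against the sample, the only finding is that updateWhereNoneCheck was left at its default.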
Appendix: blacklist interception configuration details
Configuration item | Default value | Description |
---|---|---|
selectAllow | true | Whether to allow SELECT statements |
selectAllColumnAllow | true | Whether to allow statements of the form SELECT * FROM T. If set to false, select * from t is not allowed, but select * from (select id, name from t) a is. This option defends against using select * to obtain the structure of a table. |
selectIntoAllow | true | Whether to allow SELECT INTO statements |
deleteAllow | true | Whether to allow DELETE statements |
updateAllow | true | Whether to allow UPDATE statements |
insertAllow | true | Whether to allow INSERT statements |
replaceAllow | true | Whether to allow REPLACE statements |
mergeAllow | true | Whether to allow MERGE statements; only meaningful on Oracle |
callAllow | true | Whether to allow calling stored procedures through the JDBC call syntax |
setAllow | true | Whether to allow SET syntax |
truncateAllow | true | Whether to allow TRUNCATE statements. TRUNCATE is dangerous; it is enabled by default, so disable it yourself if needed |
createTableAllow | true | Whether to allow CREATE TABLE statements |
alterTableAllow | true | Whether to allow ALTER TABLE statements |
dropTableAllow | true | Whether to allow DROP TABLE statements |
commentAllow | false | Whether to allow comments in statements. Oracle users need not worry: Wall can tell hints and comments apart |
noneBaseStatementAllow | false | Whether to allow statements other than the basic ones; disabled by default. This option can be used to block DDL. |
multiStatementAllow | false | Whether to allow executing multiple statements at once; disabled by default |
useAllow | true | Whether to allow MySQL USE statements; enabled by default |
describeAllow | true | Whether to allow MySQL DESCRIBE statements; enabled by default |
showAllow | true | Whether to allow MySQL SHOW statements; enabled by default |
commitAllow | true | Whether to allow COMMIT operations |
rollbackAllow | true | Whether to allow ROLLBACK operations |
If selectIntoAllow, deleteAllow, updateAllow, insertAllow and mergeAllow are all set to false, the data source is read-only. | | |
Interception configuration: always-true conditions | | |
selectWhereAlwayTrueCheck | true | Check whether the WHERE clause of a SELECT statement is an always-true condition |
selectHavingAlwayTrueCheck | true | Check whether the HAVING clause of a SELECT statement is an always-true condition |
deleteWhereAlwayTrueCheck | true | Check whether the WHERE clause of a DELETE statement is an always-true condition |
deleteWhereNoneCheck | false | Check whether a DELETE statement has no WHERE condition. This is risky, but it is not a SQL injection risk |
updateWhereAlayTrueCheck | true | Check whether the WHERE clause of an UPDATE statement is an always-true condition |
updateWhereNoneCheck | false | Check whether an UPDATE statement has no WHERE condition. This is risky, but it is not a SQL injection risk |
conditionAndAlwayTrueAllow | false | Whether the query condition (WHERE / HAVING clause) may contain an AND with an always-true condition |
conditionAndAlwayFalseAllow | false | Whether the query condition (WHERE / HAVING clause) may contain an AND with an always-false condition |
conditionLikeTrueAllow | true | Whether the query condition (WHERE / HAVING clause) may contain an always-true LIKE condition |
Other interception configuration | | |
selectIntoOutfileAllow | false | Whether SELECT ... INTO OUTFILE is allowed. This is a common MySQL injection technique, so it is disabled by default |
selectUnionCheck | true | Detect SELECT UNION |
selectMinusCheck | true | Detect SELECT MINUS |
selectExceptCheck | true | Detect SELECT EXCEPT |
selectIntersectCheck | true | Detect SELECT INTERSECT |
mustParameterized | false | Whether parameterization is required. If true, non-parameterized SQL such as WHERE ID = 1 is not allowed |
strictSyntaxCheck | true | Whether to perform strict syntax checking. Druid SQL Parser cannot cover all SQL syntax in some scenarios; if SQL fails to parse, this option can temporarily be set to false and the SQL reported to the Druid developers. |
conditionOpXorAllow | false | Whether XOR conditions are allowed in query conditions. XOR is rarely used and it is hard to decide whether it is always true or always false, so it is disallowed by default. |
conditionOpBitwseAllow | true | Whether the "&", "~", "\|" and "^" operators are allowed in query conditions. |
conditionDoubleConstAllow | false | Whether two consecutive constant arithmetic expressions are allowed in query conditions |
minusAllow | true | Whether statements such as SELECT * FROM A MINUS SELECT * FROM B are allowed |
intersectAllow | true | Whether statements such as SELECT * FROM A INTERSECT SELECT * FROM B are allowed |
constArithmeticAllow | true | Intercept conditions containing constant arithmetic, such as WHERE FID = 3 - 1, where "3 - 1" is a constant arithmetic expression. |
limitZeroAllow | false | Whether statements such as limit 0 are allowed |
Disabled object detection configuration | | |
tableCheck | true | Detect use of disabled tables |
schemaCheck | true | Detect use of disabled schemas |
functionCheck | true | Detect use of disabled functions |
objectCheck | true | Detect use of "disabled objects" |
variantCheck | true | Detect use of "disabled variables" |
readOnlyTables | empty | The specified tables are read-only and cannot appear as the modified table in SELECT INTO, DELETE, UPDATE, INSERT or MERGE |