Mycat SQL firewall

If the SQL interceptor that Mycat provides is for auditing SQL statements after the fact, then the SQL firewall that Mycat provides is for prevention in advance.

Why do I need a SQL firewall?

Those familiar with MySQL know that we can specify that a user may only access the database from certain IPs. However, once Mycat is in use, all authentication for database access is handed over to Mycat. Previously, any user we configured in Mycat's server.xml file could log in to the database from any host that could reach Mycat, which is very unsafe. Mycat's SQL firewall gives us unified control over which users can access the back-end database from which hosts.

In addition, Mycat's SQL firewall implements a SQL blocking function that lets us block certain SQL statements, such as DELETE statements without a WHERE condition, DROP statements and so on, to improve the security of the data.

How do I enable Mycat's SQL firewall?

To enable Mycat's SQL firewall, add a firewall tag to the server.xml file, as shown below.

<firewall>
    <whitehost>
        <host user="root" host="127.0.0.1"></host>
    </whitehost>
    <blacklist check="true">
        <property name="noneBaseStatementAllow">true</property>
        <property name="deleteWhereNoneCheck">true</property>
    </blacklist>
</firewall>

Here the whitehost tag configures the whitelist of hosts and users. Once Mycat's SQL firewall is enabled, only the hosts and users configured in the whitelist can access Mycat. With the configuration above, for example, only the root user on the host where Mycat itself runs can access Mycat; other users and other hosts cannot.

The blacklist tag configures the blacklist, i.e. which operations Mycat should restrict. In the configuration above, we configured whether DDL operations are allowed (true means not allowed) and whether to check DELETE statements for a missing WHERE condition (true means the check is performed and such statements are not allowed).

Actual configuration

Next, we add the above configuration to the server.xml file. The final server.xml file is shown below.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mycat:server SYSTEM "server.dtd">
<mycat:server xmlns:mycat="http://io.mycat/">
    <system>
        <property name="useHandshakeV10">1</property>
        <property name="defaultSqlParser">druidparser</property>
        <property name="serverPort">3307</property>
        <property name="managerPort">3308</property>
        <property name="nonePasswordLogin">0</property>
        <property name="bindIp">0.0.0.0</property>
        <property name="charset">utf8mb4</property>
        <property name="frontWriteQueueSize">2048</property>
        <property name="txIsolation">2</property>
        <property name="processors">2</property>
        <property name="idleTimeout">1800000</property>
        <property name="sqlExecuteTimeout">300</property>
        <property name="useSqlStat">0</property>
        <property name="useGlobleTableCheck">0</property>
        <property name="sequenceHandlerType">1</property>
        <property name="defaultMaxLimit">1000</property>
        <property name="maxPacketSize">104857600</property>

        <property name="sqlInterceptor">
            io.mycat.server.interceptor.impl.StatisticsSqlInterceptor
        </property>
        <property name="sqlInterceptorType">
            UPDATE,DELETE,INSERT
        </property>
        <property name="sqlInterceptorFile">/tmp/sql.txt</property>
    </system>

    <firewall>
        <whitehost>
            <host user="mycat" host="192.168.175.150"></host>
        </whitehost>
        <blacklist check="true">
            <property name="noneBaseStatementAllow">true</property>
            <property name="deleteWhereNoneCheck">true</property>
        </blacklist>
    </firewall>

    <user name="mycat" defaultAccount="true">
        <property name="usingDecrypt">1</property>
        <property name="password">cTwf23RrpBCEmalp/nx0BAKenNhvNs2NSr9nYiMzHADeEDEfwVWlI6hBDccJjNBJqJxnunHFp5ae63PPnMfGYA==</property>
        <property name="schemas">shop</property>
    </user>

</mycat:server>

With the above configuration, only the mycat user on host 192.168.175.150 is allowed to access Mycat, DDL operations are not allowed, and DELETE statements without a WHERE condition are not allowed to execute.
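A small audit script, added here as an example and not part of Mycat or of the original post, that reads a server.xml, extracts the firewall section configured above and reports the effective blacklist policy: it fills in the Druid defaults from the appendix table for options the file does not set, and flags settings that leave the firewall weaker than intended. The sample server.xml is constructed inline from this page's configuration; the risk notes are this example's own.

```python
import xml.etree.ElementTree as ET

# Defaults for a subset of the blacklist options listed in the appendix.
DEFAULTS = {
    "deleteWhereNoneCheck": "false",
    "updateWhereNoneCheck": "false",
    "selectIntoOutfileAllow": "false",
    "multiStatementAllow": "false",
    "truncateAllow": "true",
}

# option -> (value that weakens the firewall, why it matters); this example's own notes.
RISKY = {
    "deleteWhereNoneCheck": ("false", "DELETE without a WHERE clause is not blocked"),
    "updateWhereNoneCheck": ("false", "UPDATE without a WHERE clause is not blocked"),
    "selectIntoOutfileAllow": ("true", "SELECT ... INTO OUTFILE is allowed"),
    "multiStatementAllow": ("true", "multiple statements in one request are allowed"),
    "truncateAllow": ("true", "TRUNCATE is allowed"),
}

# Constructed sample modelled on the page's server.xml (DOCTYPE omitted so it parses offline).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mycat:server xmlns:mycat="http://io.mycat/">
  <firewall>
    <whitehost>
      <host user="mycat" host="192.168.175.150"></host>
    </whitehost>
    <blacklist check="true">
      <property name="noneBaseStatementAllow">true</property>
      <property name="deleteWhereNoneCheck">true</property>
    </blacklist>
  </firewall>
</mycat:server>
"""

def audit_firewall(xml_text):
    """Return the effective firewall policy of a server.xml plus a list of findings."""
    root = ET.fromstring(xml_text)
    report = {"enabled": False, "whitehosts": [], "check": False,
              "effective": dict(DEFAULTS), "findings": []}
    fw = root.find("firewall")  # child elements carry no namespace prefix
    if fw is None:
        report["findings"].append("no <firewall> section: any configured user may log in from any host")
        return report
    report["enabled"] = True
    report["whitehosts"] = [(h.get("user"), h.get("host")) for h in fw.iter("host")]
    if not report["whitehosts"]:
        report["findings"].append("whitehost list is empty")
    bl = fw.find("blacklist")
    if bl is None or bl.get("check", "false").lower() != "true":
        report["findings"].append("blacklist checks are not enabled (check is not \"true\")")
    else:
        report["check"] = True
        for prop in bl.findall("property"):  # explicit settings override the defaults
            report["effective"][prop.get("name")] = (prop.text or "").strip().lower()
    for name, (bad, why) in RISKY.items():
        if report["effective"].get(name) == bad:
            report["findings"].append(f"{name}={bad}: {why}")
    return report

if __name__ == "__main__":
    for line in audit_firewall(SAMPLE_SERVER_XML)["findings"]:
        print(line)
```

For the page's configuration the script reports that UPDATE without WHERE is still unchecked and TRUNCATE is still allowed, since neither option is set in the blacklist.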

Appendix: blacklist interception configuration details

Configuration item (default value): description

selectAllow (true): Whether to allow SELECT statements.
selectAllColumnAllow (true): Whether to allow statements of the form SELECT * FROM T. If set to false, select * from t is not allowed, but select * from (select id, name from t) a is. This option defends against using select * to obtain the structure of a table.
selectIntoAllow (true): Whether to allow SELECT INTO statements.
deleteAllow (true): Whether to allow DELETE statements.
updateAllow (true): Whether to allow UPDATE statements.
insertAllow (true): Whether to allow INSERT statements.
replaceAllow (true): Whether to allow REPLACE statements.
mergeAllow (true): Whether to allow MERGE statements; only meaningful on Oracle.
callAllow (true): Whether to allow calling stored procedures through the JDBC call syntax.
setAllow (true): Whether to allow the SET syntax.
truncateAllow (true): TRUNCATE statements are dangerous; they are allowed by default, so disable this yourself if needed.
createTableAllow (true): Whether to allow CREATE TABLE statements.
alterTableAllow (true): Whether to allow ALTER TABLE statements.
dropTableAllow (true): Whether to allow DROP TABLE statements.
commentAllow (false): Whether to allow comments inside statements; Oracle users need not worry, Wall can tell hints apart from comments.
noneBaseStatementAllow (false): Whether to allow non-basic statements, i.e. anything other than the statement types above; disabled by default. This option can be used to block DDL.
multiStatementAllow (false): Whether to allow executing multiple statements at once; disabled by default.
useAllow (true): Whether to allow MySQL USE statements; enabled by default.
describeAllow (true): Whether to allow MySQL DESCRIBE statements; enabled by default.
showAllow (true): Whether to allow MySQL SHOW statements; enabled by default.
commitAllow (true): Whether to allow the COMMIT operation.
rollbackAllow (true): Whether to allow the ROLLBACK operation.

Note: if selectIntoAllow, deleteAllow, updateAllow, insertAllow and mergeAllow are all set to false, the data source is read-only.

Interception configuration: always-true conditions

selectWhereAlwayTrueCheck (true): Check whether the WHERE clause of a SELECT statement is an always-true condition.
selectHavingAlwayTrueCheck (true): Check whether the HAVING clause of a SELECT statement is an always-true condition.
deleteWhereAlwayTrueCheck (true): Check whether the WHERE clause of a DELETE statement is an always-true condition.
deleteWhereNoneCheck (false): Check whether a DELETE statement has no WHERE condition; this is risky, but not a SQL injection risk.
updateWhereAlayTrueCheck (true): Check whether the WHERE clause of an UPDATE statement is an always-true condition.
updateWhereNoneCheck (false): Check whether an UPDATE statement has no WHERE condition; this is risky, but not a SQL injection risk.
conditionAndAlwayTrueAllow (false): Check whether the query conditions (WHERE / HAVING clause) contain an always-true AND condition.
conditionAndAlwayFalseAllow (false): Check whether the query conditions (WHERE / HAVING clause) contain an always-false AND condition.
conditionLikeTrueAllow (true): Check whether the query conditions (WHERE / HAVING clause) contain an always-true LIKE condition.

Other interception configuration

selectIntoOutfileAllow (false): Whether SELECT ... INTO OUTFILE is allowed; this is a common means of MySQL injection attacks, so it is disabled by default.
selectUnionCheck (true): Detect SELECT UNION.
selectMinusCheck (true): Detect SELECT MINUS.
selectExceptCheck (true): Detect SELECT EXCEPT.
selectIntersectCheck (true): Detect SELECT INTERSECT.
mustParameterized (false): Whether SQL must be parameterized; if true, non-parameterized SQL such as WHERE ID = 1 is not allowed.
strictSyntaxCheck (true): Whether to perform strict syntax checking. The Druid SQL Parser cannot cover all SQL syntax in some scenarios; if SQL parsing errors occur, this option can temporarily be set to false and the SQL reported to the Druid developers.
conditionOpXorAllow (false): Whether XOR conditions are allowed in query conditions. XOR is rarely used and it is hard to judge whether it is always true or always false, so it is not allowed by default.
conditionOpBitwseAllow (true): Whether the "&", "~", "|" and "^" operators are allowed in query conditions.
conditionDoubleConstAllow (false): Whether two consecutive constant arithmetic expressions are allowed in query conditions.
minusAllow (true): Whether statements like SELECT * FROM A MINUS SELECT * FROM B are allowed.
intersectAllow (true): Whether statements like SELECT * FROM A INTERSECT SELECT * FROM B are allowed.
constArithmeticAllow (true): Intercept conditions containing constant arithmetic, for example WHERE FID = 3 - 1, where "3 - 1" is a constant arithmetic expression.
limitZeroAllow (false): Whether statements like LIMIT 0 are allowed.

Forbidden-object detection configuration

tableCheck (true): Detect whether a forbidden table is used.
schemaCheck (true): Detect whether a forbidden schema is used.
functionCheck (true): Detect whether a forbidden function is used.
objectCheck (true): Detect whether a "forbidden object" is used.
variantCheck (true): Detect whether a "forbidden variable" is used.
readOnlyTables: The specified tables are read-only and may not appear as the "modified table" in SELECT INTO, DELETE, UPDATE, INSERT or MERGE.

Source: blog.csdn.net/l1028386804/article/details/104662017