#> ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-stream --with-stream_ssl_module
Note: the stream module is only available in nginx 1.9 and later (it has to be compiled in with --with-stream; --with-stream_ssl_module is only needed if nginx itself is to terminate TLS, which the plain TCP forwarding below does not do).
stream {
    # load balancing
    upstream mysqlBackend {
        hash $remote_addr consistent;
        server 127.0.0.1:61666;
        # server 192.168.0.10:3306 weight=5;
        # server 192.168.0.11:3306 max_fails=3 fail_timeout=30s;
    }
    # the externally exposed port-forwarding service; SSL-encrypted traffic passes through it unchanged
    server {
        # listening port, choose as needed
        listen 56789;
        # reverse proxy / load balancing
        proxy_pass mysqlBackend;
        # add other settings as required
    }
}
Note: stream sits at the same level as http, and the directives inside stream mirror part of what http accepts. In this mode nginx only copies TCP bytes, so the TLS session set up in the following steps is negotiated end to end between the MySQL client and mysqld; nginx neither terminates nor inspects it, and the server certificate the client sees is the one mysqld presents. hash $remote_addr consistent pins each client IP to the same backend, which is what you want for a stateful database connection.
#> mysql -uroot -p                       # press Enter at the password prompt
mysql> show variables like '%ssl%';     # check whether MySQL has SSL enabled
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_crl       |          |
| ssl_crlpath   |          |
| ssl_key       |          |
+---------------+----------+
9 rows in set (0.00 sec)
Note: when have_openssl and have_ssl show DISABLED, this MySQL server was built with SSL support but has no certificate and key configured, so SSL is not yet enabled (a value of NO would mean the binary was built without SSL at all).
#> cd /usr/local/mysql/bin          # enter MySQL's bin directory
#> ./mysql_ssl_rsa_setup            # generate the CA, server and client certificates for MySQL
Generating a 2048 bit RSA private key
.......................+++
............................................................................+++
writing new private key to 'ca-key.pem'
-----
Generating a 2048 bit RSA private key
...............................................+++
.....+++
writing new private key to 'server-key.pem'
-----
Generating a 2048 bit RSA private key
.............+++
...................................+++
writing new private key to 'client-key.pem'
-----
#> chown mysql:mysql /usr/local/mysql/data/*.pem   # hand the generated files to the mysql user/group (they are written to the datadir, not to bin)
Note: the certificates are written to the data directory under the MySQL install path, as files with a .pem suffix. Check that the three *-key.pem files are readable only by the mysql user (mode 600): anyone who can read server-key.pem can impersonate the server, and anyone who can read ca-key.pem can mint trusted client certificates.
ca.pem            Self-signed CA certificate
ca-key.pem        CA private key
server-cert.pem   Server certificate
server-key.pem    Server private key
client-cert.pem   Client certificate
client-key.pem    Client private key
RSA key pair generated at startup (used by sha256_password for password exchange, independent of the TLS files above):
private_key.pem   Private member of private/public key pair
public_key.pem    Public member of private/public key pair
Reference: http://dev.mysql.com/doc/refman/5.7/en/creating-ssl-rsa-files-using-mysql.html
Using SSL connections: http://dev.mysql.com/doc/refman/5.7/en/using-ssl-connections.html
Exporting the client certificate (sz is the ZMODEM download from lrzsz; transfer client-key.pem over a protected channel only):
# sz ca.pem
# sz client-cert.pem
# sz client-key.pem
[mysqld]
ssl-ca=/usr/local/mysql/data/ca.pem
ssl-cert=/usr/local/mysql/data/server-cert.pem
ssl-key=/usr/local/mysql/data/server-key.pem
[client]
ssl-ca=/usr/local/mysql/data/ca.pem
ssl-cert=/usr/local/mysql/data/client-cert.pem
ssl-key=/usr/local/mysql/data/client-key.pem
5. Restart the MySQL service and check whether SSL is now enabled
#> systemctl restart mysqld            # restart the MySQL server so it reads the new [mysqld] settings
#> mysql -uroot -p                      # log in to MySQL
mysql> show variables like '%ssl%';    # check whether SSL is enabled
+---------------+---------------------------------------+
| Variable_name | Value                                 |
+---------------+---------------------------------------+
| have_openssl  | YES                                   |
| have_ssl      | YES                                   |
| ssl_ca        | /usr/local/mysql/data/ca.pem          |
| ssl_capath    |                                       |
| ssl_cert      | /usr/local/mysql/data/server-cert.pem |
| ssl_cipher    |                                       |
| ssl_crl       |                                       |
| ssl_crlpath   |                                       |
| ssl_key       | /usr/local/mysql/data/server-key.pem  |
+---------------+---------------------------------------+
9 rows in set (0.00 sec)
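The files mysql_ssl_rsa_setup produced are only worth pointing [mysqld] and [client] at if they are consistent: each certificate must chain to ca.pem, each private key must belong to its certificate, and no key may be readable by other users. The script below is an added example, not part of the original post or of MySQL's own tooling. It builds an equivalent ca/server/client set with plain openssl in a temporary directory (constructed input, so it runs offline) and then runs those three checks on it; on a real server, set MYSQL_SSL_DIR to the datadir (for this post, /usr/local/mysql/data) so that only the checks run against the existing files. The function names, the subject names and the MYSQL_SSL_DIR variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: consistency checks for the
# ca/server/client PEM files that mysqld and its clients will use.
# Function names, subject names and MYSQL_SSL_DIR are assumptions.
set -eu

# make_mysql_ssl_files DIR
# Builds a self-signed CA plus CA-signed server and client certificates with
# plain openssl, the same shape as what mysql_ssl_rsa_setup writes into the
# datadir. Used here only to produce constructed input for the checks below.
make_mysql_ssl_files() {
    dir=$1
    mkdir -p "$dir"
    (
        cd "$dir"
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -keyout ca-key.pem -out ca.pem \
            -subj "/CN=MySQL_Example_CA" 2>/dev/null
        for role in server client; do
            openssl req -newkey rsa:2048 -nodes \
                -keyout "${role}-key.pem" -out "${role}.csr" \
                -subj "/CN=MySQL_Example_${role}" 2>/dev/null
            openssl x509 -req -days 3650 -CA ca.pem -CAkey ca-key.pem \
                -CAcreateserial -in "${role}.csr" -out "${role}-cert.pem" 2>/dev/null
            rm -f "${role}.csr"
        done
        # private keys readable by the owner only (same idea as the chown step above)
        chmod 600 ca-key.pem server-key.pem client-key.pem
    )
}

# pubkey_digest FILE KIND   (KIND is "cert" or "key") -> sha256 of the public key
# Both paths emit the SubjectPublicKeyInfo in PEM, so equal digests mean the
# key really is the one the certificate was issued for.
pubkey_digest() {
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -noout -pubkey | openssl sha256
    else
        openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256
    fi
}

# check_mysql_ssl_files DIR
# Returns 0 only if server-cert.pem and client-cert.pem verify against ca.pem,
# each *-key.pem matches its *-cert.pem, and no private key is group/world readable.
check_mysql_ssl_files() {
    dir=$1
    for role in server client; do
        cert="$dir/${role}-cert.pem"
        key="$dir/${role}-key.pem"
        # 1. chain: mysqld (server) and the clients (client) must accept it under ca.pem
        openssl verify -CAfile "$dir/ca.pem" "$cert" >/dev/null 2>&1 \
            || { echo "$cert does not chain to $dir/ca.pem" >&2; return 1; }
        # 2. key/cert match
        [ "$(pubkey_digest "$cert" cert)" = "$(pubkey_digest "$key" key)" ] \
            || { echo "$key does not match $cert" >&2; return 1; }
    done
    # 3. permissions: 600 (or 400); Linux stat first, BSD/macOS stat as fallback
    for key in "$dir/ca-key.pem" "$dir/server-key.pem" "$dir/client-key.pem"; do
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case "$mode" in
            *00) ;;
            *) echo "$key has mode $mode, expected 600" >&2; return 1 ;;
        esac
    done
    return 0
}

# With MYSQL_SSL_DIR set (e.g. /usr/local/mysql/data) only the checks run;
# otherwise a throw-away set is generated in a temporary directory.
if [ -n "${MYSQL_SSL_DIR:-}" ]; then
    target=$MYSQL_SSL_DIR
else
    target=$(mktemp -d)
    make_mysql_ssl_files "$target"
fi
check_mysql_ssl_files "$target" && echo "PEM files in $target are consistent"
```

Run it once before editing my.cnf and again whenever the files are replaced; a failure in step 1 or 2 is exactly what produces the "SSL connection error" that is otherwise hard to diagnose after the restart, and a failure in step 3 is the case where SSL works but the key has already leaked to every local account.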
mysql> GRANT ALL PRIVILEGES ON *.* TO 'username'@'%' IDENTIFIED BY 'password' REQUIRE SSL;   # create a user that can only connect over SSL
mysql> FLUSH PRIVILEGES;   # reload the grant tables so the change takes effect
Note: REQUIRE SSL only forces the connection to be encrypted; REQUIRE X509 additionally makes the client present a certificate that validates against ca.pem (the exported client-cert.pem/client-key.pem), which is what stops a stolen password from being enough on its own. ALL PRIVILEGES ON *.* for a '%' host is far more than an SSL-only account needs: restrict the databases, privileges and source host exactly as for any other account. GRANT ... IDENTIFIED BY is MySQL 5.7 syntax; MySQL 8.0 uses CREATE USER ... REQUIRE SSL followed by a separate GRANT.
Client verification
λ mysql -h172.16.8.244 -P61666 -ussltest -p
Enter password: ********
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.27-log MySQL Community Server (GPL)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> status;
--------------
mysql  Ver 14.14 Distrib 5.7.28, for Win64 (x86_64)

Connection id:          3
Current database:
Current user:           ssltest@172.16.8.18
SSL:                    Cipher in use is DHE-RSA-AES256-SHA
Using delimiter:        ;
Server version:         5.7.27-log MySQL Community Server (GPL)
Protocol version:       10
Connection:             172.16.8.244 via TCP/IP
Server characterset:    utf8mb4
Db     characterset:    utf8mb4
Client characterset:    gbk
Conn.  characterset:    gbk
TCP port:               61666
Uptime:                 18 min 11 sec

Threads: 1  Questions: 10  Slow queries: 0  Opens: 116  Flush tables: 1  Open tables: 109  Queries per second avg: 0.009
--------------
Note: the SSL line only proves the session is encrypted. The 5.7 command-line client defaults to --ssl-mode=PREFERRED and does not check who issued the server certificate, so run it with --ssl-mode=VERIFY_CA --ssl-ca=ca.pem (the exported ca.pem) if a host or proxy impersonating the server is to be rejected; the status output looks identical either way.
Once a user has been restricted to SSL connections, the corresponding JDBC URL must carry "&useSSL=true", otherwise MySQL refuses the connection. For example:
jdbc:mysql://127.0.0.1:3306/[database]?serverTimezone=GMT%2B8&characterEncoding=utf-8&useSSL=true&failOverReadOnly=false&autoReconnect=true&roundRobinLoadBalance=true&nullCatalogMeansCurrent=true
Note: useSSL=true satisfies the REQUIRE SSL rule but, by itself, does not make Connector/J check the server certificate. Set verifyServerCertificate=true as well and give the driver a truststore containing ca.pem (trustCertificateKeyStoreUrl and trustCertificateKeyStorePassword); encryption without certificate verification does not stop an active man-in-the-middle between the application and the proxy port.
The client tool must likewise be set to connect with [Use SSL], for example in Navicat's connection settings.
Copyright © 2003-2013 www.wpsshop.cn. All rights reserved.