SSL-based MySQL (MariaDB) master-slave replication

I. Introduction

   Backing up the database is the first priority in a production environment, the most important task of all. Sometimes the database has to be replicated over the network, and then the data must be protected while it is in transit; SSL-based replication greatly improves the security of that data.

II. Preparation

1. Time synchronization between master and slave

[root@master ~]# crontab -e
*/30 * * * * /usr/sbin/ntpdate 172.16.0.1 &>/dev/null

2. MySQL layout

(1) Master server

   hostname:master    IP:172.16.7.202

(2) Slave server

   hostname:slave     IP:172.16.7.250

(3) Data directory

   /mydata/data

(4) Binary log directory

   /mydata/binlogs

(5) Relay log directory

   /mydata/relaylogs

III. Implementing SSL master-slave replication

1. Configuration file on master (172.16.7.202) after installation

thread_concurrency = 4
datadir = /mydata/data    # data directory
log-bin=/mydata/binlogs/master-bin
relay-log=/mydata/relaylogs/relay
sync_binlog = 1    # flush the buffered binary log to disk after every commit (1 = every write)
binlog_format=mixed    # binary log format: mixed
server-id       = 1       # the master's server-id is 1; the slave's is 2
#
#
# slave (172.16.7.250): same as master

2. Make master (172.16.7.202) the CA server

[root@master ~]# cd /etc/pki/CA
[root@master CA]#
[root@master CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................+++
..................+++
e is 65537 (0x10001)
[root@master CA]#
[root@master CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:sina
Organizational Unit Name (eg, section) []:mysql
Common Name (eg, your name or your server's hostname) []:master.sina.com
Email Address []:
[root@master CA]# touch index.txt serial crlnumber
[root@master CA]# echo 01 > serial

3. Issue a certificate for master (172.16.7.202)

[root@master CA]# mkdir /usr/local/mysql/ssl
[root@master CA]# cd /usr/local/mysql/ssl
[root@master ssl]# (umask 077;openssl genrsa -out master.key 2048)
Generating RSA private key, 2048 bit long modulus
..........+++
............................................................+++
e is 65537 (0x10001)
[root@master ssl]#
[root@master ssl]# openssl req -new -key master.key -out master.csr -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:sina
Organizational Unit Name (eg, section) []:mysql
Common Name (eg, your name or your server's hostname) []:master.sina.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@master ssl]#
[root@master ssl]# openssl ca -in master.csr -out master.crt -days 36500
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  3 13:34:58 2014 GMT
            Not After : Apr  9 13:34:58 2114 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = sina
            organizationalUnitName    = mysql
            commonName                = master.sina.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                62:EF:37:1D:96:FF:8A:89:47:09:2D:93:74:42:14:BF:8E:AC:51:49
            X509v3 Authority Key Identifier:
                keyid:6B:73:D6:FE:81:13:2C:0E:EC:61:EE:F7:6F:92:91:6D:82:37:A0:11
Certificate is to be certified until Apr  9 13:34:58 2114 GMT (36500 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. Generate a certificate signing request on slave

[root@slave ~]# mkdir /usr/local/mysql/ssl
[root@slave ~]# cd /usr/local/mysql/ssl
[root@slave ssl]# (umask 077;openssl genrsa -out slave.key 2048)
Generating RSA private key, 2048 bit long modulus
.....................................................+++
........................................+++
e is 65537 (0x10001)
[root@slave ssl]#
[root@slave ssl]# openssl req -new -key slave.key -out slave.csr -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:sina
Organizational Unit Name (eg, section) []:mysql
Common Name (eg, your name or your server's hostname) []:slave.sina.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@slave ssl]#
[root@slave ssl]#
[root@slave ssl]# scp slave.csr root@172.16.7.202:/root

5. Issue a certificate for slave (172.16.7.250)

[root@master ~]# openssl ca -in slave.csr -out slave.crt -days 36500
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: May  3 13:43:28 2014 GMT
            Not After : Apr  9 13:43:28 2114 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = sina
            organizationalUnitName    = mysql
            commonName                = slave.sina.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                20:CB:55:9C:D0:7A:F0:25:70:AC:84:2B:8E:F4:24:FB:1F:51:48:9D
            X509v3 Authority Key Identifier:
                keyid:6B:73:D6:FE:81:13:2C:0E:EC:61:EE:F7:6F:92:91:6D:82:37:A0:11
Certificate is to be certified until Apr  9 13:43:28 2114 GMT (36500 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@master ~]#
[root@master ~]#
[root@master ~]# scp slave.crt root@172.16.7.250:/usr/local/mysql/ssl/

6. Provide the CA certificate to master and slave

[root@master ~]# cp /etc/pki/CA/cacert.pem /usr/local/mysql/ssl/
[root@master ~]# scp /etc/pki/CA/cacert.pem root@172.16.7.250:/usr/local/mysql/ssl/

7. Change the owner and group of the files on master and slave to "mysql"

[root@master ~]# chown -R mysql.mysql /usr/local/mysql/ssl/
[root@master ~]# ll /usr/local/mysql/ssl/
total 20
-rw-r--r-- 1 mysql mysql 1330 May  3 21:48 cacert.pem
-rw-r--r-- 1 mysql mysql 4465 May  3 21:35 master.crt
-rw-r--r-- 1 mysql mysql 1009 May  3 21:33 master.csr
-rw------- 1 mysql mysql 1675 May  3 21:32 master.key
###
###
[root@slave ssl]# chown -R mysql.mysql /usr/local/mysql/ssl/
[root@slave ssl]# ll /usr/local/mysql/ssl/
total 20
-rw-r--r-- 1 mysql mysql 1330 May  3 21:49 cacert.pem
-rw-r--r-- 1 mysql mysql 4460 May  3 21:44 slave.crt
-rw-r--r-- 1 mysql mysql 1005 May  3 21:40 slave.csr
-rw------- 1 mysql mysql 1679 May  3 21:38 slave.key
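Steps 2 to 7 above are interactive and spread over two hosts. The following script is an added example, not code from the original post: it performs the same procedure non-interactively (CA key and self-signed CA certificate, a key/CSR/signed certificate for master and for slave, verification of each certificate against the CA, and the 0600/0644 permissions the post applies by hand). It assumes openssl is installed, writes everything under a scratch directory ($WORK, a temporary directory by default) instead of /etc/pki/CA and /usr/local/mysql/ssl, uses a 10-year validity instead of the post's 36500 days, and signs with "openssl x509 -req -CA" rather than "openssl ca", so no index.txt/serial database is needed. The subject fields mirror the post; the CA Common Name is an assumed value.

```shell
#!/bin/sh
# Added example (not from the original post): steps 2-7 as one script.
# Assumes openssl is installed and that $WORK is a scratch directory that
# stands in for /etc/pki/CA (CA material) and /usr/local/mysql/ssl (per host).
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ_BASE="/C=CN/ST=Beijing/L=Beijing/O=sina/OU=mysql"

# Create the CA: a 2048-bit RSA key readable only by its owner, plus a
# self-signed CA certificate (the CA Common Name is an assumed value).
make_ca() {
    mkdir -p "$WORK/ca"
    (umask 077; openssl genrsa -out "$WORK/ca/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$WORK/ca/cakey.pem" \
        -out "$WORK/ca/cacert.pem" -days 3650 \
        -subj "$SUBJ_BASE/CN=replication-ca.sina.com" 2>/dev/null
}

# Issue a certificate for one host. $1 = short name (master/slave),
# $2 = Common Name. Key, CSR, signed certificate and a copy of the CA
# certificate end up in $WORK/$1, mirroring /usr/local/mysql/ssl on that host.
issue_cert() {
    name="$1"; cn="$2"; dir="$WORK/$name"
    mkdir -p "$dir"
    (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "$SUBJ_BASE/CN=$cn" 2>/dev/null
    # -CAcreateserial keeps a serial file next to the CA so serials stay unique
    openssl x509 -req -in "$dir/$name.csr" \
        -CA "$WORK/ca/cacert.pem" -CAkey "$WORK/ca/cakey.pem" -CAcreateserial \
        -out "$dir/$name.crt" -days 3650 2>/dev/null
    cp "$WORK/ca/cacert.pem" "$dir/cacert.pem"
}

# Return 0 if the host certificate chains to our CA, which is exactly what
# the peer will check once ssl_ca / master_ssl_ca point at cacert.pem.
verify_cert() {
    openssl verify -CAfile "$WORK/ca/cacert.pem" "$WORK/$1/$1.crt" >/dev/null 2>&1
}

# Print the Common Name recorded in a host certificate.
cert_cn() {
    openssl x509 -noout -subject -in "$WORK/$1/$1.crt" | sed 's/.*CN *= *//'
}

# Step 7: private key 0600, certificates 0644, owned by mysql where possible
# (chown needs root and an existing mysql user, so it is best-effort here).
fix_perms() {
    dir="$WORK/$1"
    chmod 0600 "$dir/$1.key"
    chmod 0644 "$dir/$1.crt" "$dir/cacert.pem"
    chown mysql:mysql "$dir"/* 2>/dev/null || true
}

# Octal permission bits of a host's private key (GNU stat, then BSD stat).
key_mode() {
    stat -c '%a' "$WORK/$1/$1.key" 2>/dev/null || stat -f '%Lp' "$WORK/$1/$1.key"
}

build_all() {
    make_ca
    issue_cert master master.sina.com
    issue_cert slave  slave.sina.com
    fix_perms master
    fix_perms slave
}

build_all
printf 'CA and host certificates written under %s\n' "$WORK"
```

Copy $WORK/master and $WORK/slave to /usr/local/mysql/ssl on the respective hosts and the my.cnf entries in step 8 apply unchanged. Only the CA's cacert.pem and the host's own key and certificate need to leave the CA machine; cakey.pem should stay on the CA host, as it does in the post.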

8. Edit the MySQL configuration file to enable SSL

[root@master ~]# vim /etc/my.cnf
[mysqld]
ssl
ssl_ca = /usr/local/mysql/ssl/cacert.pem
ssl_key = /usr/local/mysql/ssl/master.key
ssl_cert = /usr/local/mysql/ssl/master.crt
[root@master ~]# service mysqld restart
#
#
[root@slave ~]# vim /etc/my.cnf
[mysqld]
ssl
ssl_ca = /usr/local/mysql/ssl/cacert.pem
ssl_key = /usr/local/mysql/ssl/slave.key
ssl_cert = /usr/local/mysql/ssl/slave.crt
[root@slave ~]# service mysqld restart

9. On master, verify that SSL is enabled and create a replication user that must use SSL

[root@master ~]# mysql
MariaDB [(none)]> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | NO                              |
| have_ssl      | YES                             |
| ssl_ca        | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath    |                                 |
| ssl_cert      | /usr/local/mysql/ssl/master.crt |
| ssl_cipher    |                                 |
| ssl_crl       |                                 |
| ssl_crlpath   |                                 |
| ssl_key       | /usr/local/mysql/ssl/master.key |
+---------------+---------------------------------+
MariaDB [(none)]>
MariaDB [(none)]> grant replication slave,replication client on *.* to 'repluser'@'172.16.%.%' identified by 'repluser' require ssl;
MariaDB [(none)]> flush privileges;

10. Check master status

MariaDB [(none)]> show master status;
+-------------------+----------+--------------+------------------+
| File              | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+----------+--------------+------------------+
| master-bin.000002 |      652 |              |                  |
+-------------------+----------+--------------+------------------+

11. Verify that SSL is enabled on slave

[root@slave ~]# mysql
MariaDB [(none)]>
MariaDB [(none)]> show variables like '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | NO                              |
| have_ssl      | YES                             |
| ssl_ca        | /usr/local/mysql/ssl/cacert.pem |
| ssl_capath    |                                 |
| ssl_cert      | /usr/local/mysql/ssl/slave.crt  |
| ssl_cipher    |                                 |
| ssl_crl       |                                 |
| ssl_crlpath   |                                 |
| ssl_key       | /usr/local/mysql/ssl/slave.key  |
+---------------+---------------------------------+

12. Connect slave to master

MariaDB [(none)]> change master to master_host='172.16.7.202',master_user='repluser',master_password='repluser',master_log_file='master-bin.000002',master_log_pos=652,master_ssl=1,master_ssl_ca='/usr/local/mysql/ssl/cacert.pem',master_ssl_cert='/usr/local/mysql/ssl/slave.crt',master_ssl_key='/usr/local/mysql/ssl/slave.key';
Query OK, 0 rows affected (0.06 sec)
MariaDB [(none)]>
MariaDB [(none)]>
MariaDB [(none)]> start slave;
Query OK, 0 rows affected (0.04 sec)
MariaDB [(none)]>
MariaDB [(none)]>
MariaDB [(none)]> show slave status\G
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 172.16.7.202
                  Master_User: repluser
                  Master_Port: 3306
                Connect_Retry: 60
              Master_Log_File: master-bin.000002
          Read_Master_Log_Pos: 652
               Relay_Log_File: relay.000002
                Relay_Log_Pos: 536
        Relay_Master_Log_File: master-bin.000002
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
              Replicate_Do_DB:
          Replicate_Ignore_DB:
           Replicate_Do_Table:
       Replicate_Ignore_Table:
      Replicate_Wild_Do_Table:
  Replicate_Wild_Ignore_Table:
                   Last_Errno: 0
                   Last_Error:
                 Skip_Counter: 0
          Exec_Master_Log_Pos: 652
              Relay_Log_Space: 823
              Until_Condition: None
               Until_Log_File:
                Until_Log_Pos: 0
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /usr/local/mysql/ssl/cacert.pem
           Master_SSL_CA_Path:
              Master_SSL_Cert: /usr/local/mysql/ssl/slave.crt
            Master_SSL_Cipher:
               Master_SSL_Key: /usr/local/mysql/ssl/slave.key
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
                Last_IO_Error:
               Last_SQL_Errno: 0
               Last_SQL_Error:
  Replicate_Ignore_Server_Ids:
             Master_Server_Id: 1
               Master_SSL_Crl: /usr/local/mysql/ssl/cacert.pem
           Master_SSL_Crlpath:
                   Using_Gtid: No
                  Gtid_IO_Pos:
1 row in set (0.00 sec)
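The status above shows Master_SSL_Allowed: Yes but Master_SSL_Verify_Server_Cert: No, because the CHANGE MASTER statement sets master_ssl=1 without master_ssl_verify_server_cert=1. With that setting the slave encrypts the link but does not check that the certificate it is offered was issued by the CA for the host named in master_host (MariaDB's MASTER_SSL_VERIFY_SERVER_CERT option; it compares the certificate's Common Name with master_host, so the master certificate would then need to be issued for the name or address used there). The script below is an added example, not part of the original post: a shell check that reads SHOW SLAVE STATUS\G output in the "Key: Value" layout shown above and reports the fields that matter for a running, encrypted and verified link. The sample status is constructed from the post's own values (shortened); real output is assumed to come from mysql -e 'SHOW SLAVE STATUS\G'.

```shell
#!/bin/sh
# Added example (not from the original post): check SHOW SLAVE STATUS\G
# output for an encrypted, verified, running replication link.
set -eu

# Constructed sample built from the post's status output (shortened).
# Note that Master_SSL_Verify_Server_Cert is "No".
SAMPLE_STATUS=$(cat <<'EOF'
*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 172.16.7.202
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /usr/local/mysql/ssl/cacert.pem
              Master_SSL_Cert: /usr/local/mysql/ssl/slave.crt
               Master_SSL_Key: /usr/local/mysql/ssl/slave.key
        Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
                Last_IO_Errno: 0
EOF
)

# Print the value of field $1 from a status dump read on stdin.
# Matching "Key:" with the colon keeps Master_SSL_Crl from matching
# Master_SSL_Crlpath, and the leading padding is stripped first.
field() {
    awk -v key="$1" '
        { line = $0; sub(/^[ ]+/, "", line) }
        index(line, key ":") == 1 {
            v = substr(line, length(key) + 2); sub(/^[ ]+/, "", v); print v; exit
        }'
}

# Report on a status dump passed as $1: one line per check, return 0 only
# when both threads run, SSL is in use, the master certificate is verified
# and the I/O thread reports no error.
check_slave_status() {
    status="$1"; rc=0
    for key in Slave_IO_Running Slave_SQL_Running \
               Master_SSL_Allowed Master_SSL_Verify_Server_Cert; do
        val=$(printf '%s\n' "$status" | field "$key")
        if [ "$val" = "Yes" ]; then
            printf 'OK   %s=%s\n' "$key" "$val"
        else
            printf 'FAIL %s=%s\n' "$key" "${val:-<missing>}"
            rc=1
        fi
    done
    errno=$(printf '%s\n' "$status" | field Last_IO_Errno)
    [ "${errno:-0}" = "0" ] || { printf 'FAIL Last_IO_Errno=%s\n' "$errno"; rc=1; }
    return $rc
}

if check_slave_status "$SAMPLE_STATUS"; then
    echo "replication link OK"
else
    echo "replication link needs attention (see FAIL lines above)"
fi
```

Run against the post's status, the check prints FAIL for Master_SSL_Verify_Server_Cert and nothing else. On the master side, the complementary tightening is to grant the replication user with REQUIRE X509 (or REQUIRE SUBJECT) instead of REQUIRE SSL, so the master insists on the slave presenting a certificate signed by the CA rather than merely on an encrypted connection.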

IV. Verifying replication

1. Create database hlbrc on master

MariaDB [(none)]> create database hlbrc;
Query OK, 1 row affected (0.01 sec)
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| hlbrc              |
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+

2. Verify on slave

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| hlbrc              |
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+