Using mysql-proxy to proxy an intranet database

1. Use case
The machine running mysql-proxy is a proxy host, effectively a whitelist gatekeeper: firewall rules restrict which IPs are allowed to reach the port on this host that proxies the intranet database.
Advantage: the intranet database is never exposed on the public network, which keeps the database secure.
Disadvantage: once the mysql-proxy server goes down, no application can reach the database any more. Also, if many applications connect to the intranet database through mysql-proxy, the proxy server must have enough bandwidth; otherwise connections to the database become very slow or fail altogether.

2. Demo environment
Two physical machines, both running CentOS release 6.8 (Final).
One machine has an internal and an external NIC (104.137.27.4 and 192.168.1.100) and runs the mysql-proxy service.
One machine has an external NIC (104.137.27.3) and runs the MySQL service; log in to the database on this machine and grant an account that is allowed to connect from 104.137.27.4:

grant all on mtoyydb.* to zytestuser01@'104.137.27.4' identified by 'dr3dfKj=DHee';

mysql> flush privileges;

3. Installing mysql-proxy from the binary package
Download and unpack the package:

wget https://downloads.mysql.com/archives/get/file/mysql-proxy-0.8.5-linux-glibc2.3-x86-64bit.tar.gz
tar zxf mysql-proxy-0.8.5-linux-glibc2.3-x86-64bit.tar.gz -C /usr/local/
cd /usr/local/
mv mysql-proxy-0.8.5-linux-glibc2.3-x86-64bit  mysql-proxy
mkdir /usr/local/mysql-proxy/{conf,log} -p

Define the environment variables:

[root@book sysconfig]# tail -3 /etc/profile
LUA_PATH="/usr/local/mysql-proxy/share/doc/mysql-proxy/?.lua"
export LUA_PATH
export PATH=$PATH:/usr/local/mysql-proxy/bin

4. mysql-proxy parameters
4.1 Application options
mysql-proxy --help-all

[screenshot: "Application Options" section of the --help-all output]

4.2 Proxy-module options

[screenshot: proxy-module section of the --help-all output]

4.3 Production configuration file

[root@book mysql-proxy]# cat /usr/local/mysql-proxy/conf/mysql-proxy.conf 
[mysql-proxy]
user=www
daemon=true
keepalive=true
plugins=proxy,admin
### log level
log-level=info
log-file=/usr/local/mysql-proxy/log/mysql-proxy.log
### IP address of this host
proxy-address=104.137.27.4:9196

## primary backend; note the plural "addresses"
proxy-backend-addresses=104.137.27.3:3306

## IP and port for the proxy's admin user
admin-address=104.137.27.4:9197

### the following three parameters must be set, otherwise the mysql-proxy service will not start
admin-username=zykjadmin
admin-password=Zyjkwestos
### path to the admin lua script
admin-lua-script=/usr/local/mysql-proxy/lib/mysql-proxy/lua/admin.lua

5. Starting mysql-proxy

/usr/local/mysql-proxy/bin/mysql-proxy --defaults-file=/usr/local/mysql-proxy/conf/mysql-proxy.conf

[screenshot: mysql-proxy start-up]

Log in with the mysql-proxy admin account and list the reverse-proxy backends:
[root@book ~]# mysql -uzykjadmin -pZyjkwestos -h104.137.27.4 --port=9197

Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.99-agent-admin

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> SELECT * FROM backends;
+-------------+-------------------+-------+------+------+-------------------+
| backend_ndx | address           | state | type | uuid | connected_clients |
+-------------+-------------------+-------+------+------+-------------------+
|           1 | 104.137.27.3:3306 | up    | rw   | NULL |                 2 |
+-------------+-------------------+-------+------+------+-------------------+
1 row in set (0.00 sec)

MySQL [(none)]> SELECT * FROM help;
+------------------------+------------------------------------+
| command                | description                        |
+------------------------+------------------------------------+
| SELECT * FROM help     | shows this help                    |
| SELECT * FROM backends | lists the backends and their state |
+------------------------+------------------------------------+
2 rows in set (0.00 sec)

MySQL [(none)]>

6. Connecting to the reverse-proxied database with SQLyog

[screenshot: SQLyog connection settings]

Login succeeded:
[screenshot: SQLyog connected through the proxy]

7. Firewall policy on the mysql-proxy server

[root@book sysconfig]# cat /etc/sysconfig/iptables
#Generated by iptables-save v1.4.7 on Thu Mar  2 14:32:03 2017
*filter
:INPUT ACCEPT [358:20023]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2491:287941]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4567 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,81,443 -m state --state NEW -j ACCEPT
-A INPUT -s 104.137.27.6/32 -p tcp -m tcp --dport 873 -m state --state NEW -j ACCEPT
-A INPUT -s 304.37.57.45/32 -p tcp -m multiport --dports 9196 -j ACCEPT
-A INPUT -s 204.17.47.245/32 -p tcp -m multiport --dports 21,10050,3306 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 9196 -j DROP
##-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A INPUT -j DROP
COMMIT
#Completed on Thu Mar  2 14:32:03 2017

7.1 Explanation of the policy:

-A INPUT -p tcp -m tcp --dport 4567 -j ACCEPT
This is the sshd login port (the author writes 6029 here, while the rule above uses 4567).

-A INPUT -p tcp -m multiport --dports 80,81,443 -m state --state NEW -j ACCEPT
Allow the business ports 80, 81 and 443.
-A INPUT -s 104.137.27.6/32 -p tcp -m tcp --dport 873 -m state --state NEW -j ACCEPT
Allow the specific IP 104.137.27.6 to pull data from this server over rsync.

-A INPUT -s 304.37.57.45/32 -p tcp -m multiport --dports 9196 -j ACCEPT
Allow the designated IP 304.37.57.45 to connect to port 9196 of the mysql-proxy service, and through it to the intranet database.

-A INPUT -s 204.17.47.245/32 -p tcp -m multiport --dports 21,10050,3306 -j ACCEPT
Explanation: the 204.17.47.245 machine runs a -server; after dialing in to the -server you can then log in to ftp and to the 3306 database service.

-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
Explanation: rate-limit ping.

-A INPUT -j DROP
Explanation: every other client IP is denied access to all service ports on this server.
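As an added audit check that is not part of the original post, the following Python script parses the iptables-save dump from section 7 and classifies each listening port by who may reach it: the proxy port 9196 comes out as whitelisted, the admin port 9197 as closed to the outside, and the sshd port 4567 as open to any source. The sample dump is embedded from the page; port-range syntax in multiport and chains other than INPUT are assumed not to be used.

```python
import re
from typing import Dict, Set

# Constructed sample: the INPUT rules from the iptables-save dump in section 7.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [358:20023]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4567 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,81,443 -m state --state NEW -j ACCEPT
-A INPUT -s 104.137.27.6/32 -p tcp -m tcp --dport 873 -m state --state NEW -j ACCEPT
-A INPUT -s 304.37.57.45/32 -p tcp -m multiport --dports 9196 -j ACCEPT
-A INPUT -s 204.17.47.245/32 -p tcp -m multiport --dports 21,10050,3306 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 9196 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

def tcp_accept_sources(dump: str) -> Dict[str, Set[str]]:
    """Map each TCP destination port opened by an 'INPUT ... ACCEPT' rule to the
    sources allowed to reach it; a rule with no '-s' match is recorded as 'any'."""
    allowed: Dict[str, Set[str]] = {}
    for line in map(str.strip, dump.splitlines()):
        if not line.startswith("-A INPUT") or " -p tcp" not in line or not line.endswith("-j ACCEPT"):
            continue  # commented-out lines, non-TCP rules and DROP rules open nothing
        src = re.search(r" -s (\S+)", line)
        ports = re.search(r" --dports? (\S+)", line)
        if ports is None:
            continue
        for port in ports.group(1).split(","):  # multiport lists such as 80,81,443
            allowed.setdefault(port, set()).add(src.group(1) if src else "any")
    return allowed

def has_default_deny(dump: str) -> bool:
    """True when unmatched INPUT traffic is dropped, by chain policy or by a final catch-all rule."""
    lines = map(str.strip, dump.splitlines())
    return ":INPUT DROP" in dump or any(re.fullmatch(r"-A INPUT -j (DROP|REJECT.*)", l) for l in lines)

def verdict(dump: str, port: int) -> str:
    """'open' (reachable from any source), 'whitelisted' (only the listed sources) or 'closed'.
    On this page 9196 is proxy-address and 9197 is admin-address in mysql-proxy.conf."""
    if not has_default_deny(dump):
        return "open"  # ACCEPT policy without a catch-all DROP: every listening port is reachable
    sources = tcp_accept_sources(dump).get(str(port), set())
    if not sources:
        return "closed"
    return "open" if "any" in sources else "whitelisted"
```

Run `verdict(IPTABLES_SAVE, 9197)` after any firewall change to confirm the admin port stays closed to the public network.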

That concludes the walkthrough; it is said that UCloud's UDB uses this kind of database architecture.