基於SSL實現Mysql加密主從

Mysql主從複製是明文傳輸的，對於一些特殊的場合是絕對不容許的，數據的安全性會受到威脅，在這裏，簡單的構建基於SSL的mysql主從複製

Ps:這裏採用master-mysql爲CA服務器

主端生成CA自簽名證書

# mkdir -p /etc/my.cnf.d/ssl
# cd /etc/my.cnf.d/ssl/
# openssl genrsa 2048 > cakey.pem
Generating RSA private key, 2048 bit long modulus
............+++
.+++
e is 65537 (0x10001)

# openssl req -new -x509 -key cakey.pem -days 3650 -out cacert.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:bxy
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:ca.bxy.com
Email Address []:

[root@master-mysql ssl]# openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr    #生成matsre私鑰以及證書申請

[root@master-mysql ssl]# openssl x509 -req -in master.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt    #給master端頒發證書

 給slave頒發證書

[root@slave-mysql ssl]# openssl x509 -req -in slave.csr -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt

 【mysql主從配置】

ps:在主從兩端寫上對應證書的路徑

Master端配置：

[root@master-mysql ~]# vim /etc/my.cnf   

[root@master-mysql ~]# systemctl restart mariadb

MariaDB [(none)]> grant replication slave on *.* to 'repluser'@'192.168.2.162' identified by '123.com' require ssl;    #建立從庫複製用戶，並僅容許經過ssl加密鏈接
Query OK, 0 rows affected (0.00 sec)

 Slave端配置

[root@slave-mysql ~]# vim /etc/my.cnf

 

[root@slave-mysql ~]# systemctl restart mariadb