MariaDB 10.3.14安装及配置ssl

下载MariaDB

请自行选择适合版本 https://mariadb.com/downloads/
或者使用官方仓库脚本：curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash（把远程脚本直接管道给 root 的 bash 风险较高，建议先下载到本地、核对脚本内容后再执行）
我用的是 CentOS 6（注意：下文的 systemctl / systemd unit 步骤只适用于 systemd 系统，例如 CentOS 7；CentOS 6 没有 systemd，应统一使用 /etc/init.d/mysql 脚本管理服务）

# Fetch the 10.3.14 RPM bundle for RHEL/CentOS 6, register it as a local yum
# repository and install the server plus the OpenSSL CLI used for certificate
# generation. setup_repository is a script shipped inside the tarball; read it
# before running it as root.
tar_name="mariadb-10.3.14-rhel-6-x86_64-rpms"
wget "https://downloads.mariadb.com/MariaDB/mariadb-10.3.14/yum/centos/${tar_name}.tar"
tar xf "${tar_name}.tar"
"./${tar_name}/setup_repository"
yum -y install MariaDB-server openssl

# Runtime layout referenced by /etc/my.cnf below: data files, InnoDB files,
# binlogs, TLS material, socket, pid and relay logs all live under /home/mydata.
mkdir -p /home/mydata/{data,ibdata,log-bin,ssl,sock,pid,relay-bin}

通过OpenSSL 生成ca 证书

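# Generate a private CA plus CA-signed server and client certificates for MariaDB.
# Private keys must not be world-readable: tighten the umask before any key is
# written (the default umask would create 0644 files). Ownership for the mysql
# user is set in the "修改目录权限" step.
umask 077
mkdir -p /home/mydata/ssl
cd /home/mydata/ssl || exit 1

# Subject fields: C=country code (e.g. CN), ST=province (e.g. BJ), L=city (e.g. BJ),
# O=organisation, OU=unit, CN=common name. The server CN should be the host name
# (or wildcard) clients will connect to, and it must differ from the CA's CN;
# otherwise verification fails with
# "error 18 at 0 depth lookup: self signed certificate".
C=CN
ST=BJ
L=BJ
O=xxx
OU=xxxx
CN='*.example.com'
subject="/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${CN}"
CN_ca='*.example.ca'
subject_ca="/C=${C}/ST=${ST}/L=${L}/O=${O}/OU=${OU}/CN=${CN_ca}"

# Validity in days. 365000 (~1000 years) is what the original recipe used; a real
# deployment should use a far shorter lifetime and rotate the certificates.
days=365000

# 1) CA private key and self-signed CA certificate.
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days "$days" \
        -key ca-key.pem -out ca-cert.pem -subj "$subject_ca"

# 2) Server key + CSR, then sign the CSR with the CA.
# server-cert.pem = certificate (public), server-key.pem = private key.
# -nodes already leaves the key unencrypted; the extra `openssl rsa` pass only
# rewrites it in traditional "RSA PRIVATE KEY" PEM form (kept from the KB recipe).
# -subj is quoted: the CN contains '*', which an unquoted expansion would glob.
openssl req -newkey rsa:2048 \
        -nodes -keyout server-key.pem -out server-req.pem -subj "$subject"
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days "$days" \
        -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# 3) Client key + CSR, then sign with the CA.
# Every certificate issued by one CA must carry a unique serial number
# (RFC 5280); the original reused 01 for both leaf certs, which some TLS stacks
# reject and which breaks revocation handling. Use 02 here.
# NOTE(review): server and client share the same subject, so a later
# `REQUIRE SUBJECT ...` grant could not tell them apart; give the client its own CN
# if you intend to pin on subject.
openssl req -newkey rsa:2048 \
        -nodes -keyout client-key.pem -out client-req.pem -subj "$subject"
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days "$days" \
        -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

# 4) Confirm both leaf certificates chain to the CA.
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem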

修改启动脚本

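# Edit a copy of the unit under /etc/systemd/system rather than the packaged file
# in /usr/lib/systemd/system, which the next package update would overwrite.
# `systemctl edit --full` makes the copy and reloads systemd when the editor exits.
systemctl edit --full mariadb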

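# ProtectSystem= accepts only yes/true, full, strict or no. "read-only" is not a
# valid value: systemd logs a parse warning and ignores the line, which leaves
# /usr, /boot and /etc writable by the service. Keep the shipped setting; the
# data directory under /home is not affected by ProtectSystem= at all.
ProtectSystem=full

# Doesn't yet work properly with SELinux enabled
# NoNewPrivileges=true

# Prevent accessing /home, /root and /run/user.
# Set to false here because datadir, ssl, sock and pid all live under
# /home/mydata, which ProtectHome=true would make inaccessible. A tighter
# alternative, if the host's systemd supports it, is to keep ProtectHome=true and
# whitelist the tree with ReadWritePaths=/home/mydata (ReadWriteDirectories= on
# older releases) — confirm on the target systemd version.
ProtectHome=false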

配置文件

vim /etc/my.cnf

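[client-mariadb]
# Read by MariaDB client programs only. No ssl-* options are set here, so a
# client negotiates TLS only when the options are passed on the command line
# (as in the test step); put ssl-ca= here to make TLS the default.
port		= 3306
socket		= /home/mydata/sock/mysql.sock


[mysql]
no-auto-rehash
[mariadb]
# Listens on every IPv4 interface. Restrict this to the interface remote clients
# actually use, or firewall 3306, if the host is reachable from untrusted networks.
bind-address = 0.0.0.0
user	= mysql
port		= 3306
socket		= /home/mydata/sock/mysql.sock
#basedir = /usr/local/mariadb
datadir = /home/mydata/data
# Server-side TLS material from the OpenSSL step. server-key.pem must be readable
# by the mysql user and nobody else; the CA private key is not needed on the server.
ssl-ca=/home/mydata/ssl/ca-cert.pem
ssl-cert=/home/mydata/ssl/server-cert.pem
ssl-key=/home/mydata/ssl/server-key.pem
# Left unset, so the OpenSSL library's default cipher list is offered (the
# SHOW VARIABLES output below reports OpenSSL 1.0.1e). Set an explicit modern
# list to keep weak suites out.
#ssl-cipher=AES128+EECDH:AES128+EDH
open_files_limit = 1024
back_log = 600
max_connections = 800
max_connect_errors = 3000
table_cache = 614
external-locking = FALSE
max_allowed_packet = 8M
sort_buffer_size = 1M
join_buffer_size = 1M
thread_cache_size = 100
thread_concurrency = 16
query_cache_size = 2M
query_cache_limit = 2M
query_cache_min_res_unit = 2k
thread_stack = 192K
tmp_table_size = 2M
max_heap_table_size = 2M
long_query_time = 1
pid-file = /home/mydata/pid/mysql.pid
relay-log = /home/mydata/relay-bin/relay-bin
relay-log-info-file = /home/mydata/relay-bin/relay-log.info
binlog_cache_size = 1M
max_binlog_size = 2M
key_buffer_size = 16M
read_buffer_size = 1M
read_rnd_buffer_size = 1M
bulk_insert_buffer_size = 1M
lower_case_table_names = 1
# No reverse DNS on connect: account host parts are matched by IP address (and
# 'localhost' for socket connections); host-name based grants will not match.
skip-name-resolve
#slave-skip_errors = 1032,1062
#global_sql_slave_skip_counter = 1
#replicate-ignore-db=mysql
log-slave-updates
log-bin=/home/mydata/log-bin/mysql-bin
log-bin-index=/home/mydata/log-bin/mysql-bin.index
binlog_format=mixed
server-id	= 1
innodb_data_home_dir = /home/mydata/ibdata
innodb_data_file_path = ibdata1:10M:autoextend:max:2G
#innodb_file_io_threads = 4
innodb_thread_concurrency = 8
innodb_log_group_home_dir = /home/mydata/ibdata
innodb_buffer_pool_size = 32M
#innodb_additional_mem_pool_size = 4M
innodb_log_file_size = 4M
innodb_log_buffer_size = 2M
# 2 = redo log is flushed to disk about once a second, not at every commit; up to
# a second of committed transactions can be lost on an OS crash or power failure.
innodb_flush_log_at_trx_commit = 2
innodb_lock_wait_timeout = 120
innodb_max_dirty_pages_pct = 90
innodb_file_per_table = 0
[mysqldump]
quick
max_allowed_packet = 16M
[mysqld_safe]
# Group name fixed: mysqld_safe reads [mysqld_safe]; the original "[mysql_safe]"
# is not a recognised group, so these two settings were silently ignored. They
# only apply when the server is launched through mysqld_safe (the systemd unit
# starts mysqld directly). Note this pid-file differs from the [mariadb] one.
log-error=/home/mydata/pid/mysqld.err
pid-file=/home/mydata/pid/mysqld.pid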

修改目录权限并初始化数据库

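# Hand the runtime tree to the mysql service account, but keep key material tight:
# the server only needs ca-cert.pem, server-cert.pem and server-key.pem. Move the
# CA private key and the client key off the database host once issuance is done.
chown -R mysql:mysql /home/mydata/
chmod 700 /home/mydata/ssl
chmod 600 /home/mydata/ssl/*-key.pem

# --datadir must match datadir in /etc/my.cnf (/home/mydata/data). The original
# pointed one level up (/home/mydata), so the bootstrap landed outside the
# directory the server is configured to use.
mysql_install_db --defaults-file=/etc/my.cnf --user=mysql --datadir=/home/mydata/data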

启动MariaDB

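# Reload unit definitions first: systemd keeps using the previously loaded
# mariadb.service until daemon-reload runs, so the hardening edits above would
# otherwise not take effect on this restart.
systemctl daemon-reload
systemctl restart mariadb
systemctl status mariadb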

安全安装

 # Interactive hardening walk-through (root password, anonymous accounts, test
 # database, remote root login); answer the prompts on the console.
 mysql_secure_installation


重启MariaDB

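# Use the same service manager as the rest of the page; on a systemd host the
# SysV script path is not guaranteed to exist, and mixing the two can leave
# systemd unaware of the process it is supposed to supervise.
systemctl restart mariadb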

创建测试用户

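-- Test account. REQUIRE X509 makes the server demand a CA-signed client
-- certificate on every connection for this account; REQUIRE SSL alone accepts
-- any encrypted connection, including one that presents no client certificate,
-- so the client cert generated above would never be enforced.
-- ALL PRIVILEGES ON *.* is far more than a TLS test needs: scope it to the
-- databases the account will use, and replace the placeholder 'password'.
GRANT ALL PRIVILEGES ON *.* TO 'remote'@'localhost' IDENTIFIED BY 'password' REQUIRE X509;
-- GRANT already reloads the privilege cache; this is a harmless no-op kept from
-- the original.
FLUSH PRIVILEGES;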

测试用户

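# Connect as the test account with the client certificate. Keep the password out
# of argv (-p alone prompts for it) so it does not end up in shell history or `ps`.
# Without --ssl-verify-server-cert the client encrypts but does not check that the
# server certificate matches the host it connected to, so an interposed server
# with any CA-issued cert goes unnoticed. Add that flag when connecting over TCP
# to a host name covered by the server CN (*.example.com here); a local
# UNIX-socket connection, as in the output below, would likely fail that check
# because "localhost" does not match the wildcard.
mysql -uremote -p \
    --ssl-ca=/home/mydata/ssl/ca-cert.pem \
    --ssl-cert=/home/mydata/ssl/client-cert.pem \
    --ssl-key=/home/mydata/ssl/client-key.pem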
MariaDB [(none)]> show global variables like '%ssl%';
+---------------------+----------------------------------+
| Variable_name       | Value                            |
+---------------------+----------------------------------+
| have_openssl        | YES                              |
| have_ssl            | YES                              |
| ssl_ca              | /home/mydata/ssl/ca-cert.pem     |
| ssl_capath          |                                  |
| ssl_cert            | /home/mydata/ssl/server-cert.pem |
| ssl_cipher          |                                  |
| ssl_crl             |                                  |
| ssl_crlpath         |                                  |
| ssl_key             | /home/mydata/ssl/server-key.pem  |
| version_ssl_library | OpenSSL 1.0.1e-fips 11 Feb 2013  |
+---------------------+----------------------------------+

MariaDB [(none)]> \s
--------------
mysql  Ver 15.1 Distrib 10.3.13-MariaDB, for Linux (x86_64) using readline 5.1

Connection id:		12
Current database:	
Current user:		remote@localhost
SSL:			Cipher in use is DHE-RSA-AES256-GCM-SHA384
Current pager:		stdout
Using outfile:		''
Using delimiter:	;
Server:			MariaDB
Server version:		10.3.14-MariaDB-log MariaDB Server
Protocol version:	10
Connection:		Localhost via UNIX socket
Server characterset:	latin1
Db     characterset:	latin1
Client characterset:	utf8
Conn.  characterset:	utf8
UNIX socket:		/home/mydata/sock/mysql.sock
Uptime:			12 min 12 sec

Threads: 8  Questions: 15  Slow queries: 0  Opens: 17  Flush tables: 1  Open tables: 11  Queries per second avg: 0.020
--------------



ref


Certificate Creation with OpenSSL : https://mariadb.com/kb/en/library/certificate-creation-with-openssl/
openssl 自建ca之脚本自动签发 : https://blog.csdn.net/do_bset_yourself/article/details/82758345
How to setup MariaDB SSL… : https://www.cyberciti.biz/faq/how-to-setup-mariadb-ssl-and-secure-connections-from-clients/
Secure MariaDB With SSL Support on Ubuntu 16.04 :https://www.vultr.com/docs/secure-mariadb-with-ssl-support-on-ubuntu-16-04
