MySQL Master-Slaver Replication 使用 SSL 連線同步資料

續 MySQL Replication Master / Slaver 讓資料庫資料有備援

Master 端

確認 SSL 狀態，yes 代表有支援，DISABLED 則表示可以用 SSL 但還沒啟用

SHOW VARIABLES LIKE 'have_ssl';

+---------------+-----------+
| Variable_name | Value     |
+---------------+-----------+
| have_ssl      | DISABLED  |
+---------------+-----------+

建立憑證 SSL

mkdir /etc/mysql/
cd /etc/mysql/

# Create CA certificate
openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem -subj '/C=TW/ST=Taiwan/L=Taipei/CN=ca.ssorc.tw/[email protected]'

# Create server certificate, remove passphrase, and sign it
# server-cert.pem = public key, server-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem -subj '/C=TW/ST=Taiwan/L=Taipei/CN=server.ssorc.tw/[email protected]'
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Create client certificate, remove passphrase, and sign it
# client-cert.pem = public key, client-key.pem = private key
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem -subj '/C=TW/ST=Taiwan/L=Taipei/CN=client.ssorc.tw/[email protected]'
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

# verify them
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

設定 vi /etc/my.cnf

[mysqld]
ssl-ca=/etc/mysql/ca-cert.pem
ssl-cert=/etc/mysql/server-cert.pem
ssl-key=/etc/mysql/server-key.pem

service mysqld restart

查看 SSL 狀態，設定成功

SHOW VARIABLES LIKE '%ssl%';
+---------------+---------------------------------+
| Variable_name | Value                           |
+---------------+---------------------------------+
| have_openssl  | YES                             |
| have_ssl      | YES                             |
| ssl_ca        | /etc/mysql/ca-cert.pem          |
| ssl_capath    |                                 |
| ssl_cert      | /etc/mysql/server-cert.pem      |
| ssl_cipher    |                                 |
| ssl_key       | /etc/mysql/server-key.pem       |
+---------------+---------------------------------+

如果要強制使用 SSL 連線，在建立 replslave 使用者時要求 SSL

GRANT REPLICATION SLAVE ON discuz.* TO 'replslave'@'%' REQUIRE SSL;
FLUSH PRIVILEGES;

Slaver 端

如下操作 (同前一篇)，多加入 MASTER_SSL=1 及 指定憑證等檔案

stop slave;reset slave;
CHANGE MASTER TO  MASTER_HOST='10.10.10.137',  MASTER_USER='replslave',  MASTER_PASSWORD='replpass',  MASTER_LOG_FILE='mysqld-bin.000009',  MASTER_LOG_POS=34684 , MASTER_SSL=1 , MASTER_SSL_CA='/etc/mysql/ca-cert.pem', MASTER_SSL_CERT='/etc/mysql/client-cert.pem', MASTER_SSL_KEY='/etc/mysql/client-key.pem';
start slave;
show slave status\G;

slave status 狀態

           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /etc/mysql/ca-cert.pem
           Master_SSL_CA_Path:
              Master_SSL_Cert: /etc/mysql/client-cert.pem
            Master_SSL_Cipher:
               Master_SSL_Key: /etc/mysql/client-key.pem