首页 > 资讯 > 数据库 >MySQL基于SSL协议的主从复制

789

分享到

MySQL基于SSL协议的主从复制

2024-04-02 19:04:59 789人浏览安东尼

摘要

数据对于大部分公司来说都是最重要的部分，而Mysql的服务器在同步数据时，默认是使用明文进行传输，所以接下来就来说说mysql基于SSL协议进行密文传输数据的主从复制模式。逻辑拓

数据对于大部分公司来说都是最重要的部分，而Mysql的服务器在同步数据时，默认是使用明文进行传输，所以接下来就来说说mysql基于SSL协议进行密文传输数据的主从复制模式。

逻辑拓扑：

MySQL基于SSL协议的主从复制

接下来的实验中Master节点服务器即使Master节点数据库服务器，同时也是CA。

环境准备：

一、主从服务器时间需要同步：

[root@node9 ~]# chronyc sources

210 Number of sources = 1

MS Name/IP address Stratum Poll Reach LastRx Last sample

===============================================================================

^* server.magelinux.com 3 7 377 82 +71us[ +148us] +/- 100ms

[root@node10 ~]# chronyc sources

210 Number of sources = 1

MS Name/IP address Stratum Poll Reach LastRx Last sample

===============================================================================

^* server.magelinux.com 3 7 377 95 +116us[ +155us] +/- 100ms

二、主节点node9搭建好CA环境：

[root@node9 ~]# cd /etc/pki/CA

[root@node9 CA]# touch index.txt serial

[root@node9 CA]# echo 01 > serial

[root@node9 CA]# (umask 077;openssl genrsa -out cakey.pem 2048)

[root@node9 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter infORMation that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:BeiJing

Locality Name (eg, city) [Default City]:BeiJing

Organization Name (eg, company) [Default Company Ltd]:hisen

Organizational Unit Name (eg, section) []:Ops

Common Name (eg, your name or your server's hostname) []:ca.hisen.com

Email Address []:admin.com

三、主节点node9生成证书申请，并由CA进行签署：

[root@node9 ~]# cd /var/lib/mysql/ssl/

[root@node9 ssl]# (umask 077;openssl genrsa -out master.key 2048)

[root@node9 ssl]# openssl req -new -key master.key -out master.csr -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:BeiJing

Locality Name (eg, city) [Default City]:BeiJing

Organization Name (eg, company) [Default Company Ltd]:hisen

Organizational Unit Name (eg, section) []:Ops

Common Name (eg, your name or your server's hostname) []:master.hisen.com

Email Address []:master.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge passWord []:

An optional company name []:

[root@node9 ssl]# openssl ca -in master.csr -out master.crt -days 2048

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Feb 22 11:21:11 2017 GMT

Not After : Oct 2 11:21:11 2022 GMT

Subject:

countryName = CN

stateOrProvinceName = BeiJing

organizationName = hisen

organizationalUnitName = Ops

commonName = master.hisen.com

emailAddress = master.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

2B:1D:F7:18:00:89:1B:CB:6D:09:59:4B:5E:03:78:BA:60:6A:62:BB

X509v3 Authority Key Identifier:

keyid:C4:30:C5:87:EB:80:6C:87:AE:60:71:FC:E9:79:1F:5A:31:57:5B:88

Certificate is to be certified until Oct 2 11:21:11 2022 GMT (2048 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

四、从节点node10生成证书，并由CA进行签署：

[root@node10 ~]# cd /var/lib/mysql/ssl

[root@node10 ssl]# (umask 077;openssl genrsa -out slave.key 2048)

Generating RSA private key, 2048 bit long modulus

..+++

...........................................................+++

e is 65537 (0x10001)

[root@node10 ssl]# (umask 077;openssl genrsa -out slave.key 2048)

Generating RSA private key, 2048 bit long modulus

..+++

...........................................................+++

e is 65537 (0x10001)

[root@node10 ssl]# openssl req -new -key slave.key -out slave.csr -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:BeiJing

Locality Name (eg, city) [Default City]:BeiJing

Organization Name (eg, company) [Default Company Ltd]:hisen

Organizational Unit Name (eg, section) []:Ops

Common Name (eg, your name or your server's hostname) []:slave.hisen.com

Email Address []:slave.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@node10 ssl]# scp slave.csr 192.168.17.90:/root

[root@node9 ~]# openssl ca -in slave.csr -out slave.crt -days 3650

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 2 (0x2)

Validity

Not Before: Feb 22 11:27:17 2017 GMT

Not After : Feb 20 11:27:17 2027 GMT

Subject:

countryName = CN

stateOrProvinceName = BeiJing

organizationName = hisen

organizationalUnitName = Ops

commonName = slave.hisen.com

emailAddress = slave.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

68:31:D7:B1:03:5A:C0:6E:A3:58:4D:67:53:AC:F7:F5:1E:2A:19:4E

X509v3 Authority Key Identifier:

keyid:C4:30:C5:87:EB:80:6C:87:AE:60:71:FC:E9:79:1F:5A:31:57:5B:88

Certificate is to be certified until Feb 20 11:27:17 2027 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@node9 ~]# scp slave.crt 192.168.17.100:/var/lib/mysql/ssl/

五、将node9的CA证书复制给Master和Slave各一份：

[root@node9 ~]# cp /etc/pki/CA/cacert.pem /var/lib/mysql/ssl/ #复制CA证书到本地

[root@node9 ~]# scp /etc/pki/CA/cacert.pem 192.168.17.100:/var/lib/mysql/ssl/ #复制CA到node10

六、修改/var/lib/mysql/ssl/下文件的属主属组以及给予最小权限：

[root@node9 ~]# chown -R mysql:mysql /var/lib/mysql/ssl/ ; chmod 600 /var/lib/mysql/ssl/*

[root@node10 ~]# chown -R mysql:mysql /var/lib/mysql/ssl/ ; chmod 600 /var/lib/mysql/ssl/*

MySQL文件配置：

Master：

[mysqld]

datadir=/var/lib/mysql

Socket=/var/lib/mysql/mysql.sock

symbolic-links=0

skip_name_resolve=ON

innodb_file_per_table=1

server_id=2

log-bin=master-log

ssl #开启SSL

ssl_ca=/var/lib/mysql/ssl/cacert.pem #Master节点CA证书存放位置

ssl_cert=/var/lib/mysql/ssl/master.crt #Master节点证书

ssl_key=/var/lib/mysql/ssl/master.key #Master节点key

Slave：

[mysqld]

datadir=/var/lib/mysql

socket=/var/lib/mysql/mysql.sock

symbolic-links=0

skip_name_resolve=ON

innodb_file_per_table=ON

server_id=3

relay-log=relay-log

read-only=1

ssl #开启SSL

ssl_ca=/var/lib/mysql/ssl/cacert.pem #Slave节点CA证书存放位置

ssl_cert=/var/lib/mysql/ssl/slave.crt #Slave节点证书

ssl_key=/var/lib/mysql/ssl/slave.key #Slave节点key

MySQL服务配置：

一、启动MySQL服务，并查看MySQL中SSL信息：

[root@node9 ~]# systemctl start mariadb.service #启动node9的MySQL服务

MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE '%ssl%'; #查看node9的SSL信息

+---------------+-------------------------------+

| Variable_name | Value |

+---------------+-------------------------------+

| have_openssl | YES |

| have_ssl | YES |

| ssl_ca | /var/lib/mysql/ssl/cacert.pem |

| ssl_capath | |

| ssl_cert | /var/lib/mysql/ssl/master.crt |

| ssl_cipher | |

| ssl_key | /var/lib/mysql/ssl/master.key |

+---------------+-------------------------------+

7 rows in set (0.01 sec)

[root@node10 ssl]# systemctl start mariadb.service #启动node10的MySQL服务

MariaDB [(none)]> SHOW GLOBAL VARIABLES LIKE '%ssl%'; #查看node10的SSL信息

+---------------+-------------------------------+

| Variable_name | Value |

+---------------+-------------------------------+

| have_openssl | YES |

| have_ssl | YES |

| ssl_ca | /var/lib/mysql/ssl/cacert.pem |

| ssl_capath | |

| ssl_cert | /var/lib/mysql/ssl/slave.crt |

| ssl_cipher | |

| ssl_key | /var/lib/mysql/ssl/slave.key |

+---------------+-------------------------------+

7 rows in set (0.00 sec)

二、Master节点授权一个能用于SSL协议进行复制信息的用户，并测试用户：

MariaDB [(none)]> GRANT REPLICATION SLAVE,REPLICATION CLIENT ON *.* TO 'userssl'@'192.168.17.%' IDENTIFIED BY 'passwordssl' REQUIRE SSL;

Query OK, 0 rows affected (0.00 sec) #授权一个仅能够通过SSL复制数据的用户

MariaDB [(none)]> FLUSH PRIVILEGES; #刷新权限

Query OK, 0 rows affected (0.00 sec)

[root@node9 ~]# mysql -uuserssl -ppasswordssl -h292.168.17.90 \

> --ssl_ca=/var/lib/mysql/ssl/cacert.pem \

> --ssl_cert=/var/lib/mysql/ssl/master.crt \

> --ssl_key=/var/lib/mysql/ssl/master.key #测试用户能否使用SSL协议登录

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 4

Server version: 5.5.44-MariaDB-log MariaDB Server

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

三、配置Slave节点，指向Master节点：

Master节点当前正在使用的binlog文件：master-log.000004，以及binlog位置：512

MariaDB [(none)]> SHOW MASTER STATUS;

+-------------------+----------+--------------+------------------+

+-------------------+----------+--------------+------------------+

| master-log.000004 | 512 | | |

+-------------------+----------+--------------+------------------+

1 row in set (0.00 sec)

Slave节点配置：

MariaDB [(none)]> CHANGE MASTER TO

-> MASTER_HOST='192.168.17.90',

-> MASTER_USER='userssl',

-> MASTER_PASSWORD='passwordssl',

-> MASTER_LOG_FILE='master-log.000004',

-> MASTER_LOG_POS=512,

-> MASTER_SSL=1,

-> MASTER_SSL_CA='/var/lib/mysql/ssl/cacert.pem',

-> MASTER_SSL_CERT='/var/lib/mysql/ssl/slave.crt',

-> MASTER_SSL_KEY='/var/lib/mysql/ssl/slave.key';

Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> START SLAVE; 启动SLAVE功能

Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> SHOW SLAVE STATUS\G; 查看SLAVE状态信息

*************************** 1. row ***************************

Slave_IO_State: Waiting for master to send event

Master_Host: 192.168.17.90

Master_User: userssl

Master_Port: 3306

Connect_Retry: 60

Master_Log_File: master-log.000004

Read_Master_Log_Pos: 512

Relay_Log_File: relay-log.000002

Relay_Log_Pos: 530

Relay_Master_Log_File: master-log.000004

Slave_IO_Running: Yes

Slave_SQL_Running: Yes

Replicate_Do_DB:

Replicate_Ignore_DB:

Replicate_Do_Table:

Replicate_Ignore_Table:

Replicate_Wild_Do_Table:

Replicate_Wild_Ignore_Table:

Last_Errno: 0

Last_Error:

Skip_Counter: 0

Exec_Master_Log_Pos: 512

Relay_Log_Space: 818

Until_Condition: None

Until_Log_File:

Until_Log_Pos: 0

Master_SSL_Allowed: Yes

Master_SSL_CA_File: /var/lib/mysql/ssl/cacert.pem

Master_SSL_CA_Path:

Master_SSL_Cert: /var/lib/mysql/ssl/slave.crt

Master_SSL_Cipher:

Master_SSL_Key: /var/lib/mysql/ssl/slave.key

Seconds_Behind_Master: 0

Master_SSL_Verify_Server_Cert: No

Last_IO_Errno: 0

Last_IO_Error:

Last_SQL_Errno: 0

Last_SQL_Error:

Replicate_Ignore_Server_Ids:

Master_Server_Id: 2

1 row in set (0.00 sec)

四、测试主从同步数据：

Master节点：

MariaDB [(none)]> CREATE DATABASE hisendb; node9主节点创建hisendb数据库

Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> USE hisendb;

Database changed

MariaDB [hisendb]> CREATE TABLE friends(id INT UNSIGNED PRIMARY KEY NOT NULL,Name VARCHAR(20) NOT NULL,Age TINYINT,Gender ENUM('F','M'));

Query OK, 0 rows affected (0.01 sec) #在hisendb数据库中创建friends表

MariaDB [hisendb]> INSERT INTO friends VALUES (1,'Xu He',25,'M'),(2,'Xu Mingying',27,'F'),(3,'Tian Tao',26,'M'),(4,'LiangJuntao',28,'M');

Query OK, 4 rows affected (0.00 sec) #在friends表中插入数据

Records: 4 Duplicates: 0 Warnings: 0

MariaDB [hisendb]> SELECT * FROM friends; #查看结果

+----+--------------+------+--------+

| id | Name | Age | Gender |

+----+--------------+------+--------+

| 1 | Xu He | 25 | M |

| 2 | Xu Mingying | 27 | F |

| 3 | Tian Tao | 26 | M |

| 4 | Liang Juntao | 28 | M |

+----+--------------+------+--------+

4 rows in set (0.00 sec)

Slave节点：

MariaDB [(none)]> USE hisendb;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

MariaDB [hisendb]> SELECT * FROM friends; #在从节点可以查看主节点写入的数据

+----+--------------+------+--------+

| id | Name | Age | Gender |

+----+--------------+------+--------+

| 1 | Xu He | 25 | M |

| 2 | Xu Mingying | 27 | F |

| 3 | Tian Tao | 26 | M |

| 4 | Liang Juntao | 28 | M |

+----+--------------+------+--------+

4 rows in set (0.00 sec)

由上可知，主从已经完成基于SSL协议的数据复制。

您可能感兴趣的文档:

点击免费下载>>软考高级考试备考技巧/历年真题/备考精华资料

--结束END--

本文标题: MySQL基于SSL协议的主从复制

本文链接: https://www.lsjlt.com/news/42352.html(转载时请注明来源链接)

有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341

本篇文章演示代码以及资料文档资料下载

下载Word文档到电脑，方便收藏和打印～

下载Word文档

去做题

猜你喜欢

MySQL基于SSL安全连接的主从复制(过程详解)

目录主从复制的原理部署master1. 主机创建 SSL/RSA 文件2. 赋予权限并重启。3. 登录mysql查看ssl是否开启，并创建一个复制用户。4. master开启二进制日志，重启后查看二进制日志文件。5. 防...

99+

2023-04-06

mysql 基于ssl主从复制 mysql 主从复制
MySQL基于SSL安全连接的主从复制怎么实现

本文小编为大家详细介绍“MySQL基于SSL安全连接的主从复制怎么实现”，内容详细，步骤清晰，细节处理妥当，希望这篇“MySQL基于SSL安全连接的主从复制怎么实现”文章能帮助大家解决疑惑，下面跟着小编的思路慢慢深入，一起来学习新知识吧。生...

99+

2023-07-05
MySQL配置SSL主从复制

MySQL5.6 创建SSL文件方法官方文档：https://dev.mysql.com/doc/refman/5.6/en/creating-ssl-files-using-openssl.html#c...

99+

2024-04-02
MySQL 5.7 基于GTID搭建主从复制

MySQL 5.7 基于GTID搭建主从复制一、搭建过程 1.1 准备三个MySQL实例 mysqld --initialize-insecure --use...

99+

2024-04-02
mysql基于日志的主从复制是什么

这篇文章主要介绍了mysql基于日志的主从复制是什么，具有一定借鉴价值，需要的朋友可以参考下。希望大家阅读完这篇文章后大有收获。下面让小编带着大家一起了解一下。 ...

99+

2024-04-02
MySQL主从复制使用SSL加密

环境：　CentOS7.4 　CA主机一　mysql主机两台　数据库：MariaDB-5.5 一、准备证书文件 1.生成CA自签名证书 mkdir /etc/my.cnf.d/ssl cd /etc/my....

99+

2024-04-02
基于GTID的主从复制搭建

前置检查server-id = 10，master/slave不允许重复log-bingtid-mode = ONenforce-gtid-consistency = ON1，利用mysqlpump复制ma...

99+

2024-04-02
mysql之 MySQL 主从基于 GTID 复制原理概述

一、什么是GTID （ Global transaction identifiers ）： MySQL-5.6.2开始支持，MySQL-5.6.10后完善，GTID 分成两部分，一部分是服务的UUid...

99+

2024-04-02
mysql之 MySQL 主从基于position复制原理概述

1 、主从复制简介 MySQL 主从复制就是将一个 MySQL 实例（Master）中的数据实时复制到另一个 MySQL 实例(slave)中，而且这个复制是一个异步复制的过程。实现整个复制操作主要...

99+

2024-04-02
实现SSL加密的主从复制

实验环境centos7.6最小化安装关闭防火墙、selinux一、建立CA并生成证书1、生成CA的私钥mkdir /etc/my.cnf.d/sslcd /etc/my.cnf.d/sslopenssl g...

99+

2024-04-02
Mysql的主从复制

Mysql的主从复制 Mysql的主从复制，我们一般用来保证数据间的同步关系，比如有分公司，我们就需要把数据同步给千里之外的分公司，这样就很方便快捷。这个实验我们还实现了ssl安全连...

99+

2024-04-02
Python中的端口协议之基于UDP协议

UDP协议：　　1、python中基于udp协议的客户端与服务端通信简单过程实现　　2、udp协议的一些特点（与tcp协议的比较） 3、利用socketserver模块实现udp传输协议的并发通信 -----------...

99+

2023-01-31

协议端口 Python
ssl协议的主要作用有哪些

SSL协议的主要作用有以下几个方面：1. 加密数据传输：SSL协议使用公开密钥加密技术，对传输的数据进行加密，保障数据传输过程中的机...

99+

2023-06-13

ssl协议 ssl
如何理解基于keepalived的MySQL主主复制

这篇文章将为大家详细讲解有关如何理解基于keepalived的MySQL主主复制，文章内容质量较高，因此小编分享给大家做个参考，希望大家阅读完这篇文章后对相关知识有一定的了解。 ...

99+

2024-04-02
ssl协议的主要功能有哪些

SSL协议的主要功能包括：1. 数据加密：SSL协议使用对称密钥加密算法，对传输的数据进行加密，保护数据在传输过程中不被窃取或篡改。...

99+

2023-05-31

ssl协议 ssl
Java SSL/TLS 协议的演进之路：从 SSL 1.0 到 TLS 1.3

一、SSL 1.0：诞生之始 SSL 1.0 于 1994 年诞生，是 SSL/TLS 协议的第一个版本。它是由网景公司开发并广泛用于早期互联网通信。SSL 1.0 使用 RC4 加密算法，该算法简单易用，但后来被证明存在安全漏洞。二...

99+

2024-02-25

SSL, TLS, Java, 安全, 加密
Mysql之主从复制

文章目录一.Mysql主从复制介绍 1.Mysql主从复制原理2.Mysql的复制类型3.Mysql主从复制的工作过程二.搭建 Mysql主从复制1.首先关闭防火墙2.Mysql主从服...

99+

2023-09-04

mysql java 数据库
centos8 mysql 主从复制

♥️作者：小刘在C站 ♥️个人主页：小刘主页 ♥️每天分享云计算网络运维课堂笔记，努力不一定有收获，但一定会有收获加油！一起努力，共赴美好人生！ ♥️夕阳下，是最美的绽放，树高千尺，落叶归根人生不易，人间真情目录 Linu...

99+

2023-08-31

数据库 mysql 服务器
MySQL的主从复制、半同步复制和主主复制的概念

本篇内容主要讲解“MySQL的主从复制、半同步复制和主主复制的概念”，感兴趣的朋友不妨来看看。本文介绍的方法操作简单快捷，实用性强。下面就让小编来带大家学习“MySQL的主从复制、半同步复制和主主复制的概念...

99+

2024-04-02
docker下如何部署MySQL8基于GTID的主从复制

这篇文章给大家介绍docker下如何部署MySQL8基于GTID的主从复制，内容非常详细，感兴趣的小伙伴们可以参考借鉴，希望对大家能有所帮助。安装docker#yum install docker添加doc...

99+

2024-04-02