在本教程中,我將介紹如何使用 SSH 連接進行加密,建立與 MySQL 伺服器的安全連接,從而使資料庫中的資料安全,駭客無法竊取資料。 SSL用來驗證SSL憑證的方式,可以防範網路釣魚攻擊。這也將向您展示如何在 MySQL 伺服器上啟用 SSL。
連接到MySQL 伺服器並檢查MySQL 伺服器的SSL 狀態
# mysql -u root -p mysql> show variables like '%ssl%'; Output: +---------------+----------+ | Variable_name | Value | +---------------+----------+ | have_openssl | DISABLED | | have_ssl | DISABLED | | ssl_ca | | | ssl_capath | | | ssl_cert | | | ssl_cipher | | | ssl_key | | +---------------+----------+ 7 rows in set (0.00 sec) mysql> \q Bye
#建立用於儲存憑證文件的目錄
# mkdir /etc/certificates # cd /etc/certificates
# openssl genrsa 2048 > ca-key.pem Generating RSA private key, 2048 bit long modulus ...................................................................................+++ ..........+++ e is 65537 (0x10001) # openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem Generating a 2048 bit RSA private key ..................+++ ..............................................................................................+++ writing new private key to 'server-key.pem' You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: State or Province Name (full name) []: Locality Name (eg, city) [Default City]: Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []: Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: # openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem Signature ok subject=/C=XX/L=Default City/O=Default Company Ltd Error opening CA Certificate ca-cert.pem 139991633303368:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('ca-cert.pem','r') 139991633303368:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load certificate Generating client certificates
# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem Generating a 2048 bit RSA private key ...............................................+++ .................+++ writing new private key to 'client-key.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: State or Province Name (full name) []: Locality Name (eg, city) [Default City]: Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []: Email Address []: Please enter the following 'extra' attributes openssl x509 -req -in client-req.pem -days 1000 -CA ca-# cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem Signature ok subject=/C=XX/L=Default City/O=Default Company Ltd Error opening CA Certificate ca-cert.pem 140327140685640:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('ca-cert.pem','r') 140327140685640:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load certificate to be sent with your certificate request A challenge password []: An optional company name []:
現在開啟my.cnf 檔案並新增憑證
# vi /etc/my.cnf [mysqld] ssl-ca=/etc/certificates/cacert.pem ssl-cert=/etc/certificates/server-cert.pem ssl-key=/etc/certificates/server-key.pem
#service mysqld restart #mysql -uroot -p mysql>show variables like '%ssl%'; +---------------+-----------------------------------+ | Variable_name | Value | +---------------+-----------------------------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca |/etc/certificates/cacert.pem | | ssl_capath | | | ssl_cert | /etc/certificates/server-cert.pem | | ssl_cipher | | | ssl_key | /etc/certificates/server-key.pem | +---------------+-----------------------------------+ 7 rows in set (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO ‘ssl_user’@’%’ IDENTIFIED BY ‘password’ REQUIRE SSL; mysql> FLUSH PRIVILEGES;
從伺服器端,我們需要將client-cert.pem client-key.pem client-req.pem 從伺服器複製到客戶端。
# scp /etc/ certificates/client-cert.pem root@192.168.87.158:/etc/certificates # scp /etc/ certificates/client-key.pem root@192.168.87.158:/etc/certificates # scp /etc/ certificates/client-req.pem root@192.168.87.158:/etc/certificates
檔案傳輸到客戶端後,將連接到客戶端並嘗試使用 SSL 憑證連接到 MySQL。
# mysql --ssl-ca=ca-cert.pem --ssl-cert=client-cert.pem --ssl-key=client-key.pem -h 192.168.87.156 -u ssluser -p Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 3 Server version: 5.1.73 Source distribution Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. mysql> status -------------- mysql Ver 14.14 Distrib 5.1.73, for redhat-linux-gnu (x86_64) using readline 5.1 Connection id: 3 Current database: Current user: root@localhost SSL: Clipher in use is DHE-RSA-AES256-SHA Current pager: stdout Using outfile: '' Using delimiter: ; Server version: 5.1.73 Source distribution Protocol version: 10 Connection: 192.168.87.158 via TCP/IP Server characterset: latin1 Db characterset: latin1 Client characterset: latin1 Conn. characterset: latin1 UNIX socket: /var/lib/mysql/mysql.sock Uptime: 11 min 13 sec Threads: 1 Questions: 8 Slow queries: 0 Opens: 15 Flush tables: 1 Open tables: 8 Queries per second avg: 0.11 -------------
稍後,在 /etc/my.cnf 檔案中新增設置,以便永久連接到 MySQL 伺服器時,我們應該使用 SSL 進行連線。
# vi /etc/my.cnf [client] ssl-ca=/etc/certificates/ client-cert.pem ssl-cert=/etc/certificates/client-cert.pem ssl-key=/etc/certificates/client-key.pem
完成此設定和設定後,您現在可以使用 SSL 金鑰從客戶端連接到 MySQL 伺服器,以保護資料不被竊取,同時也可以保護資料免受駭客攻擊。
以上是如何在 Linux 上為 MySQL 伺服器和客戶端設定 SSL的詳細內容。更多資訊請關注PHP中文網其他相關文章!
