zoukankan      html  css  js  c++  java
  • mysql/mariadb基于ssl的主从复制

    当mysql/mariadb跨越互联网进行复制时别人可以窃取到mysql/mariadb的复制信息, 这些信息是明文的, 因此存在不安全性, 这里通过ssl对复制的信息进行加密

    1. 创建证书中心

    在主服务器上创建证书中心

    cd /etc/pki/CA
    生成私钥
    (umask 077;openssl genrsa -out private/cakey.pem 2048)
    
    生成自签名证书
    openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 7300
    
    创建证书编号
    mkdir certs crl newcerts
    touch index.txt
    echo 00 > serial

    2.  为主服务器创建证书

    服务器的名称必须固定, 在申请证书时要输入服务器名称, 这书和服务器名称对应;

    创建私钥
    mkdir /usr/lcoal/mysql/ssl
    cd /usr/local/mysql/ssl
    (umask 077;openssl genrsa -out /etc/mysql/ssl/master.key 2048)
    生成证书申请
    openssl req -new -key master.key -out master.csr
    在证书服务器上对master的证书进行签发
    openssl ca -in master.csr -out master.crt -days 365

    3. 创建从服务器证书

    (umask 077;openssl genrsa -out /etc/mysql/ssl/slave.key 2048)
    openssl req -new -key slave.key -out slave.csr
    将从服务器的证书申请文件复制到证书服务器上进行签发
    openssl ca -in slave.csr -out slave.crt -days 365

    4. 修改证书权限和mysql配置文件

    将证书的公钥cacert.pem复制到主从服务器的目录下
    cd /etc/mysql/ssl
    cp /etc/pki/CA/cacert.pem ./
    chown -R mysql.mysql master.crt master.key cacert.pem
    chmod 600 master.crt master.key cacert.pem
    
    vim /etc/my.cnf
    
    log-bin=master-log
    server-id=1
    skip_name_resolve = ON
    innodb_file_per_table = ON
    ssl
    ssl_ca      = /etc/mysql/ssl/cacert.pem
    ssl_cert    = /etc/mysql/ssl/master.crt
    ssl_key     = /etc/mysql/ssl/master.key
    
    修改从服务器配置 
    cd /etc/mysql/ssl
    cp /etc/pki/CA/cacert.pem ./
    chown -R mysql.mysql slave.crt slave.key cacert.pem
    chmod 600 slave.crt slave.key cacert.pem
    
    vim /etc/my.cnf
    
    relay-log=relay-log
    server-id=2
    skip_name_resolve = ON
    innodb_file_per_table = ON
    ssl
    ssl_ca      = /etc/mysql/ssl/cacert.pem
    ssl_cert    = /etc/mysql/ssl/slave.crt
    ssl_key     = /etc/mysql/ssl/slave.key

    5. 在主服务上创建复制用户

    MariaDB [(none)]> GTANT REPLICATION SLAVE,REPLICATION CLIENT ON *.* TO 'repluser'@'10.1.52.%' IDENTIFIED BY 'replpass' REQUIRE SSL;
    MariaDB [(none)]> FLUSH PRIVILEGES;
    查看主服务器当前二进制位置
    MariaDB [(none)]> SHOW MASTER STATUS;
    +-------------------+----------+--------------+------------------+
    | File              | Position | Binlog_Do_DB | Binlog_Ignore_DB |
    +-------------------+----------+--------------+------------------+
    | master-log.000005 |     7918 |              |                  |
    +-------------------+----------+--------------+------------------+
    1 row in set (0.00 sec)

    6. 在从服务器上开始复制    

    MariaDB [(none)]> CHANGE MASTER TO
        -> MASTER_HOST='10.1.52.11',
        -> MASTER_USER='repluser',
        -> MASTER_PASSWORD='replpass',
        -> MASTER_LOG_FILE='master-log.000001',
        -> MASTER_LOG_POS=495,
        -> MASTER_SSL=1,
        -> MASTER_SSL_CA='/etc/mysql/ssl/cacert.pem',
        -> MASTER_SSL_CERT='/etc/mysql/ssl/slave.crt',
        -> MASTER_SSL_KEY='/etc/mysql/ssl/slave.key';
    MariaDB [(none)]> START SLAVE;

    7. 查看从服务器的状态

    MariaDB [(none)]> SHOW SLAVE STATUSG
    *************************** 1. row ***************************
                   Slave_IO_State: Waiting for master to send event
                      Master_Host: 10.1.52.11
                      Master_User: repluser
                      Master_Port: 3306
                    Connect_Retry: 60
                  Master_Log_File: master-log.000005
              Read_Master_Log_Pos: 7918
                   Relay_Log_File: relay-log.000002
                    Relay_Log_Pos: 7940
            Relay_Master_Log_File: master-log.000005
                 Slave_IO_Running: Yes
                Slave_SQL_Running: Yes
                  Replicate_Do_DB:
              Replicate_Ignore_DB:
               Replicate_Do_Table:
           Replicate_Ignore_Table:
          Replicate_Wild_Do_Table:
      Replicate_Wild_Ignore_Table:
                       Last_Errno: 0
                       Last_Error:
                     Skip_Counter: 0
              Exec_Master_Log_Pos: 7918
                  Relay_Log_Space: 8228
                  Until_Condition: None
                   Until_Log_File:
                    Until_Log_Pos: 0
               Master_SSL_Allowed: Yes
               Master_SSL_CA_File: /etc/mysql/ssl/cacert.pem
               Master_SSL_CA_Path:
                  Master_SSL_Cert: /etc/mysql/ssl/slave.crt
                Master_SSL_Cipher:
                   Master_SSL_Key: /etc/mysql/ssl/slave.key
            Seconds_Behind_Master: 0
    Master_SSL_Verify_Server_Cert: No
                    Last_IO_Errno: 0
                    Last_IO_Error:
                   Last_SQL_Errno: 0
                   Last_SQL_Error:
      Replicate_Ignore_Server_Ids:
                 Master_Server_Id: 1
    1 row in set (0.00 sec)
  • 相关阅读:
    HTTP处理程序介绍
    c# Enum获取name,value和description
    如何成为优秀的软件人才
    关于系统设计分层
    从DLL中加载启动窗体
    摩斯密码
    休息下
    关于博文转载
    整合TextBox与Label 创建新控件EFLabelText
    ProC连接Oracle
  • 原文地址:https://www.cnblogs.com/wajika/p/6347017.html
Copyright © 2011-2022 走看看