当mysql/mariadb跨越互联网进行复制时别人可以窃取到mysql/mariadb的复制信息, 这些信息是明文的, 因此存在不安全性, 这里通过ssl对复制的信息进行加密
1. 创建证书中心
在主服务器上创建证书中心
cd /etc/pki/CA
生成私钥
(umask 077;openssl genrsa -out private/cakey.pem 2048)
生成自签名证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 7300
创建证书编号
mkdir certs crl newcerts
touch index.txt
echo 00 > serial
2. 为主服务器创建证书
服务器的名称必须固定, 在申请证书时要输入服务器名称, 这书和服务器名称对应;
创建私钥
mkdir /usr/lcoal/mysql/ssl
cd /usr/local/mysql/ssl
(umask 077;openssl genrsa -out /etc/mysql/ssl/master.key 2048)
生成证书申请
openssl req -new -key master.key -out master.csr
在证书服务器上对master的证书进行签发
openssl ca -in master.csr -out master.crt -days 365
3. 创建从服务器证书
(umask 077;openssl genrsa -out /etc/mysql/ssl/slave.key 2048)
openssl req -new -key slave.key -out slave.csr
将从服务器的证书申请文件复制到证书服务器上进行签发
openssl ca -in slave.csr -out slave.crt -days 365
4. 修改证书权限和mysql配置文件
将证书的公钥cacert.pem复制到主从服务器的目录下
cd /etc/mysql/ssl
cp /etc/pki/CA/cacert.pem ./
chown -R mysql.mysql master.crt master.key cacert.pem
chmod 600 master.crt master.key cacert.pem
vim /etc/my.cnf
log-bin=master-log
server-id=1
skip_name_resolve = ON
innodb_file_per_table = ON
ssl
ssl_ca = /etc/mysql/ssl/cacert.pem
ssl_cert = /etc/mysql/ssl/master.crt
ssl_key = /etc/mysql/ssl/master.key
修改从服务器配置
cd /etc/mysql/ssl
cp /etc/pki/CA/cacert.pem ./
chown -R mysql.mysql slave.crt slave.key cacert.pem
chmod 600 slave.crt slave.key cacert.pem
vim /etc/my.cnf
relay-log=relay-log
server-id=2
skip_name_resolve = ON
innodb_file_per_table = ON
ssl
ssl_ca = /etc/mysql/ssl/cacert.pem
ssl_cert = /etc/mysql/ssl/slave.crt
ssl_key = /etc/mysql/ssl/slave.key
5. 在主服务上创建复制用户
MariaDB [(none)]> GTANT REPLICATION SLAVE,REPLICATION CLIENT ON *.* TO 'repluser'@'10.1.52.%' IDENTIFIED BY 'replpass' REQUIRE SSL;
MariaDB [(none)]> FLUSH PRIVILEGES;
查看主服务器当前二进制位置
MariaDB [(none)]> SHOW MASTER STATUS;
+-------------------+----------+--------------+------------------+
| File | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+-------------------+----------+--------------+------------------+
| master-log.000005 | 7918 | | |
+-------------------+----------+--------------+------------------+
1 row in set (0.00 sec)
6. 在从服务器上开始复制
MariaDB [(none)]> CHANGE MASTER TO
-> MASTER_HOST='10.1.52.11',
-> MASTER_USER='repluser',
-> MASTER_PASSWORD='replpass',
-> MASTER_LOG_FILE='master-log.000001',
-> MASTER_LOG_POS=495,
-> MASTER_SSL=1,
-> MASTER_SSL_CA='/etc/mysql/ssl/cacert.pem',
-> MASTER_SSL_CERT='/etc/mysql/ssl/slave.crt',
-> MASTER_SSL_KEY='/etc/mysql/ssl/slave.key';
MariaDB [(none)]> START SLAVE;
7. 查看从服务器的状态
MariaDB [(none)]> SHOW SLAVE STATUSG
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 10.1.52.11
Master_User: repluser
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: master-log.000005
Read_Master_Log_Pos: 7918
Relay_Log_File: relay-log.000002
Relay_Log_Pos: 7940
Relay_Master_Log_File: master-log.000005
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 7918
Relay_Log_Space: 8228
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/mysql/ssl/cacert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /etc/mysql/ssl/slave.crt
Master_SSL_Cipher:
Master_SSL_Key: /etc/mysql/ssl/slave.key
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 1
1 row in set (0.00 sec)