实验:实现基于SSL加密的主从复制
实验步骤: 环境:三台主机,一台CA:200,一台master:150 ,一台slave:100
平时都是在CA上帮用户生成私钥,在服务器上做的
1 CA,master,slave 的证书相关文件
mkdir /etc/my.cnf.d/ssl
cd /etc/my.cnf.d/ssl
openssl genrsa 2048 > cakey.pem
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
给master 颁发证书
openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr
openssl x509 -req -in master.csr -days 365 -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt
给slave 颁发证书
openssl req -newkey rsa:2048 -days 365 -nodes -keyout slave.key > slave.csr
openssl x509 -req -in slave.csr -days 365 -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt
root@CA ssl]#ls /etc/my.cnf.d/ssl/
cacert.pem cakey.pem master.crt master.csr master.key slave.crt slave.csr slave.key
scp -r /etc/my.cnf.d/ssl master:/etc/my.cnf.d/
scp -r /etc/my.cnf.d/ssl slave:/etc/my.cnf.d/
2 master
vim /etc/my.cnf
[mysqld]
log-bin
server-id=17
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/master.crt
ssl-key=/etc/my.cnf.d/ssl/master.key
mysql> grant replication slave on . to ssluser@‘192.168.35.%‘ identified by ‘centos‘ require ssl ;
3 slave
vim /etc/my.cnf
[mysqld]
server-id=27
read-only
mysql> CHANGE MASTER TO
MASTER_HOST=‘master‘,
MASTER_USER=‘ssluser‘,
MASTER_PASSWORD=‘centos‘,
MASTER_PORT=3306,
MASTER_LOG_FILE=‘mariadb-bin.000003‘,
MASTER_LOG_POS=7821,
MASTER_SSL=1,
MASTER_SSL_CA = ‘/etc/my.cnf.d/ssl/cacert.pem‘,
MASTER_SSL_CERT = ‘/etc/my.cnf.d/ssl/slave.crt‘,
MASTER_SSL_KEY = ‘/etc/my.cnf.d/ssl/slave.key‘;
mysql>start slave;
1、150主机修改配置文件:加入“log_bin server_id=150” 100主机修改配置文件:加入“server_id=100 read_only”
150master:[root@centos7 ~]#vim /etc/my.cnf
[root@centos7 ~]#systemctl restart mariadb
[root@centos7 ~]#mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
MariaDB [(none)]> grant replication slave on . to repluser@‘192.168.141.%‘ identified by ‘123gxy‘; 创建用户
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> show master logs;
+--------------------+-----------+
| Log_name | File_size |
+--------------------+-----------+
| mariadb-bin.000001 | 401 |
+--------------------+-----------+
1 row in set (0.00 sec)
100slave:MariaDB [(none)]> CHANGE MASTER TO MASTER_HOST=‘192.168.141.150‘, MASTER_USER=‘repluser‘, MASTER_PASSWORD=‘123gxy‘, MASTER_PORT=3306, MASTER_LOG_FILE=‘mariadb-bin.000001‘, MASTER_LOG_POS=245;
Query OK, 0 rows affected (0.02 sec)
MariaDB [(none)]> start slave;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show slave status\G;
1. row
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.141.150
Master_User: repluser
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mariadb-bin.000001
Read_Master_Log_Pos: 401
Relay_Log_File: mariadb-relay-bin.000002
Relay_Log_Pos: 687
Relay_Master_Log_File: mariadb-bin.000001
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 401
Relay_Log_Space: 983
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 150
1 row in set (0.00 sec)
ERROR: No query specified
MariaDB [(none)]> select user,host from mysql.user;
+----------+---------------+
| user | host |
+----------+---------------+
| root | 127.0.0.1 |
| repluser | 192.168.141.% |
| root | ::1 |
| root | localhost |
+----------+---------------+
4 rows in set (0.00 sec) 可见此时已经连接master。
2、[root@CA ~]#mkdir /etc/my.cnf.d/ssl 专门存放证书
[root@CA ssl]#openssl genrsa 2048 > cakey.pem 生成CA的私钥
Generating RSA private key, 2048 bit long modulus
.....................................................................................................+++
.................................+++
e is 65537 (0x10001)
[root@CA ssl]#openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:huayixiongdi
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server‘s hostname) []:ca.magedu.com
Email Address []:
[root@CA ssl]#ll 这是CA给自己颁发的自签名的证书
total 8
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
[root@CA ssl]#openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr 生成master的私钥文件
Generating a 2048 bit RSA private key
.........................+++
....................................................+++
writing new private key to ‘master.key‘
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:huayixiongdi
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server‘s hostname) []:master.huayixiongdi.com
Email Address []:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CA ssl]#ll
total 16
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
-rw-r--r--. 1 root root 1029 Feb 26 16:11 master.csr
-rw-r--r--. 1 root root 1708 Feb 26 16:11 master.key
3、颁发CA证书:
[root@CA ssl]#openssl x509 -req -in master.csr -days 365 -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huayixiongdi/OU=devops/CN=master.huayixiongdi.com
Getting CA Private Key
[root@CA ssl]#ll
total 20
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
-rw-r--r--. 1 root root 1233 Feb 26 16:15 master.crt
-rw-r--r--. 1 root root 1029 Feb 26 16:11 master.csr
-rw-r--r--. 1 root root 1708 Feb 26 16:11 master.key 有三个文件
[root@CA ssl]#openssl x509 -req -in slave.csr -days 365 -CA cacert.pem -CAkey cakey.pem -set_serial 01 > slave.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huayixiongdi/OU=devops/CN=slave.huayixiongdi.com
Getting CA Private Key
[root@CA ssl]#ll
total 32
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
-rw-r--r--. 1 root root 1233 Feb 26 16:15 master.crt
-rw-r--r--. 1 root root 1029 Feb 26 16:11 master.csr
-rw-r--r--. 1 root root 1708 Feb 26 16:11 master.key
-rw-r--r--. 1 root root 1229 Feb 26 16:51 slave.crt
-rw-r--r--. 1 root root 1029 Feb 26 16:18 slave.csr
-rw-r--r--. 1 root root 1704 Feb 26 16:18 slave.key
主服务器此时没开启加密:
MariaDB [(none)]> show variables like‘%ssl%‘;
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+
7 rows in set (0.00 sec)
MariaDB [(none)]> show variables like‘%ssl%‘;
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+-------+
master:[root@centos7 ssl]#vim /etc/my.cnf
[mysqld]
log_bin
server_id=150
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/master.crt
ssl-key=/etc/my.cnf.d/ssl/master.key
MariaDB [(none)]> show variables like‘%ssl%‘;
+---------------+------------------------------+
| Variable_name | Value |
+---------------+------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/my.cnf.d/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /etc/my.cnf.d/ssl/master.crt |
| ssl_cipher | |
| ssl_key | /etc/my.cnf.d/ssl/master.key |
+---------------+------------------------------+
7 rows in set (0.00 sec)
我们用秘钥登陆:
[root@centos7 ssl]#mysql -ussluser -p123gxy -h 192.168.141.150 --ssl-ca=cacert.pem --ssl-cert=slave.crt --ssl-key=slave.key
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 7
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
MariaDB [(none)]> status
mysql Ver 15.1 Distrib 5.5.60-MariaDB, for Linux (x86_64) using readline 5.1
Connection id: 7
Current database:
Current user: ssluser@192.168.141.100
SSL: Cipher in use is DHE-RSA-AES256-GCM-SHA384
Current pager: stdout
Using outfile: ‘‘
Using delimiter: ;
Server: MariaDB
Server version: 5.5.60-MariaDB MariaDB Server
Protocol version: 10
Connection: 192.168.141.150 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 8 min 25 sec
普通登录:
[root@centos7 ssl]#mysql -ussluser -p123gxy -h 192.168.141.150
ERROR 1045 (28000): Access denied for user ‘ssluser‘@‘192.168.141.100‘ (using password: YES)
[root@centos7 ssl]#mysql -urepluser -p123gxy -h 192.168.141.150
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
MariaDB [(none)]> status;
mysql Ver 15.1 Distrib 5.5.60-MariaDB, for Linux (x86_64) using readline 5.1
Connection id: 9
Current database:
Current user: repluser@192.168.141.100
SSL: Not in use
Current pager: stdout
Using outfile: ‘‘
Using delimiter: ;
Server: MariaDB
Server version: 5.5.60-MariaDB MariaDB Server
Protocol version: 10
Connection: 192.168.141.150 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 11 min 7 sec
5、master:MariaDB [(none)]> show master logs;
+--------------------+-----------+
| Log_name | File_size |
+--------------------+-----------+
| mariadb-bin.000001 | 420 |
| mariadb-bin.000002 | 264 |
| mariadb-bin.000003 | 264 |
| mariadb-bin.000004 | 7897 |
+--------------------+-----------+
4 rows in set (0.00 sec) 已经7897了
MariaDB [(none)]> stop slave;
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> reset slave all;
Query OK, 0 rows affected (0.01 sec) 关闭清空slave的复制
重新建: 在slave:
MariaDB [(none)]> CHANGE MASTER TO
-> MASTER_HOST=‘192.168.141.150‘,
-> MASTER_USER=‘ssluser‘,
-> MASTER_PASSWORD=‘123gxy‘,
-> MASTER_PORT=3306,
-> MASTER_LOG_FILE=‘mariadb-bin.000004‘,
-> MASTER_LOG_POS=7897,
-> MASTER_SSL=1,
-> MASTER_SSL_CA = ‘/etc/my.cnf.d/ssl/cacert.pem‘,
-> MASTER_SSL_CERT = ‘/etc/my.cnf.d/ssl/slave.crt‘,
-> MASTER_SSL_KEY = ‘/etc/my.cnf.d/ssl/slave.key‘;
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> show slave status\G
1. row
Slave_IO_State:
Master_Host: 192.168.141.150
Master_User: ssluser
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mariadb-bin.000004
Read_Master_Log_Pos: 7897
Relay_Log_File: mariadb-relay-bin.000001
Relay_Log_Pos: 4
Relay_Master_Log_File: mariadb-bin.000004
Slave_IO_Running: No
Slave_SQL_Running: No
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 7897
Relay_Log_Space: 245
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/my.cnf.d/ssl/cacert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /etc/my.cnf.d/ssl/slave.crt
Master_SSL_Cipher:
Master_SSL_Key: /etc/my.cnf.d/ssl/slave.key
Seconds_Behind_Master: NULL
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 150
1 row in set (0.00 sec)
这时,开启从服务器:
DB [(none)]> start slave;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show slave status\G
1. row
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.141.150
Master_User: ssluser
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mariadb-bin.000004
Read_Master_Log_Pos: 7897
Relay_Log_File: mariadb-relay-bin.000002
Relay_Log_Pos: 531
Relay_Master_Log_File: mariadb-bin.000004
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 7897
Relay_Log_Space: 827
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/my.cnf.d/ssl/cacert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /etc/my.cnf.d/ssl/slave.crt
Master_SSL_Cipher:
Master_SSL_Key: /etc/my.cnf.d/ssl/slave.key
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 150
在master上创建用户:
MariaDB [(none)]> create database db1;
Query OK, 1 row affected (0.00 sec)
slave上马上回显示:
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| db1 |
| hellodb |
| mysql |
| performance_schema |
+--------------------+
5 rows in set (0.00 sec)
至此,本实验结束!
原文地址:https://blog.51cto.com/14128387/2355224