20190225 Lab: Implementing SSL-Encrypted Master-Slave Replication

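Lab steps. Environment: three hosts: one CA (200), one master (150), one slave (100).
As usual, the private keys are generated for the users on the CA, that is, on the server.
1 Certificate files for the CA, master and slave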
mkdir /etc/my.cnf.d/ssl
cd /etc/my.cnf.d/ssl
openssl genrsa 2048 > cakey.pem
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
Issue a certificate for the master:
openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr
openssl x509 -req -in master.csr -days 365 -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt
Issue a certificate for the slave:
openssl req -newkey rsa:2048 -days 365 -nodes -keyout slave.key > slave.csr
openssl x509 -req -in slave.csr -days 365 -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt

[root@CA ssl]#ls /etc/my.cnf.d/ssl/
cacert.pem cakey.pem master.crt master.csr master.key slave.crt slave.csr slave.key

scp -r /etc/my.cnf.d/ssl master:/etc/my.cnf.d/

scp -r /etc/my.cnf.d/ssl slave:/etc/my.cnf.d/

2 master
vim /etc/my.cnf
[mysqld]
log-bin
server-id=17
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/master.crt
ssl-key=/etc/my.cnf.d/ssl/master.key

mysql> grant replication slave on *.* to ssluser@'192.168.35.%' identified by 'centos' require ssl;

3 slave

vim /etc/my.cnf
[mysqld]
server-id=27
read-only

mysql> CHANGE MASTER TO
MASTER_HOST='master',
MASTER_USER='ssluser',
MASTER_PASSWORD='centos',
MASTER_PORT=3306,
MASTER_LOG_FILE='mariadb-bin.000003',
MASTER_LOG_POS=7821,
MASTER_SSL=1,
MASTER_SSL_CA = '/etc/my.cnf.d/ssl/cacert.pem',
MASTER_SSL_CERT = '/etc/my.cnf.d/ssl/slave.crt',
MASTER_SSL_KEY = '/etc/my.cnf.d/ssl/slave.key';
mysql> start slave;

1. On host 150, edit the configuration file and add "log_bin" and "server_id=150"; on host 100, edit the configuration file and add "server_id=100" and "read_only".
On the master (150):
[root@centos7 ~]#vim /etc/my.cnf
[root@centos7 ~]#systemctl restart mariadb
[root@centos7 ~]#mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

Create the user:
MariaDB [(none)]> grant replication slave on *.* to repluser@'192.168.141.%' identified by '123gxy';
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> show master logs;
+--------------------+-----------+
| Log_name | File_size |
+--------------------+-----------+
| mariadb-bin.000001 | 401 |
+--------------------+-----------+
1 row in set (0.00 sec)
On the slave (100):
MariaDB [(none)]> CHANGE MASTER TO MASTER_HOST='192.168.141.150', MASTER_USER='repluser', MASTER_PASSWORD='123gxy', MASTER_PORT=3306, MASTER_LOG_FILE='mariadb-bin.000001', MASTER_LOG_POS=245;
Query OK, 0 rows affected (0.02 sec)

MariaDB [(none)]> start slave;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> show slave status\G;
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.141.150
Master_User: repluser
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mariadb-bin.000001
Read_Master_Log_Pos: 401
Relay_Log_File: mariadb-relay-bin.000002
Relay_Log_Pos: 687
Relay_Master_Log_File: mariadb-bin.000001
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 401
Relay_Log_Space: 983
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: No
Master_SSL_CA_File:
Master_SSL_CA_Path:
Master_SSL_Cert:
Master_SSL_Cipher:
Master_SSL_Key:
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 150
1 row in set (0.00 sec)

ERROR: No query specified

MariaDB [(none)]> select user,host from mysql.user;
+----------+---------------+
| user | host |
+----------+---------------+
| root | 127.0.0.1 |
| repluser | 192.168.141.% |
| root | ::1 |
| root | localhost |
+----------+---------------+
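4 rows in set (0.00 sec)
As shown, the slave is now connected to the master.
2. On the CA, create a directory dedicated to the certificates:
[root@CA ~]#mkdir /etc/my.cnf.d/ssl
Generate the CA's private key:
[root@CA ssl]#openssl genrsa 2048 > cakey.pem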
Generating RSA private key, 2048 bit long modulus
.....................................................................................................+++
.................................+++
e is 65537 (0x10001)
[root@CA ssl]#openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:huayixiongdi
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
This is the self-signed certificate the CA issued to itself:
[root@CA ssl]#ll
total 8
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
Generate the master's private key file:
[root@CA ssl]#openssl req -newkey rsa:2048 -days 365 -nodes -keyout master.key > master.csr
Generating a 2048 bit RSA private key
.........................+++
....................................................+++
writing new private key to 'master.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:huayixiongdi
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:master.huayixiongdi.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CA ssl]#ll
total 16
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
-rw-r--r--. 1 root root 1029 Feb 26 16:11 master.csr
-rw-r--r--. 1 root root 1708 Feb 26 16:11 master.key
3. Issue the certificates from the CA:
[root@CA ssl]#openssl x509 -req -in master.csr -days 365 -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huayixiongdi/OU=devops/CN=master.huayixiongdi.com
Getting CA Private Key
[root@CA ssl]#ll
total 20
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
-rw-r--r--. 1 root root 1233 Feb 26 16:15 master.crt
-rw-r--r--. 1 root root 1029 Feb 26 16:11 master.csr
-rw-r--r--. 1 root root 1708 Feb 26 16:11 master.key
There are now three files for the master.
[root@CA ssl]#openssl x509 -req -in slave.csr -days 365 -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huayixiongdi/OU=devops/CN=slave.huayixiongdi.com
Getting CA Private Key
[root@CA ssl]#ll
total 32
-rw-r--r--. 1 root root 1346 Feb 26 15:59 cacert.pem
-rw-r--r--. 1 root root 1679 Feb 26 15:56 cakey.pem
-rw-r--r--. 1 root root 1233 Feb 26 16:15 master.crt
-rw-r--r--. 1 root root 1029 Feb 26 16:11 master.csr
-rw-r--r--. 1 root root 1708 Feb 26 16:11 master.key
-rw-r--r--. 1 root root 1229 Feb 26 16:51 slave.crt
-rw-r--r--. 1 root root 1029 Feb 26 16:18 slave.csr
-rw-r--r--. 1 root root 1704 Feb 26 16:18 slave.key
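The listing above shows every private key with mode 0644, and the `scp -r` step in the summary copies the whole directory, `cakey.pem` and the other host's key included, to both database hosts. The following is an added example, not part of the original post: it stages only the files one host needs and audits a host's copy. The function names, the finding codes and the role names `master`/`slave` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). ROLE is "master" or "slave";
# file names are the ones used in this post.

# stage_for_role SRC ROLE OUT: copy only what ROLE needs, so that cakey.pem and
# the peer's key never leave the CA host. Copy OUT to the host instead of ssl/.
stage_for_role() {
    src=$1; role=$2; out=$3
    mkdir -p "$out" || return 1
    cp "$src/cacert.pem" "$src/$role.crt" "$src/$role.key" "$out"/ || return 1
    chmod 644 "$out/cacert.pem" "$out/$role.crt" || return 1
    # 0600 leaves the key readable by its owner only: on the database host it
    # must then be owned by the account mysqld runs as.
    chmod 600 "$out/$role.key"
}

# audit_ssl_dir DIR ROLE: print one finding per line, return 1 if any.
audit_ssl_dir() {
    dir=$1; role=$2; rc=0
    for f in "$dir"/*.key "$dir"/*key.pem; do
        [ -f "$f" ] || continue          # unmatched glob stays literal
        name=${f##*/}
        if [ "$name" != "$role.key" ]; then
            echo "FOREIGN_KEY $name: not this host's key, it should not be here"; rc=1
        elif [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
            echo "KEY_READABLE $name: readable by group or others"; rc=1
        fi
    done
    [ -f "$dir/$role.key" ] || { echo "KEY_MISSING $role.key"; rc=1; }
    return "$rc"
}

# Demo on constructed empty files, named and chmod-ed like the listing above.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/ssl"
    for n in cacert.pem cakey.pem master.crt master.csr master.key \
             slave.crt slave.csr slave.key; do : > "$work/ssl/$n"; done
    chmod 644 "$work/ssl"/*
    echo "== full directory as copied to the slave =="
    audit_ssl_dir "$work/ssl" slave || true
    stage_for_role "$work/ssl" slave "$work/slave-ssl"
    echo "== staged copy for the slave =="
    audit_ssl_dir "$work/slave-ssl" slave && echo "clean"
    rm -rf "$work"
}
demo
```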
At this point SSL is not yet enabled on the master:
MariaDB [(none)]> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_openssl | DISABLED |
| have_ssl | DISABLED |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+----------+
7 rows in set (0.00 sec)

MariaDB [(none)]> show variables like '%ssl%';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | |
| ssl_capath | |
| ssl_cert | |
| ssl_cipher | |
| ssl_key | |
+---------------+-------+
On the master:
[root@centos7 ssl]#vim /etc/my.cnf
[mysqld]
log_bin
server_id=150
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/master.crt
ssl-key=/etc/my.cnf.d/ssl/master.key

MariaDB [(none)]> show variables like '%ssl%';
+---------------+------------------------------+
| Variable_name | Value |
+---------------+------------------------------+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/my.cnf.d/ssl/cacert.pem |
| ssl_capath | |
| ssl_cert | /etc/my.cnf.d/ssl/master.crt |
| ssl_cipher | |
| ssl_key | /etc/my.cnf.d/ssl/master.key |
+---------------+------------------------------+
7 rows in set (0.00 sec)
Log in using the certificate and key:
[root@centos7 ssl]#mysql -ussluser -p123gxy -h 192.168.141.150 --ssl-ca=cacert.pem --ssl-cert=slave.crt --ssl-key=slave.key
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 7
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> status

mysql Ver 15.1 Distrib 5.5.60-MariaDB, for Linux (x86_64) using readline 5.1

Connection id: 7
Current database:
Current user: ssluser@192.168.141.100
SSL: Cipher in use is DHE-RSA-AES256-GCM-SHA384
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 5.5.60-MariaDB MariaDB Server
Protocol version: 10
Connection: 192.168.141.150 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 8 min 25 sec
Ordinary login (without SSL):
[root@centos7 ssl]#mysql -ussluser -p123gxy -h 192.168.141.150
ERROR 1045 (28000): Access denied for user 'ssluser'@'192.168.141.100' (using password: YES)
[root@centos7 ssl]#mysql -urepluser -p123gxy -h 192.168.141.150
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9
Server version: 5.5.60-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> status;

mysql Ver 15.1 Distrib 5.5.60-MariaDB, for Linux (x86_64) using readline 5.1

Connection id: 9
Current database:
Current user: repluser@192.168.141.100
SSL: Not in use
Current pager: stdout
Using outfile: ''
Using delimiter: ;
Server: MariaDB
Server version: 5.5.60-MariaDB MariaDB Server
Protocol version: 10
Connection: 192.168.141.150 via TCP/IP
Server characterset: latin1
Db characterset: latin1
Client characterset: utf8
Conn. characterset: utf8
TCP port: 3306
Uptime: 11 min 7 sec
5. On the master:
MariaDB [(none)]> show master logs;
+--------------------+-----------+
| Log_name | File_size |
+--------------------+-----------+
| mariadb-bin.000001 | 420 |
| mariadb-bin.000002 | 264 |
| mariadb-bin.000003 | 264 |
| mariadb-bin.000004 | 7897 |
+--------------------+-----------+
4 rows in set (0.00 sec)
The position has already reached 7897.
MariaDB [(none)]> stop slave;
Query OK, 0 rows affected (0.01 sec)

MariaDB [(none)]> reset slave all;
Query OK, 0 rows affected (0.01 sec)
This stops replication on the slave and clears its replication settings.
Set it up again, on the slave:
MariaDB [(none)]> CHANGE MASTER TO
-> MASTER_HOST='192.168.141.150',
-> MASTER_USER='ssluser',
-> MASTER_PASSWORD='123gxy',
-> MASTER_PORT=3306,
-> MASTER_LOG_FILE='mariadb-bin.000004',
-> MASTER_LOG_POS=7897,
-> MASTER_SSL=1,
-> MASTER_SSL_CA = '/etc/my.cnf.d/ssl/cacert.pem',
-> MASTER_SSL_CERT = '/etc/my.cnf.d/ssl/slave.crt',
-> MASTER_SSL_KEY = '/etc/my.cnf.d/ssl/slave.key';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> show slave status\G
*************************** 1. row ***************************
Slave_IO_State:
Master_Host: 192.168.141.150
Master_User: ssluser
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mariadb-bin.000004
Read_Master_Log_Pos: 7897
Relay_Log_File: mariadb-relay-bin.000001
Relay_Log_Pos: 4
Relay_Master_Log_File: mariadb-bin.000004
Slave_IO_Running: No
Slave_SQL_Running: No
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 7897
Relay_Log_Space: 245
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/my.cnf.d/ssl/cacert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /etc/my.cnf.d/ssl/slave.crt
Master_SSL_Cipher:
Master_SSL_Key: /etc/my.cnf.d/ssl/slave.key
Seconds_Behind_Master: NULL
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 150
1 row in set (0.00 sec)
Now start the slave:
MariaDB [(none)]> start slave;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> show slave status\G
*************************** 1. row ***************************
Slave_IO_State: Waiting for master to send event
Master_Host: 192.168.141.150
Master_User: ssluser
Master_Port: 3306
Connect_Retry: 60
Master_Log_File: mariadb-bin.000004
Read_Master_Log_Pos: 7897
Relay_Log_File: mariadb-relay-bin.000002
Relay_Log_Pos: 531
Relay_Master_Log_File: mariadb-bin.000004
Slave_IO_Running: Yes
Slave_SQL_Running: Yes
Replicate_Do_DB:
Replicate_Ignore_DB:
Replicate_Do_Table:
Replicate_Ignore_Table:
Replicate_Wild_Do_Table:
Replicate_Wild_Ignore_Table:
Last_Errno: 0
Last_Error:
Skip_Counter: 0
Exec_Master_Log_Pos: 7897
Relay_Log_Space: 827
Until_Condition: None
Until_Log_File:
Until_Log_Pos: 0
Master_SSL_Allowed: Yes
Master_SSL_CA_File: /etc/my.cnf.d/ssl/cacert.pem
Master_SSL_CA_Path:
Master_SSL_Cert: /etc/my.cnf.d/ssl/slave.crt
Master_SSL_Cipher:
Master_SSL_Key: /etc/my.cnf.d/ssl/slave.key
Seconds_Behind_Master: 0
Master_SSL_Verify_Server_Cert: No
Last_IO_Errno: 0
Last_IO_Error:
Last_SQL_Errno: 0
Last_SQL_Error:
Replicate_Ignore_Server_Ids:
Master_Server_Id: 150
Create a database on the master:
MariaDB [(none)]> create database db1;
Query OK, 1 row affected (0.00 sec)
It shows up on the slave immediately:
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| db1 |
| hellodb |
| mysql |
| performance_schema |
+--------------------+
5 rows in set (0.00 sec)
This concludes the lab.
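In both SSL-enabled status outputs above, `Master_SSL_Verify_Server_Cert` is `No` and `Master_Host` is an IP address, while the master's certificate was issued to master.huayixiongdi.com: the channel is encrypted, but the slave does not check which host it is talking to. The following added example (not part of the original post) audits `SHOW SLAVE STATUS\G` text for these conditions; the function names and finding codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the SSL fields of `SHOW SLAVE STATUS\G` text read from
# stdin. Prints one finding per line; exit status is 1 when anything is flagged.

field() {   # field NAME -> value of the "NAME: value" line held in $STATUS
    printf '%s\n' "$STATUS" | awk -v k="$1:" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        !hit && index($0, k) == 1 { sub(/^[^:]*:[ \t]*/, ""); print; hit = 1 }'
}

note() { echo "$1"; FINDINGS=$((FINDINGS + 1)); }

audit_slave_status() {
    STATUS=$(cat); FINDINGS=0
    [ "$(field Slave_IO_Running)" = "Yes" ]  || note "IO_DOWN: I/O thread is not running"
    [ "$(field Slave_SQL_Running)" = "Yes" ] || note "SQL_DOWN: SQL thread is not running"
    if [ "$(field Master_SSL_Allowed)" != "Yes" ]; then
        note "NO_TLS: the replication channel is not configured for SSL"
    else
        [ -n "$(field Master_SSL_CA_File)$(field Master_SSL_CA_Path)" ] ||
            note "NO_CA: no CA file or path is configured on the slave"
        [ "$(field Master_SSL_Verify_Server_Cert)" = "Yes" ] ||
            note "NO_VERIFY: MASTER_SSL_VERIFY_SERVER_CERT is off, the master's certificate is not checked"
        case "$(field Master_Host)" in
            "" | *[!0-9.]*) ;;   # empty, or a host name
            *) note "IP_HOST: Master_Host is an IP literal, verification needs a name the certificate carries" ;;
        esac
    fi
    [ "$FINDINGS" -eq 0 ]
}

# Sample input: abridged from the second SSL-enabled status output in this post.
sample_status() {
    cat <<'EOF'
                  Master_Host: 192.168.141.150
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
           Master_SSL_Allowed: Yes
           Master_SSL_CA_File: /etc/my.cnf.d/ssl/cacert.pem
           Master_SSL_CA_Path:
              Master_SSL_Cert: /etc/my.cnf.d/ssl/slave.crt
               Master_SSL_Key: /etc/my.cnf.d/ssl/slave.key
Master_SSL_Verify_Server_Cert: No
EOF
}

sample_status | audit_slave_status || true
```

On a live slave the same function can be fed with `mysql -e 'show slave status\G' | audit_slave_status`.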

Original article: https://blog.51cto.com/14128387/2355224
