[2] MariaDB – SSL/TLS

26 stycznia 2022, autor: Adam [zicherka] Nogły

Skonfigurujemy teraz ustawienia SSL/TLS dla MariaDB

[1] Pobierz certyfikaty z Let's Encrypt lub wygeneruj swoje własne. My użyjemy własnych.

[2] Skonfiguruj MariaDB do używania SSL/TLS.

#skopiuj certyfikaty; klucz prywatny (server.key) powinien być czytelny wyłącznie dla użytkownika mysql (np. chmod 600), a nie dla całej grupy czy innych użytkowników
[root@vlsr01 ~]# mkdir /var/lib/mysql/pki
[root@vlsr01 ~]# cp /etc/pki/tls/certs/{server.crt,server.key,ca-bundle.crt} /var/lib/mysql/pki/
[root@vlsr01 ~]# chown -R mysql. /var/lib/mysql/pki
[root@vlsr01 ~]# mcedit /etc/my.cnf.d/mariadb-server.cnf
#dodaj w sekcji [mysqld]
[mysqld]
ssl-ca=/var/lib/mysql/pki/ca-bundle.crt
ssl-cert=/var/lib/mysql/pki/server.crt
ssl-key=/var/lib/mysql/pki/server.key

[root@vlsr01 ~]# systemctl restart mariadb

#sprawdź ustawienia
[root@vlsr01 ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.5.9-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show variables like '%ssl%';
+---------------------+----------------------------------+
| Variable_name       | Value                            |
+---------------------+----------------------------------+
| have_openssl        | YES                              |
| have_ssl            | YES                              |
| ssl_ca              | /var/lib/mysql/pki/ca-bundle.crt |
| ssl_capath          |                                  |
| ssl_cert            | /var/lib/mysql/pki/server.crt    |
| ssl_cipher          |                                  |
| ssl_crl             |                                  |
| ssl_crlpath         |                                  |
| ssl_key             | /var/lib/mysql/pki/server.key    |
| version_ssl_library | OpenSSL 1.1.1k  FIPS 25 Mar 2021 |
+---------------------+----------------------------------+
10 rows in set (0.001 sec)

[3] Aby połączyć się za pomocą SSL, musisz podać opcję [--ssl]. Sama opcja --ssl szyfruje połączenie, ale nie weryfikuje tożsamości serwera – do tego klient musi dodatkowo sprawdzać certyfikat serwera względem CA.

[root@vlsr01 ~]# mysql --ssl
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.5.9-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
#pokaż status
MariaDB [(none)]> show status like 'ssl_cipher';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| Ssl_cipher    | TLS_AES_256_GCM_SHA384 |
+---------------+------------------------+
1 row in set (0.001 sec)
MariaDB [(none)]> exit
Bye

#dla połączenia bez SSL
[root@vlsr01 ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5
Server version: 10.5.9-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show status like 'ssl_cipher';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| Ssl_cipher    |       |
+---------------+-------+
1 row in set (0.000 sec)
MariaDB [(none)]> exit
Bye

[4] Aby wymusić połączenia SSL na użytkownikach wykonaj:

[root@vlsr01 ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 6
Server version: 10.5.9-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

#stwórz użytkownika dla którego wymagane jest SSL/TLS
MariaDB [(none)]> create user ssluser identified by 'TajneHasło' require ssl;
Query OK, 0 rows affected (0.011 sec)

#pokaż, dla których użytkowników wymagane jest SSL/TLS (kolumna ssl_type)
MariaDB [(none)]> select user,host,ssl_type from mysql.user;
+-------------+-----------+----------+
| User        | Host      | ssl_type |
+-------------+-----------+----------+
| mariadb.sys | localhost |          |
| root        | localhost |          |
| mysql       | localhost |          |
| wordpress   | localhost |          |
| ssluser     | %         | ANY      |
+-------------+-----------+----------+
5 rows in set (0.040 sec)

#wymuś SSL/TLS dla już istniejących użytkowników
MariaDB [(none)]> grant usage on *.* to 'nossluser'@'%' require ssl;
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> select user,host,ssl_type from mysql.user;
+-------------+-----------+----------+
| User        | Host      | ssl_type |
+-------------+-----------+----------+
| mariadb.sys | localhost |          |
| root        | localhost |          |
| mysql       | localhost |          |
| wordpress   | localhost |          |
| ssluser     | %         | ANY      |
| redhat      | %         | ANY      |
| nossluser   | %         | ANY      |
+-------------+-----------+----------+
7 rows in set (0.001 sec)