在Linux上配置MariaDB以使用SSL加密通信涉及几个步骤。以下是一个基本的指南,帮助你设置SSL加密通信:
首先,你需要生成SSL证书和密钥。你可以使用OpenSSL来生成这些文件。
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/mysql/ssl/ca-key.pem -out /etc/mysql/ssl/ca-cert.pem
sudo openssl req -newkey rsa:2048 -days 365 -nodes -keyout /etc/mysql/ssl/server-key.pem -out /etc/mysql/ssl/server-req.pem
sudo openssl x509 -req -in /etc/mysql/ssl/server-req.pem -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -CAcreateserial -out /etc/mysql/ssl/server-cert.pem
如果你需要客户端证书进行双向认证,可以生成客户端证书和密钥。
sudo openssl req -newkey rsa:2048 -days 365 -nodes -keyout /etc/mysql/ssl/client-key.pem -out /etc/mysql/ssl/client-req.pem
sudo openssl x509 -req -in /etc/mysql/ssl/client-req.pem -CA /etc/mysql/ssl/ca-cert.pem -CAkey /etc/mysql/ssl/ca-key.pem -CAcreateserial -out /etc/mysql/ssl/client-cert.pem
编辑MariaDB的配置文件(通常是/etc/my.cnf或/etc/mysql/my.cnf),添加或修改以下配置:
[mysqld]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
[mysqld_safe]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
保存配置文件并重启MariaDB服务以应用更改:
sudo systemctl restart mariadb
如果你需要客户端使用SSL连接,可以在客户端连接时指定SSL选项。例如,使用mysql命令行工具:
mysql --ssl-ca=/etc/mysql/ssl/ca-cert.pem --ssl-cert=/etc/mysql/ssl/client-cert.pem --ssl-key=/etc/mysql/ssl/client-key.pem -u your_username -p
你可以使用以下SQL查询来验证服务器是否正在使用SSL:
SHOW VARIABLES LIKE '%ssl%';
你应该看到类似以下的输出:
+---------------+----------+
| Variable_name | Value |
+---------------+----------+
| have_ssl | YES |
| ssl_ca | /etc/mysql/ssl/ca-cert.pem |
| ssl_cert | /etc/mysql/ssl/server-cert.pem |
| ssl_key | /etc/mysql/ssl/server-key.pem |
+---------------+----------+
通过这些步骤,你应该能够在Linux上成功配置MariaDB以使用SSL加密通信。
