以下是使用OpenSSL配置Ubuntu数据库安全的步骤,以MySQL和PostgreSQL为例:
sudo apt update && sudo apt install openssl
openssl genrsa -out ca-key.pem 2048
openssl req -new -x509 -days 3650 -key ca-key.pem -out ca-cert.pem
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem
openssl x509 -req -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem
openssl x509 -req -days 3650 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
sudo mkdir -p /etc/mysql/ssl
sudo mv ca-cert.pem server-cert.pem server-key.pem /etc/mysql/ssl/
sudo chown -R mysql:mysql /etc/mysql/ssl
sudo chmod 600 /etc/mysql/ssl/*.pem
/etc/mysql/my.cnf,在 [mysqld] 部分添加:[mysqld]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
require_secure_transport=ON # 强制使用SSL连接
sudo systemctl restart mysql
mysql -u root -p --ssl-ca=/etc/mysql/ssl/ca-cert.pem -e "SHOW VARIABLES LIKE 'have_ssl';"
server.crt、server.key、ca.crt)放置到 /var/lib/postgresql/data/ 或指定路径。postgresql.conf:ssl = on
ssl_cert_file = '/path/to/server.crt'
ssl_key_file = '/path/to/server.key'
ssl_ca_file = '/path/to/ca.crt' # 可选,双向认证需配置
pg_hba.conf,添加SSL连接规则:# 允许SSL连接
hostssl all all 0.0.0.0/0 md5
# 或双向认证(需客户端提供证书)
# hostssl all all 0.0.0.0/0 cert clientcert=1
sudo systemctl restart postgresql
psql 命令行工具:psql "host=localhost port=5432 dbname=postgres user=postgres sslmode=require"
/etc/ssl/openssl.cnf,在 [system_default_sect] 中设置:MinProtocol = TLSv1.2
CipherString = HIGH:!aNULL:!MD5
ufw)限制数据库端口(MySQL:3306,PostgreSQL:5432)的访问范围:sudo ufw allow from <trusted_ip> to any port 3306
sudo ufw enable
