Table of Contents
1 MySQL加密配置
概述
本文将以CentOS 8.2和MySQL 8.0.21为例,介绍如何配置数据库加密连接。
如果MySQL主机设置为localhost,加密选项将是不可用,这种情况下,Zabbix前端和数据库之间使用socket文件连接(在Unix上)或共享内存(在Windows上),所以不能加密。
加密组合列表不限于本页列出的。还有更多组合可供选择。
先决条件
安装MySQL请参照 official repository.
有关如何使用 MySQL 存储库的详细信息 请参照MySQL documentation
MySQL服务器已准备好使用自签名证书接受安全连接.
若想查看哪些用户正在使用加密连接,请运行以下查询 (Performance Schema 选项应打开):
mysql> SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher, processlist_user AS user, processlist_host AS host
FROM performance_schema.status_by_thread AS sbt
JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id
JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id
WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher'
ORDER BY tls_version;所需模式
MySQL 配置
当前版本数据库的加密模式已经可以开箱即用 encryption mode. 将在初始设置及启动后创建服务器端证书.
为主要组件创建用户和角色:
mysql> CREATE USER
'zbx_srv'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>',
'zbx_web'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>'
REQUIRE SSL
PASSWORD HISTORY 5;
mysql> CREATE ROLE 'zbx_srv_role', 'zbx_web_role';
mysql> GRANT SELECT, UPDATE, DELETE, INSERT, CREATE, DROP, ALTER, INDEX, REFERENCES ON zabbix.* TO 'zbx_srv_role';
mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON zabbix.* TO 'zbx_web_role';
mysql> GRANT 'zbx_srv_role' TO 'zbx_srv'@'%';
mysql> GRANT 'zbx_web_role' TO 'zbx_web'@'%';
mysql> SET DEFAULT ROLE 'zbx_srv_role' TO 'zbx_srv'@'%';
mysql> SET DEFAULT ROLE 'zbx_web_role' TO 'zbx_web'@'%';注意, X.509 协议不检查标识, 但会将用户设置为仅使用加密连接。配置用户的更多详细信息请参阅MySQL文档 MySQL documentation。
运行如下命令以检查连接(socket连接不能用于安全连接测试):
检查当前状态和可用的密码套件:
mysql> status
--------------
mysql Ver 8.0.21 for Linux on x86_64 (MySQL Community Server - GPL)
Connection id: 62
Current database:
Current user: [email protected]
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
mysql> SHOW SESSION STATUS LIKE 'Ssl_cipher_list'\G;
*************************** 1. row ***************************
Variable_name: Ssl_cipher_list
Value: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:CAMELLIA128-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA
1 row in set (0.00 sec)
ERROR:
No query specified前端
要为 Zabbix 前端和数据库之间的连接建立传输加密,请执行以下操作:
- 勾选 Database TLS encryption
- 取消勾选 Verify database certificate
服务端
要为服务端和数据库之间启用连接传输加密,请修改该文件 /etc/zabbix/zabbix_server.conf:
...
DBHost=10.211.55.9
DBName=zabbix
DBUser=zbx_srv
DBPassword=<strong_password>
DBTLSConnect=required
...Encryption with certificate authority verification
Copy required MySQL CA to the Zabbix frontend server, assign proper permissions to allow the webserver to read this file.
This mode doesn't work on SLES 12 and RHEL 7 due to older MySQL libraries.
使用证书验证为 Zabbix 前端和数据库之间的连接启用加密:
- 勾选Database TLS encryption 和 Verify database certificate
- 指定数据库 TLS CA 文件的路径
或者,可以在 /etc/zabbix/web/zabbix.conf.php 配置:
...
$DB['ENCRYPTION'] = true;
$DB['KEY_FILE'] = '';
$DB['CERT_FILE'] = '';
$DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem';
$DB['VERIFY_HOST'] = false;
$DB['CIPHER_LIST'] = '';
...使用命令行工具对用户进行故障排除,以检查所需用户是否可以连接:
服务端
要为Zabbix服务器和数据库之间的连接启用加密和证书验证,请配置 /etc/zabbix/zabbix_server.conf:
...
DBHost=10.211.55.9
DBName=zabbix
DBUser=zbx_srv
DBPassword=<strong_password>
DBTLSConnect=verify_ca
DBTLSCAFile=/etc/ssl/mysql/ca.pem
...验证完整模式
MySQL 配置
MySQL CE 请参考如下配置 (/etc/my.cnf.d/server-tls.cnf) :
[mysqld]
...
# in this examples keys are located in the MySQL CE datadir directory
ssl_ca=ca.pem
ssl_cert=server-cert.pem
ssl_key=server-key.pem
require_secure_transport=ON
tls_version=TLSv1.3
...MySQL CE服务器和客户端(Zabbix前端)的密钥应根据MySQl CE文档手动创建:Creating SSL and RSA certificates and keys using MySQL or Creating SSL certificates and keys using openssl
MySQL服务器证书应设置为包含FQDN的名称,因为Zabbix前端将使用域名与数据库或数据库主机的IP地址进行通信。
创建MySQL用户:
mysql> CREATE USER
'zbx_srv'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>',
'zbx_web'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>'
REQUIRE X509
PASSWORD HISTORY 5;检查是否可使用该用户登录:
$ mysql -u zbx_web -p -h 10.211.55.9 --ssl-mode=VERIFY_IDENTITY --ssl-ca=/var/lib/mysql/ca.pem --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem前端
启用加密,并对 Zabbix 前端和数据库之间的连接进行验证:
检查数据库 TLS 加密并验证数据库证书
数据库指定的 TLS 密钥文件路径
数据库指定的 TLS CA 文件路径
数据库指定的 TLS 证书文件路径
注意,MySQL 这个选项 Database host verification 是被选中的并显示为灰色.
密码列表应当为空,以便前端和服务器可以从两端支持的列表中协商出所需的密码列表。
或者可以在此配置 /etc/zabbix/web/zabbix.conf.php:
...
// Used for TLS connection with strictly defined Cipher list.
$DB['ENCRYPTION'] = true;
$DB['KEY_FILE'] = '/etc/ssl/mysql/client-key.pem';
$DB['CERT_FILE'] = '/etc/ssl/mysql/client-cert.pem';
$DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem';
$DB['VERIFY_HOST'] = true;
$DB['CIPHER_LIST'] = 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GC';
...
// 或
...
// Used for TLS connection without Cipher list defined - selected by MySQL server
$DB['ENCRYPTION'] = true;
$DB['KEY_FILE'] = '/etc/ssl/mysql/client-key.pem';
$DB['CERT_FILE'] = '/etc/ssl/mysql/client-cert.pem';
$DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem';
$DB['VERIFY_HOST'] = true;
$DB['CIPHER_LIST'] = '';
...服务端
要为Zabbix服务端和数据库之间启用加密连接并进行完全验证,请配置 /etc/zabbix/zabbix_server.conf: