sysown / proxysql

High-performance MySQL proxy with a GPL license.
http://www.proxysql.com
GNU General Public License v3.0

SSL authentication on frontend #1997

Open asharpaev opened 5 years ago

asharpaev commented 5 years ago

Hello, do you plan to make SSL/TLS client authentication on the frontend? and disable non SSL connections on it?

Thank you!

pondix commented 5 years ago

Please check https://github.com/sysown/proxysql/wiki/SSL-Support#ssl-configuration-for-frontends for the current implementation.

asharpaev commented 5 years ago

You didn't understand me. I want a "peer ssl verification" feature with CRL support (if it is possible). Like here https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client

pondix commented 5 years ago

Something like this? https://dev.mysql.com/doc/refman/8.0/en/encrypted-connection-options.html#option_general_ssl-crl

Honestly I don't think more SSL related features are on the short term roadmap unless the implementation gets sponsored / contributed however we can leave this open :)

asharpaev commented 5 years ago

Like this https://dev.mysql.com/doc/refman/8.0/en/encrypted-connection-options.html#option_general_ssl-mode where ssl_mode=VERIFY_CA or ssl_mode=VERIFY_IDENTITY

abg commented 5 years ago

Feels like for front-end TLS ssl_mode is already supported - this is a client side option outside of proxysql. Maybe there is some need for CRLs (but I personally don't care about CRLs). However, some way to disable unencrypted connections to the proxysql frontend would be very desirable. That is some feature along the line of per user REQUIRE SSL ... or mysql's require_secure_transport so that I can guarantee TLS encryption at least from client <-> proxysql.

For backend connections, it is disconcerting that there's no way to enable TLS verification (or even require at least encryption for proxysql <-> backend communication). But this point is already raised in #1465.

asharpaev commented 5 years ago

@abg, the front-end TLS ssl_mode is partially supported because proxysql doesn't check a client certificate for now. ATM we can connect to the frontend without a client certificate, like this: mysql -u %user% -p -h %host% -P %port% I want to ban it :) proxysql should disallow a connection without these options on a client side: mysql -u %user% -p -h %host% -P %port% --ssl-cert=cert.pem --ssl-key=key.pem (--ssl-ca=ca.pem optionally if we want use ssl_mode=VERIFY_CA or VERIFY_IDENTITY on a client side )

proxysql should check client certificates and break a connection if a check is failed

asharpaev commented 5 years ago

@abg, like this with options --tlsverify: https://docs.docker.com/engine/security/https/

renecannao commented 5 years ago

> That is some feature along the line of per user REQUIRE SSL

mysql_users.use_ssl provides this.

> or mysql's require_secure_transport

This is surely an interesting feature request!
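As an added example (not from this thread or the ProxySQL project's own documentation), these are the admin-interface statements that move a user from the weak setting to the enforced one described above; the user name `app_user` is an assumption, as is that it already exists in `mysql_users`:

```sql
-- Added example, not from the thread or the ProxySQL project.
-- Run against the ProxySQL admin interface (default port 6032).
-- Assumes a user named 'app_user' already exists in mysql_users.

-- Weak setting: use_ssl = 0 lets this user connect to the frontend in cleartext.
SELECT username, use_ssl FROM mysql_users WHERE username = 'app_user';

-- Corrected setting: require TLS for this user's frontend connections.
UPDATE mysql_users SET use_ssl = 1 WHERE username = 'app_user';

-- Apply to the running configuration, then persist it across restarts.
LOAD MYSQL USERS TO RUNTIME;
SAVE MYSQL USERS TO DISK;

-- Check what is actually enforced at runtime, not just what is stored on disk.
SELECT username, use_ssl FROM runtime_mysql_users WHERE username = 'app_user';
```

The runtime check matters because an `UPDATE` alone changes only the in-memory configuration table; nothing is enforced until `LOAD MYSQL USERS TO RUNTIME` runs. As the rest of the thread points out, `use_ssl` only rejects unencrypted connections for that user; it does not verify a client certificate.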

abg commented 5 years ago

> mysql_users.use_ssl provides this.

👍 Thanks! I missed that feature entirely and it solves a particular requirement I had. I don't need frontend x509 support presently unlike others.

FWIW, I don't think this feature is called out in the SSL support documentation or in the blog posts I found but maybe I was not looking in the right place.

bradjones1 commented 5 years ago

Requiring SSL for the connection is not the same as verifying a client certificate.

bertho-zero commented 4 years ago

I have followed the wiki and blog post about SSL frontend + backend but something is missing.

I need exactly the same as legionnet, even setting up the mysql servers correctly the certificates are not checked, but they are if I connect directly to one of the mysql servers.

ravyn440 commented 4 years ago

+1 - I need this as well - specifically, functionality that's equivalent to MySQL's REQUIRE SUBJECT. I'm going to attempt to implement it myself, but as I look through the ProxySQL source it's difficult to estimate the level of effort required. I have this feeling it's going to be a significant undertaking.

bertho-zero commented 4 years ago

> That is some feature along the line of per user REQUIRE SSL
>
> mysql_users.use_ssl provides this.
>
> or mysql's require_secure_transport
>
> This is surely an interesting feature request!

@renecannao Instead of REQUIRE SSL we should be able to put REQUIRE X509, this forces to specify a valid certificate. How is it possible to do it?

preethi111197 commented 3 years ago

Should custom SSL certificate for front-end connections need to follow same naming convention? Is it not allowed to have 1 pem file denoting ca in data directory?

preethi111197 commented 3 years ago

@pondix any way to pass the password of custom certificates while restarting proxysql

bitactive commented 1 year ago

Is X509 client verification (REQUIRE X509) still not supported?

renecannao commented 1 year ago

MTLS is supported using SPIFFE. Details here