Open ivanovaleksandar opened 4 years ago
mysql_users.use_ssl does that.
I checked the documentation, and indeed it doesn't seem well documented.
Adding documentation label to this issue.
I am trying to test this, but there is no change in behaviour. Where should I set this option on proxysql's side?
Already tried setting mysql global var, the server and the user, but none are actually having any effect when I explicitly use --ssl-mode=DISABLED so I can still log in without SSL.
datadir="/var/lib/proxysql"
admin_variables=
{
    admin_credentials="proxysql-admin:adminpass"
    mysql_ifaces="0.0.0.0:6032"
    refresh_interval=2000
}
mysql_variables=
{
    have_ssl=true
    use_ssl=1
    threads=4
    max_connections=2048
    default_query_delay=0
    default_query_timeout=36000000
    have_compress=true
    poll_timeout=2000
    interfaces="0.0.0.0:6033;/tmp/proxysql.sock"
    default_schema="information_schema"
    stacksize=1048576
    server_version="5.1.30"
    connect_timeout_server=10000
    monitor_history=600
    monitor_connect_interval=20000000
    monitor_ping_interval=20000000
    ping_interval_server_msec=10000
    ping_timeout_server=200
    commands_stats=true
    sessions_sort=true
}
mysql_servers =
(
    { address="1.2.3.4" , port=3306 , hostgroup=10, max_connections=100, use_ssl = 1 }
)
mysql_users =
(
    { username = "myuser" , password = "mypass" , default_hostgroup = 10 , active = 1, use_ssl = 1 }
)
@ivanovaleksandar The equivalent of REQUIRE SSL exists, the equivalent of REQUIRE X509 is missing.
@ivanovaleksandar I stumbled across this and it turns out you'll need to set it as part of the mysql user setup.
mysql_users:
(
    {
        username = "username", password = "password", default_hostgroup = 0, use_ssl = 1
    }
)
I wanted to point out that @ivanovaleksandar is looking for an equivalent to require_secure_transport.
@ivanovaleksandar, I can confirm that mysql_users.use_ssl is the field that forces TLS connections. See below how a plaintext connection attempt gets rejected by ProxySQL:
$ mysql ... --execute "INSERT OR REPLACE INTO mysql_users (username, password, active, default_hostgroup, use_ssl) VALUES ('alex','alex', 1, 10, 1);"
$ mysql -ualex -palex --disable-ssl
ERROR 1045 (28000): ProxySQL Error: Access denied for user 'alex' (using password: YES). SSL is required
$ mysql -ualex -palex
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 308
Server version: 8.0.25 (ProxySQL)
--disable-ssl is MariaDB's equivalent for MySQL's --ssl-mode=DISABLED. I vote for closing this issue.
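An added example, not part of the original thread or ProxySQL's own code: because enforcement is per user, the audit below lists active frontend accounts that would still be accepted over plaintext and sets use_ssl = 1 for them. It runs against a constructed in-memory SQLite stand-in for mysql_users with a reduced column set; every row except alex is made up and the function names are hypothetical.

```python
import sqlite3

# Constructed stand-in for ProxySQL's mysql_users table (reduced column set).
SCHEMA = """
CREATE TABLE mysql_users (
    username          TEXT    NOT NULL,
    password          TEXT,
    active            INTEGER NOT NULL DEFAULT 1,
    use_ssl           INTEGER NOT NULL DEFAULT 0,
    default_hostgroup INTEGER NOT NULL DEFAULT 0,
    frontend          INTEGER NOT NULL DEFAULT 1,
    PRIMARY KEY (username, frontend)
)"""

# Active frontend accounts that ProxySQL will still accept over plaintext.
AUDIT = """SELECT username, default_hostgroup FROM mysql_users
           WHERE active = 1 AND frontend = 1 AND use_ssl = 0
           ORDER BY username"""
ENFORCE = """UPDATE mysql_users SET use_ssl = 1
             WHERE active = 1 AND frontend = 1 AND use_ssl = 0"""

def sample_db():
    """In-memory table; 'alex' is the row from the thread, the rest are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT OR REPLACE INTO mysql_users "
        "(username, password, active, default_hostgroup, use_ssl) VALUES (?, ?, ?, ?, ?)",
        [("alex", "alex", 1, 10, 1),
         ("myuser", "placeholder", 1, 10, 0),
         ("report", "placeholder", 1, 20, 0),
         ("legacy", "placeholder", 0, 10, 0)])  # inactive, so not reported
    return db

def plaintext_users(db):
    """Return (username, default_hostgroup) for accounts not forced onto TLS."""
    return db.execute(AUDIT).fetchall()

def enforce_tls(db):
    """Set use_ssl = 1 on every reported account; return the number of rows changed."""
    changed = db.execute(ENFORCE).rowcount
    db.commit()
    return changed

if __name__ == "__main__":
    db = sample_db()
    print("plaintext allowed:", plaintext_users(db))
    print("rows updated:", enforce_tls(db))
    print("plaintext allowed after fix:", plaintext_users(db))
```

On a live instance the same two statements are issued through the admin interface, followed by LOAD MYSQL USERS TO RUNTIME; and SAVE MYSQL USERS TO DISK; so the change takes effect and persists.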
Is there a plan for introducing SSL enforcement for frontend connections [mysql client -> proxysql]?
It will be very beneficial to have a bool flag for this, similar to require_secure_transport. Otherwise, we are relying on the client to use --ssl-mode. If this is already possible, then the documentation needs to be improved.