sysown / proxysql

High-performance MySQL proxy with a GPL license.
http://www.proxysql.com
GNU General Public License v3.0

Enforce SSL for frontend connections #3018

Open ivanovaleksandar opened 4 years ago

ivanovaleksandar commented 4 years ago

Is there a plan for introducing SSL enforcement for frontend connections [mysql client -> proxysql]?

It would be very beneficial to have a bool flag for this, similar to require_secure_transport. Otherwise, we are relying on the client to use --ssl-mode.

If this is already possible, then the documentation needs to be improved.

renecannao commented 4 years ago

mysql_users.use_ssl does that. I checked the documentation, and indeed it doesn't seem well documented. Adding documentation label to this issue.

ivanovaleksandar commented 4 years ago

I am trying to test this, but there is no change in behaviour. Where should I set this option on proxysql's side?

I already tried setting the mysql global var, the server and the user, but none of them has any effect when I explicitly use --ssl-mode=DISABLED, so I can still log in without SSL.

datadir="/var/lib/proxysql"
admin_variables=
{
  admin_credentials="proxysql-admin:adminpass"
  mysql_ifaces="0.0.0.0:6032"
  refresh_interval=2000
}
mysql_variables=
{
  have_ssl=true
  use_ssl=1 
  threads=4
  max_connections=2048
  default_query_delay=0
  default_query_timeout=36000000
  have_compress=true
  poll_timeout=2000
  interfaces="0.0.0.0:6033;/tmp/proxysql.sock"
  default_schema="information_schema"
  stacksize=1048576
  server_version="5.1.30"
  connect_timeout_server=10000
  monitor_history=600
  monitor_connect_interval=20000000
  monitor_ping_interval=20000000
  ping_interval_server_msec=10000
  ping_timeout_server=200
  commands_stats=true
  sessions_sort=true
}
mysql_servers =
(
  { address="1.2.3.4" , port=3306 , hostgroup=10, max_connections=100, use_ssl = 1 }
)
mysql_users =
(
  { username = "myuser" , password = "mypass" , default_hostgroup = 10 , active = 1, use_ssl = 1  }
)

bertho-zero commented 4 years ago

@ivanovaleksandar The equivalent of REQUIRE SSL exists, the equivalent of REQUIRE X509 is missing.

gowrizrh commented 1 year ago

@ivanovaleksandar I stumbled across this and it turns out you'll need to set it as part of the mysql user setup.

mysql_users:
(
    {
        username = "username", password = "password", default_hostgroup = 0, use_ssl = 1
    }
)

kasabov commented 11 months ago

@ivanovaleksandar The equivalent of REQUIRE SSL exists, the equivalent of REQUIRE X509 is missing.

I wanted to point out that @ivanovaleksandar is looking for an equivalent to require_secure_transport.

@ivanovaleksandar, I can confirm that mysql_users.use_ssl is the field that forces TLS connections. See below how a plaintext connection attempt gets rejected by ProxySQL:

$ mysql ... --execute "INSERT OR REPLACE INTO mysql_users (username, password, active, default_hostgroup, use_ssl) VALUES ('alex','alex', 1, 10, 1);"
$ mysql -ualex -palex --disable-ssl
ERROR 1045 (28000): ProxySQL Error: Access denied for user 'alex' (using password: YES). SSL is required
$ mysql -ualex -palex
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 308
Server version: 8.0.25 (ProxySQL)

--disable-ssl is MariaDB's equivalent of MySQL's --ssl-mode=DISABLED. I vote for closing this issue.
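
An added example, not part of the thread or of ProxySQL's own documentation: because enforcement is per user through mysql_users.use_ssl, this admin-interface session audits which frontend users still accept plaintext and then requires TLS for all of them. It assumes the admin interface on port 6032 as in the configuration posted above, and that every frontend user is meant to require TLS.

```sql
-- Run against the ProxySQL admin interface (port 6032 in the config above).

-- 1. Frontend TLS has to be offered before it can be required.
SELECT variable_name, variable_value
FROM runtime_global_variables
WHERE variable_name = 'mysql-have_ssl';

-- 2. Audit what is enforced right now: active frontend users in the
--    RUNTIME table that still accept plaintext connections.
SELECT username, default_hostgroup
FROM runtime_mysql_users
WHERE frontend = 1 AND active = 1 AND use_ssl = 0;

-- 3. Require TLS for every frontend user in the in-memory configuration.
UPDATE mysql_users SET use_ssl = 1 WHERE frontend = 1;

-- 4. Edits to mysql_users are not enforced until they are loaded to
--    runtime; saving to disk keeps them across restarts.
LOAD MYSQL USERS TO RUNTIME;
SAVE MYSQL USERS TO DISK;

-- 5. Re-run the audit. An empty result means no active frontend user
--    can authenticate over a plaintext connection.
SELECT username, default_hostgroup
FROM runtime_mysql_users
WHERE frontend = 1 AND active = 1 AND use_ssl = 0;
```

A user added later without use_ssl = 1 accepts plaintext again, so the audit query in step 2 is worth running periodically or after any change to mysql_users.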