sysown / proxysql

High-performance MySQL proxy with a GPL license.
http://www.proxysql.com
GNU General Public License v3.0

[Feature Request] Enable cert/key/ca pairing at a per instance level #3331

Open eahrend opened 3 years ago

eahrend commented 3 years ago

Hey,

In my current setup with proxysql, it's acting as the proxy to multiple instances, each with their own set of readers/writers, using the username + digest for routing to the correct backend in the mysql_query_rules. I'd like to encrypt traffic to the readers/writers using SSL, with a different cert for each group of readers/writers; however, it looks like proxysql only allows one cert/key pairing to exist and uses it for all backend connections.

If doing this is an anti-pattern and not recommended, that's also acceptable.

Ideally I'd like to have something like:

mysql> SELECT * FROM ssl_variables;
+---------+----------------------------------------+----------+
| id      | file_location                          | type     |
+---------+----------------------------------------+----------+
| 1       | (null)                                 | ca       |
| 2       | /home/certs/one/client-cert.pem        | cert     |
| 3       | /home/certs/one/client-key.pem         | key      |
| 4       | (null)                                 | ca       |
| 5       | /home/certs/two/client-cert.pem        | cert     |
| 6       | /home/certs/two/client-key.pem         | key      |
+---------+----------------------------------------+----------+

mysql> SELECT * FROM mysql_servers;
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+----------+---------+--------+
| hostgroup_id | hostname  | port  | status | weight | compression | max_connections | max_replication_lag | use_ssl | max_latency_ms | ssl_cert | ssl_key | ssl_ca |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+----------+---------+--------+
| 1            | 127.0.0.1 | 3306  | ONLINE | 1      | 0           | 1000            | 0                   | 1       | 0              | 2        | 3       | 0      |
| 2            | 127.0.0.2 | 3306  | ONLINE | 1      | 0           | 1000            | 0                   | 1       | 0              | 5        | 6       | 0      |
| 3            | 127.0.0.3 | 3306  | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              | 0        | 0       | 0      |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+----------+---------+--------+
eahrend commented 3 years ago

Actually, being able to do it at a per-host level is a requirement to enable SSL on Google Cloud SQL, and we're using proxysql to enable read/write splitting on GCP.

Each read replica creates its own CA/KEY/CERT upon request, see https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_ssl_cert

So ideally in the mysql_servers table we should be able to specify a cert/key/ca pairing for each hostname.

EDIT: In a worst case scenario, I can see about making a PR to enable this myself. Are there any docs for getting started in regards to developing for proxysql?
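The per-server pairing sketched in the two comments above, worked through as an added example that is not part of the issue or of ProxySQL itself: it loads the proposed ssl_variables and mysql_servers rows into an in-memory SQLite database, resolves each backend's cert/key/CA ids to file paths, and flags the configurations a reviewer would care about (a use_ssl=1 server whose CA is null, which encrypts but never verifies the backend's identity; cert or key ids of the wrong type; TLS material referenced by a server that still has use_ssl=0). The schema, the helper names and the extra 127.0.0.4 row are assumptions made for the example, not columns ProxySQL's admin interface actually has.

```python
import sqlite3

# Constructed sample rows mirroring the tables sketched in the issue. The
# ssl_variables table and the ssl_cert/ssl_key/ssl_ca columns on mysql_servers
# are the hypothetical per-server schema from the feature request (assumption),
# not something ProxySQL's admin interface exposes today.
SSL_VARIABLES = [
    (1, None, "ca"),  # the "(null)" CA rows from the proposal
    (2, "/home/certs/one/client-cert.pem", "cert"),
    (3, "/home/certs/one/client-key.pem", "key"),
    (4, None, "ca"),
    (5, "/home/certs/two/client-cert.pem", "cert"),
    (6, "/home/certs/two/client-key.pem", "key"),
]

# (hostgroup_id, hostname, port, use_ssl, ssl_cert, ssl_key, ssl_ca); id 0 = not set.
# The 127.0.0.4 row is a deliberately broken entry added for this example
# (cert and key ids swapped, CA pointing at a null row) to exercise the checks.
MYSQL_SERVERS = [
    (1, "127.0.0.1", 3306, 1, 2, 3, 0),
    (2, "127.0.0.2", 3306, 1, 5, 6, 0),
    (3, "127.0.0.3", 3306, 0, 0, 0, 0),
    (4, "127.0.0.4", 3306, 1, 3, 2, 1),
]


def build_db():
    """Create the hypothetical schema in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ssl_variables (
            id            INTEGER PRIMARY KEY,
            file_location TEXT,
            type          TEXT NOT NULL CHECK (type IN ('ca', 'cert', 'key'))
        );
        CREATE TABLE mysql_servers (
            hostgroup_id INTEGER NOT NULL,
            hostname     TEXT    NOT NULL,
            port         INTEGER NOT NULL DEFAULT 3306,
            use_ssl      INTEGER NOT NULL DEFAULT 0,
            ssl_cert     INTEGER NOT NULL DEFAULT 0,
            ssl_key      INTEGER NOT NULL DEFAULT 0,
            ssl_ca       INTEGER NOT NULL DEFAULT 0,
            PRIMARY KEY (hostgroup_id, hostname, port)
        );
    """)
    conn.executemany("INSERT INTO ssl_variables VALUES (?, ?, ?)", SSL_VARIABLES)
    conn.executemany("INSERT INTO mysql_servers VALUES (?, ?, ?, ?, ?, ?, ?)", MYSQL_SERVERS)
    return conn


def resolve_backend_tls(conn):
    """Resolve each server's cert/key/ca ids to file paths and collect
    misconfiguration warnings. Returns {(hostgroup_id, hostname, port): info}."""
    rows = conn.execute("""
        SELECT s.hostgroup_id, s.hostname, s.port, s.use_ssl,
               s.ssl_cert, c.file_location, c.type,
               s.ssl_key,  k.file_location, k.type,
               s.ssl_ca,   a.file_location
        FROM mysql_servers s
        LEFT JOIN ssl_variables c ON c.id = s.ssl_cert
        LEFT JOIN ssl_variables k ON k.id = s.ssl_key
        LEFT JOIN ssl_variables a ON a.id = s.ssl_ca
        ORDER BY s.hostgroup_id, s.hostname, s.port
    """)
    resolved = {}
    for (hg, host, port, use_ssl,
         cert_id, cert, cert_type,
         key_id, key, key_type,
         ca_id, ca) in rows:
        warnings = []
        if use_ssl:
            # A client cert/key pair is what lets the backend authenticate us.
            if cert_type != "cert" or cert is None:
                warnings.append(f"ssl_cert id {cert_id} does not resolve to a client cert")
            if key_type != "key" or key is None:
                warnings.append(f"ssl_key id {key_id} does not resolve to a client key")
            # Without a CA the TLS session is encrypted but the backend's
            # identity is never checked, so a MITM with any cert would pass.
            if ca is None:
                warnings.append("no CA file: backend identity is not verified, "
                                "use_ssl only encrypts the connection")
        elif cert_id or key_id or ca_id:
            warnings.append("TLS material referenced but use_ssl=0: "
                            "connections to this backend stay plaintext")
        resolved[(hg, host, port)] = {
            "use_ssl": bool(use_ssl), "cert": cert, "key": key, "ca": ca,
            "warnings": warnings,
        }
    return resolved


if __name__ == "__main__":
    for server, info in resolve_backend_tls(build_db()).items():
        print(server, info["cert"], info["key"], info["ca"])
        for w in info["warnings"]:
            print("   WARNING:", w)
```

Run as a script it prints one line per backend plus its warnings; the two servers from the issue resolve cleanly except for the null CA, which is the check worth keeping in mind if this feature lands: use_ssl=1 with a per-instance client cert is only mutual authentication when the per-instance CA is set as well.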

shameemshah commented 10 months ago

I'm also encountering the same issue. Any guidance or help would be greatly appreciated.