triadadrug.blogg.se - Stunnel with myslq

#Stunnel with myslq install#
#Stunnel with myslq update#
#Stunnel with myslq software#

The client does not require a SSL certificate create the client oriented config file that accepts a connection on local port 3307 and talks to the remote stunnel on 3307: /etc/stunnel/nf chroot = /var/run/stunnel4 Assuming MariaDB is up and running, start and enable the stunnel service: systemctl start stunnel Tailor the ACL on your firewall(s) as needed to meet your desired security posture. Last, as appropriate open up an iptables/firewalld/ufw rule that allows the client to connect on port 3307 a very basic iptables rule with no port restrictions would look like: -A INPUT -p tcp -m tcp -s 9.8.7.6 -dport 3307 -j ACCEPT # stunnel 4.56 (CentOS 7) supports both TLSv1 and TSLv1.2 # stunnel 4.53 (Ubuntu 14) only supports TSLv1 not TLSv1.2 Next, create the stunnel server oriented config file in our example we're using MariaDB so we'll choose the ports accordingly to have stunnel accept the connection on the public IP port 3307, then pass the connection to the localhost port 3306: /etc/stunnel/nf chroot = /var/run/stunnel openssl req -new -newkey rsa:2048 -days 3650 \ Ubuntu creates the stunnel4 user and group, and /var/run/stunnel4 directory as part of the package.įirst, create a basic self-signed certificate to use on the server if a real SSL cert is available from a certificate authority it can be used, however a self-signed cert works for the basic point-to-point setup.

#Stunnel with myslq update#

Next, update /etc/default/stunnel4 to enable it at boot: sed -i -e 's/^ENABLED=0/ENABLED=1/' /etc/default/stunnel4

#Stunnel with myslq install#

Lastly, create the systemd unit file to run stunnel as a service: cat /etc/systemd/system/rviceĭescription=SSL tunnel for network daemonsįirst install the base package: apt-get update & apt-get install stunnel # the tmpfiles.d configuration to recreate the directory on reboot:Įcho "d /var/run/stunnel 0770 stunnel stunnel -" > /etc/tmpfiles.d/nf

Useradd -r -m -d /var/run/stunnel -s /bin/false stunnel

#Stunnel with myslq software#

Next, create a user and directories to run the software - on this platform the RPM package does not create the user or directories: # the user and directory for immediate use: RHEL / CentOS 7 as Serverįirst install the base package: yum install stunnel In these examples with CentOS 7 and Ubuntu 14 the package is readily available for both in the base repositories. The stunnel package may be a part of the base distribution or it may be required to use a third party repository such as EPEL or a PPA to obtain. MariaDB traffic will travel over the stunnel proxy, so they should not listen on the public IPs for security best practices. stanza on the slave to match the user created in note 1

Remember to use MASTER_HOST='localhost' in your CHANGE MASTER TO.

For both master and slave MariaDB instances, implement bind-address = 127.0.0.1 to lock the daemons to localhost.

stanza for the user, use not the actual IP of the remote slave like you would normally.

On the MariaDB master GRANT REPLICATION SLAVE ON.

This wiki will not cover setting up MariaDB replication as it's a standard, by the book process however two notes: Two different Linux distributions will be used to verify the technology is agnostic.Īctual public IPs would be used in implementation as appropriate. One server is located in one area of the USA, the second server in another USA region, and standard public IPv4 networking to connect the two servers. In this wiki, a traditional MariaDB replication configuration will be used to exemplify use as compatible version 5.5.x is available on both distributions. The daemon software connects to a localhost port, the connection is proxied over the SSL tunnel, then handed to the server localhost port as defined. One (or more) endpoint is run in server mode, the other endpoint is run in client mode. Stunnel is a SSL proxy designed to add TLS encryption to existing clients and servers without changes to the daemon's themselves.