Zabbix

This is a translation of the original English documentation page. Help us make it better.

1 ?????? ????? MySQL

????? ?????

???? ?? ???? ???? ??????? ?????? ????? ???? CentOS 8.2 ?-MySQL 8.0.21 ??????? ???? ?????? ?????? ????? ???? ????? ?????? ???? ???????.

::: ???? ?? ???? ?? ???? MySQL ????? ?-localhost, ???????? ?????? ?? ???? ????. ????? ?? ??? ??? Zabbix frontend ???? ??? ??????? ????? ????? socket (?-Unix) ?? ??????? ????? (?-Windows) ? ?? ???? ??????. :::

????? ?????? ???????? ???? ??????? ???? ???????? ??? ??. ???? ???? ???? ??????? ??????.

?????? ???????

???? ?? ??? ??????? ?? MySQL ???? .

??? ?????? ???? ?????? ?-MySQL repo.

??? MySQL ???? ???? ??????? ???????? ??????? ????? ????? ????????.

??? ????? ???? ??????? ??????? ?????? ?????, ???? ?? ??????? ????? ?????? (?? ?????? ?? ????? ????????):

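 mysql> SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher, processlist_user AS user, processlist_host AS host
                FROM performance_schema.status_by_thread AS sbt
                JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id
                JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id
                -- Ssl_version / Ssl_cipher are per-session status values; both are empty for a plaintext session
                WHERE sbt.variable_name = 'Ssl_version' AND t2.variable_name = 'Ssl_cipher'
                ORDER BY tls_version;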

??? ????

????? MySQL

?????? ???????? ?? ??? ??????? ?????? ??????? ???? '????' ??? ?????. ? ????? ??? ???? ?????? ???? ?????? ??????? ????????.

??? ??????? ???????? ???? ??????? ????????:

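 mysql> CREATE USER
         'zbx_srv'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>',
         'zbx_web'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>'
         REQUIRE SSL
         PASSWORD HISTORY 5;
        -- '%' lets these accounts log in from any host; narrow it to the Zabbix server / frontend
        -- addresses where possible. mysql_native_password is kept as in the original guide;
        -- caching_sha2_password (the MySQL 8.0 default) also works over TLS.
       
        mysql> CREATE ROLE 'zbx_srv_role', 'zbx_web_role';
       
        -- the server role needs DDL rights (schema upgrades); the frontend role only DML
        mysql> GRANT SELECT, UPDATE, DELETE, INSERT, CREATE, DROP, ALTER, INDEX, REFERENCES ON zabbix.* TO 'zbx_srv_role';
        mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON zabbix.* TO 'zbx_web_role';
       
        mysql> GRANT 'zbx_srv_role' TO 'zbx_srv'@'%';
        mysql> GRANT 'zbx_web_role' TO 'zbx_web'@'%';
       
        -- without a default role the granted privileges are not active at login
        mysql> SET DEFAULT ROLE 'zbx_srv_role' TO 'zbx_srv'@'%';
        mysql> SET DEFAULT ROLE 'zbx_web_role' TO 'zbx_web'@'%';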

???? ??, ???????? X.509 ???? ???? ?????? ????, ??? ?? ?????? ????? ?????? ?? ???????? ???????. ??? ?????? ?????? ?? ????? ???????.

???? ??? ????? ????? (?? ???? ?????? ?????? ??? ?????? ?????? ???????):

 $ mysql -u zbx_srv -p -h 10.211.55.9 --ssl-mode=REQUIRED

???? ?? ???? ?????? ??? ?????? ????? ???????:

 mysql> status
        --------------
        mysql  Ver 8.0.21 for Linux on x86_64 (MySQL Community Server - GPL)
       
        Connection id: 62
        Current database:
        Current user: [email protected]
        SSL: Cipher in use is TLS_AES_256_GCM_SHA384
       
       
        mysql> SHOW STATUS LIKE 'Ssl_cipher_list'\G
        *** 1. ????  **
        Variable_name: Ssl_cipher_list
        RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCMD-SHA256:AES128-GCMD-SHA256 SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-DHE25AES:SHA25A GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE128-A SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:CAMELLIA128-SHA:AES128-GCM-SHA256:AES256-GCM-SHA3684:ASHAES2156:A2684:AES2684:A2684:A2684:A2684:A2684 AES128-SHA
        ???? ??? ??? (0.00 ?????)
       
        ?????????:
        ?? ????? ??????

?????

??? ????? ????? ??????? ???? ???? ??????? ??? Zabbix ???? ??? ???? ???????:

  • ???? ????? TLS ?? ??? ??????
  • ???? ?? ??? ????? ??? ?????? ?? ?????

???

??? ????? ????? ??????? ???? ???? ??????? ??? ??? ?- ?? ??? ???????, ???? ?? /etc/zabbix/zabbix_server.conf:

 ...
        DBHost=10.211.55.9
        DBName=zabbix
        DBUser=zbx_srv
        DBPassword=<strong_password>
        DBTLSConnect=required
        ...

??? ?? ??? CA

???? ?? ?-MySQL CA ????? ???? ????? ?? Zabbix, ???? ???? ?????? ????? ???? ???????? ????? ???? ??.

???? ???? CA ?? ???? ?? SLES 12 ?-RHEL 7 ??? ?????? MySQL ????? ????.

?????

??? ????? ????? ?? ????? ????? ???? ??????? ??? ???? Zabbix ???? ???????:

  • ???? ????? ??? ?????? TLS ?-??? ?? ????? ??? ???????
  • ???? ???? ????? TLS CA ?? ??? ??????

???????, ???? ?????? ??? ?-/etc/zabbix/web/zabbix.conf.php:

 ...
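        $DB['ENCRYPTION'] = true;
        $DB['KEY_FILE'] = '';
        $DB['CERT_FILE'] = '';
        $DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem';
        // verify_ca: the server certificate chain is checked against CA_FILE, but the server
        // hostname is not — any certificate issued by this CA is accepted; see the verify_full
        // example further down for hostname pinning
        $DB['VERIFY_HOST'] = false;
        $DB['CIPHER_LIST'] = '';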
        ...

????? ????? ?? ????? ??????? ??? ???? ?????? ??? ????? ?? ?????? ???? ????? ???? ?????? ?????:

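 $ mysql -u zbx_web -p -h 10.211.55.9 --ssl-mode=VERIFY_CA --ssl-ca=/var/lib/mysql/ca.pem
 # --ssl-mode=REQUIRED only forces TLS and does not use --ssl-ca for verification; VERIFY_CA makes
 # the client reject a server certificate not signed by ca.pem, which is what DBTLSConnect=verify_ca tests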

???

??? ????? ????? ?? ????? ????? ???? ??????? ??? ??? Zabbix ???? ???????, ???? /etc/zabbix/zabbix_server.conf:

 ...
        DBHost=10.211.55.9
        DBName=zabbix
        DBUser=zbx_srv
        DBPassword=<strong_password>
        DBTLSConnect=verify_ca
        DBTLSCAFile=/etc/ssl/mysql/ca.pem
        ...

??? ??? ???

????? MySQL

???? ?????? ????? ??? MySQL CE (/etc/my.cnf.d/server-tls.cnf) ??:

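 [mysqld]
        ...
        # Relative paths are resolved against the MySQL CE datadir, where the
        # auto-generated ca.pem / server-cert.pem / server-key.pem live (original comment garbled; confirm)
        ssl_ca=ca.pem
        ssl_cert=server-cert.pem
        ssl_key=server-key.pem
       
        # Reject any client that does not negotiate TLS
        require_secure_transport=ON
        # TLSv1.3 only. It is available only when the server is linked against OpenSSL 1.1.1+;
        # confirm the effective value with SHOW GLOBAL VARIABLES LIKE 'tls_version'
        tls_version=TLSv1.3
        ...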

?????? ???? ??? ????? MySQL CE (???? Zabbix) ?????? ????? ???? ????? ???? ??? ????? MySQL CE: ???

::: ???? ?? ???? ????? ??? MySQL ???? ????? ?? ??? Common Name ????? ??? FQDN ??? ???? Zabbix ????? ?- ?? DNS ??????? ?? ??? ??????? ?? ????? ?-IP ?? ??? ??????? ????. :::

??? ????? MySQL:

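 mysql> CREATE USER
          'zbx_srv'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>',
          'zbx_web'@'%' IDENTIFIED WITH mysql_native_password BY '<strong_password>'
          -- REQUIRE X509: the client must present a certificate signed by a CA the server trusts (ssl_ca);
          -- REQUIRE SUBJECT '...' / ISSUER '...' can additionally pin which client certificate is accepted
          REQUIRE X509
          PASSWORD HISTORY 5;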

???? ?? ???? ?????? ?? ???? ?????:

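 $ mysql -u zbx_web -p -h 10.211.55.9 --ssl-mode=VERIFY_IDENTITY --ssl-ca=/var/lib/mysql/ca.pem --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem
 # VERIFY_IDENTITY also checks that the host given with -h matches the server certificate's CN/SAN;
 # the client cert/key pair is what REQUIRE X509 on the account demands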

?????

??? ????? ????? ?? ????? ??? ???????? ??? ???? ?-Zabbix ???? ???????:

  • ???? ?? ????? TLS ?? ??? ?????? ???? ?? ????? ??? ???????
  • ???? ???? ????? ???? TLS ?? ??? ??????
  • ???? ???? ????? TLS CA ?? ??? ??????
  • ???? ???? ????? ?????? ?? ??? ?????? TLS

???? ??, ????? ???? ??? ?????? ????? ?????? - ?? ?? ???? ???? ?? ???? ???? MySQL.

::: ???? ????? ????? ?????? ???? ????? ???, ?? ????? ???? ????? ????? ???? ??? ???? ?? ??? ????? ?????? ?? ??? ??? ??????. :::

???????, ???? ?????? ??? ?-/etc/zabbix/web/zabbix.conf.php:

 ...
        // ???? ?????? TLS ?? ????? ???? ?????? ???????.
        $DB['ENCRYPTION'] = true;
        $DB['KEY_FILE'] = '/etc/ssl/mysql/client-key.pem';
        $DB['CERT_FILE'] = '/etc/ssl/mysql/client-cert.pem';
        $DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem';
        $DB['VERIFY_HOST'] = true;
        -AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GC';
        ...
        // or
        ...
        // ???? ?????? TLS ??? ????? ???? ?????? - ???? ?? ??? ??? MySQL
        $DB['ENCRYPTION'] = true;
        $DB['KEY_FILE'] = '/etc/ssl/mysql/client-key.pem';
        $DB['CERT_FILE'] = '/etc/ssl/mysql/client-cert.pem';
        $DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem';
        $DB['VERIFY_HOST'] = true;
        $DB['CIPHER_LIST'] = '';
        ...

???

??? ????? ????? ?? ????? ??? ???????? ??? ??? Zabbix ???? ???????, ???? /etc/zabbix/zabbix_server.conf:

 ...
        DBHost=10.211.55.9
        DBName=zabbix
        DBUser=zbx_srv
        DBPassword=<strong_password>
        DBTLSConnect=verify_full
        DBTLSCAFile=/etc/ssl/mysql/ca.pem
        DBTLSCertFile=/etc/ssl/mysql/client-cert.pem
        DBTLSKeyFile=/etc/ssl/mysql/client-key.pem
        ...