[comment]: # translation:outdated [comment]: # ({f745f323-f745f323}) # 1 MySQL加密配置 [comment]: # ({/f745f323-f745f323}) [comment]: # ({f87c5964-f87c5964}) ### 概述 本文将以CentOS 8.2和MySQL 8.0.21为例,介绍如何配置数据库加密连接。 ::: noteimportant 如果MySQL主机设置为localhost,加密选项将是不可用,这种情况下,Zabbix前端和数据库之间使用socket文件连接(在Unix上)或共享内存(在Windows上),所以不能加密。 ::: ::: noteclassic 加密组合列表不限于本页列出的。还有更多组合可供选择。 ::: [comment]: # ({/f87c5964-f87c5964}) [comment]: # ({30b5ee7b-30b5ee7b}) ### 先决条件 安装MySQL请参照 [official repository](https://dev.mysql.com/downloads/repo/yum/). 有关如何使用 MySQL 存储库的详细信息 请参照[MySQL documentation](https://dev.mysql.com/doc/mysql-yum-repo-quick-guide/en/) MySQL服务器已准备好使用自签名证书接受安全连接. 若想查看哪些用户正在使用加密连接,请运行以下查询 (Performance Schema 选项应打开): mysql> SELECT sbt.variable_value AS tls_version, t2.variable_value AS cipher, processlist_user AS user, processlist_host AS host FROM performance_schema.status_by_thread AS sbt JOIN performance_schema.threads AS t ON t.thread_id = sbt.thread_id JOIN performance_schema.status_by_thread AS t2 ON t2.thread_id = t.thread_id WHERE sbt.variable_name = 'Ssl_version' and t2.variable_name = 'Ssl_cipher' ORDER BY tls_version; [comment]: # ({/30b5ee7b-30b5ee7b}) [comment]: # ({fda36821-fda36821}) ### 所需模式 [comment]: # ({/fda36821-fda36821}) [comment]: # ({7526c47e-9ebeae19}) #### MySQL 配置 当前版本数据库的加密模式已经可以开箱即用 [encryption mode](/manual/appendix/install/db_encrypt#terminology). 将在初始设置及启动后创建服务器端证书. 为主要组件创建用户和角色: mysql> CREATE USER 'zbx_srv'@'%' IDENTIFIED WITH mysql_native_password BY '', 'zbx_web'@'%' IDENTIFIED WITH mysql_native_password BY '' REQUIRE SSL PASSWORD HISTORY 5; mysql> CREATE ROLE 'zbx_srv_role', 'zbx_web_role'; mysql> GRANT SELECT, UPDATE, DELETE, INSERT, CREATE, DROP, ALTER, INDEX, REFERENCES ON zabbix.* TO 'zbx_srv_role'; mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON zabbix.* TO 'zbx_web_role'; mysql> GRANT 'zbx_srv_role' TO 'zbx_srv'@'%'; mysql> GRANT 'zbx_web_role' TO 'zbx_web'@'%'; mysql> SET DEFAULT ROLE 'zbx_srv_role' TO 'zbx_srv'@'%'; mysql> SET DEFAULT ROLE 'zbx_web_role' TO 'zbx_web'@'%'; 注意, X.509 协议不检查标识, 但会将用户设置为仅使用加密连接。配置用户的更多详细信息请参阅MySQL文档 [MySQL documentation](https://dev.mysql.com/doc/refman/8.0/en/create-user.html#create-user-tls)。 运行如下命令以检查连接(socket连接不能用于安全连接测试): $ mysql -u zbx_srv -p -h 10.211.55.9 --ssl-mode=REQUIRED 检查当前状态和可用的密码套件: mysql> status -------------- mysql Ver 8.0.21 for Linux on x86_64 (MySQL Community Server - GPL) Connection id: 62 Current database: Current user: zbx_srv@bfdb.local SSL: Cipher in use is TLS_AES_256_GCM_SHA384 mysql> SHOW SESSION STATUS LIKE 'Ssl_cipher_list'\G; *************************** 1. row *************************** Variable_name: Ssl_cipher_list Value: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:CAMELLIA128-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA 1 row in set (0.00 sec) ERROR: No query specified [comment]: # ({/7526c47e-9ebeae19}) [comment]: # ({68afdcc8-68afdcc8}) #### 前端 要为 Zabbix 前端和数据库之间的连接建立传输加密,请执行以下操作: - 勾选 *Database TLS encryption* - 取消勾选 *Verify database certificate* ![](../../../../../assets/en/manual/appendix/install/encrypt_db_transport.png){width="600"} [comment]: # ({/68afdcc8-68afdcc8}) [comment]: # ({99c0e65b-99c0e65b}) #### 服务端 要为服务端和数据库之间启用连接传输加密,请修改该文件 */etc/zabbix/zabbix\_server.conf*: ... DBHost=10.211.55.9 DBName=zabbix DBUser=zbx_srv DBPassword= DBTLSConnect=required ... [comment]: # ({/99c0e65b-99c0e65b}) [comment]: # ({7dc72c97-fa9ec203}) ### 验证 CA 模式 将所需的MySQL CA复制到Zabbix前端服务器,分配适当的权限以允许Web服务器读取此文件。 ::: noteclassic *Verify CA* 模式在 SLES 12 and RHEL 7 不会生效,因为所在系统的 MySQL 库过老. ::: [comment]: # ({/7dc72c97-fa9ec203}) [comment]: # ({7da64fed-9776435f}) 使用证书验证为 Zabbix 前端和数据库之间的连接启用加密: - 勾选*Database TLS encryption* 和 *Verify database certificate* - 指定数据库 TLS CA 文件的路径 ![](../../../../../assets/en/manual/appendix/install/encrypt_db_verify_ca.png){width="600"} 或者,可以在 */etc/zabbix/web/zabbix.conf.php* 配置: ... $DB['ENCRYPTION'] = true; $DB['KEY_FILE'] = ''; $DB['CERT_FILE'] = ''; $DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem'; $DB['VERIFY_HOST'] = false; $DB['CIPHER_LIST'] = ''; ... 使用命令行工具对用户进行故障排除,以检查所需用户是否可以连接: $ mysql -u zbx_web -p -h 10.211.55.9 --ssl-mode=REQUIRED --ssl-ca=/var/lib/mysql/ca.pem [comment]: # ({/7da64fed-9776435f}) [comment]: # ({a7a54f92-a7a54f92}) #### 服务端 要为Zabbix服务器和数据库之间的连接启用加密和证书验证,请配置 */etc/zabbix/zabbix\_server.conf*: ... DBHost=10.211.55.9 DBName=zabbix DBUser=zbx_srv DBPassword= DBTLSConnect=verify_ca DBTLSCAFile=/etc/ssl/mysql/ca.pem ... [comment]: # ({/a7a54f92-a7a54f92}) [comment]: # ({fa5d4760-fa5d4760}) ### 验证完整模式 [comment]: # ({/fa5d4760-fa5d4760}) [comment]: # ({3839944c-22fb0ddd}) #### MySQL 配置 MySQL CE 请参考如下配置 (*/etc/my.cnf.d/server-tls.cnf*) : [mysqld] ... # in this examples keys are located in the MySQL CE datadir directory ssl_ca=ca.pem ssl_cert=server-cert.pem ssl_key=server-key.pem require_secure_transport=ON tls_version=TLSv1.3 ... MySQL CE服务器和客户端(Zabbix前端)的密钥应根据MySQl CE文档手动创建:[Creating SSL and RSA certificates and keys using MySQL](https://dev.mysql.com/doc/refman/8.0/en/creating-ssl-rsa-files-using-mysql.html) or [Creating SSL certificates and keys using openssl](https://dev.mysql.com/doc/refman/5.7/en/creating-ssl-files-using-openssl.html) ::: noteimportant MySQL服务器证书应设置为包含FQDN的名称,因为Zabbix前端将使用域名与数据库或数据库主机的IP地址进行通信。 ::: 创建MySQL用户: mysql> CREATE USER 'zbx_srv'@'%' IDENTIFIED WITH mysql_native_password BY '', 'zbx_web'@'%' IDENTIFIED WITH mysql_native_password BY '' REQUIRE X509 PASSWORD HISTORY 5; 检查是否可使用该用户登录: $ mysql -u zbx_web -p -h 10.211.55.9 --ssl-mode=VERIFY_IDENTITY --ssl-ca=/var/lib/mysql/ca.pem --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem [comment]: # ({/3839944c-22fb0ddd}) [comment]: # ({122f0dcc-2f3a5c57}) #### 前端 启用加密,并对 Zabbix 前端和数据库之间的连接进行验证: - 检查数据库 TLS 加密并验证数据库证书 - 数据库指定的 TLS 密钥文件路径 - 数据库指定的 TLS CA 文件路径 - 数据库指定的 TLS 证书文件路径 注意,MySQL 这个选项 *Database host verification* 是被选中的并显示为灰色. ::: notewarning 密码列表应当为空,以便前端和服务器可以从两端支持的列表中协商出所需的密码列表。 ::: ![](../../../../../assets/en/manual/appendix/install/encrypt_db_verify_full1.png) 或者可以在此配置 */etc/zabbix/web/zabbix.conf.php*: ... // Used for TLS connection with strictly defined Cipher list. $DB['ENCRYPTION'] = true; $DB['KEY_FILE'] = '/etc/ssl/mysql/client-key.pem'; $DB['CERT_FILE'] = '/etc/ssl/mysql/client-cert.pem'; $DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem'; $DB['VERIFY_HOST'] = true; $DB['CIPHER_LIST'] = 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GC'; ... // 或 ... // Used for TLS connection without Cipher list defined - selected by MySQL server $DB['ENCRYPTION'] = true; $DB['KEY_FILE'] = '/etc/ssl/mysql/client-key.pem'; $DB['CERT_FILE'] = '/etc/ssl/mysql/client-cert.pem'; $DB['CA_FILE'] = '/etc/ssl/mysql/ca.pem'; $DB['VERIFY_HOST'] = true; $DB['CIPHER_LIST'] = ''; ... [comment]: # ({/122f0dcc-2f3a5c57}) [comment]: # ({c0090000-c0090000}) #### 服务端 要为Zabbix服务端和数据库之间启用加密连接并进行完全验证,请配置 */etc/zabbix/zabbix\_server.conf*: ... DBHost=10.211.55.9 DBName=zabbix DBUser=zbx_srv DBPassword= DBTLSConnect=verify_full DBTLSCAFile=/etc/ssl/mysql/ca.pem DBTLSCertFile=/etc/ssl/mysql/client-cert.pem DBTLSKeyFile=/etc/ssl/mysql/client-key.pem ... [comment]: # ({/c0090000-c0090000})