Enabling SSL on MySQL 5.7

Posted by Cann on November 11, 2019


1: Generate the CA, the server and client certificates and the key pairs by running mysql_ssl_rsa_setup from the mysql/bin directory:
    /usr/local/mysql/bin/mysql_ssl_rsa_setup --datadir=/usr/local/mysql/ssl

Note: --datadir sets the directory the generated files are written to (ca.pem, ca-key.pem, server-cert.pem, server-key.pem, client-cert.pem, client-key.pem, plus the private_key.pem/public_key.pem RSA pair). The tool needs the openssl binary on PATH and does not overwrite files that already exist there. The server certificate is self-signed by the generated CA and its CN is an auto-generated name rather than your hostname, which matters for client-side verification later.

2: Edit my.cnf and add the following under [mysqld]; it tells the MySQL server which CA certificate, server certificate and private key to use:
ssl-ca = /usr/local/mysql/ssl/ca.pem
ssl-cert = /usr/local/mysql/ssl/server-cert.pem
ssl-key = /usr/local/mysql/ssl/server-key.pem

Note: to locate my.cnf: mysql --help|grep 'my.cnf'. The user mysqld runs as must be able to read server-key.pem; keep the key readable by that user only.

3: Restart MySQL and run the following to check whether SSL is enabled:
 show variables like '%ssl%'

have_ssl = YES means SSL is enabled. have_ssl = DISABLED means the server was built with SSL support but could not load the files from step 2 (wrong path, or the key is unreadable by the mysqld user); the reason is written to the error log.

4: Require SSL for a given account:
alter user 'username'@'%' require ssl;

Note: REQUIRE SSL only forces the connection to be encrypted; REQUIRE X509 additionally makes the client present a certificate signed by the CA. To enforce encryption for every account instead of per user, set require_secure_transport = ON under [mysqld] (MySQL 5.7.8 and later).

5: Connect to MySQL over SSL from the command line:
mysql -uusername -p --ssl-mode=VERIFY_CA --ssl-ca=/usr/local/mysql/ssl/ca.pem --ssl-cert=/usr/local/mysql/ssl/client-cert.pem --ssl-key=/usr/local/mysql/ssl/client-key.pem

Two details worth keeping: -p without a value prompts for the password instead of leaving it in the process list and shell history, and --ssl-mode=VERIFY_CA makes the client reject a server whose certificate is not signed by ca.pem, so the server is authenticated and not merely encrypted to. Do not use VERIFY_IDENTITY with the certificates from step 1: their CN does not match the hostname, so the handshake fails. Once connected, show status like 'Ssl_cipher' should report a non-empty cipher.
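The five steps above as one re-runnable script, added here as an example and not taken from the original post. The install prefix and SSL directory follow the post; the 'root' admin account, the 'mysql' service user, the APP_USER account and the script name enable-mysql-ssl.sh are assumptions. The helper functions interpret the server's own answers, so the failure modes are caught (have_ssl = DISABLED after a bad path or permission, an empty Ssl_cipher after a connection that silently fell back to plaintext), and server_cert_subject shows the auto-generated CN that makes hostname verification fail with these files, which is also why the Laravel note below ends up disabling server-certificate verification.

```shell
#!/bin/sh
# Added example, not from the original post: the five steps above as one script, with the
# checks run afterwards. The install prefix, SSL directory, the 'root' admin account, the
# 'mysql' service user and the APP_USER account are assumptions; adjust to the installation.
set -eu

MYSQL_BIN="${MYSQL_BIN:-/usr/local/mysql/bin}"   # assumed install prefix (as in the post)
SSL_DIR="${SSL_DIR:-/usr/local/mysql/ssl}"       # where mysql_ssl_rsa_setup writes the PEM files
APP_USER="${APP_USER:-username}"                  # account that will be forced to use SSL
APP_HOST="${APP_HOST:-%}"

# Step 1: CA, server and client certificates and keys. mysql_ssl_rsa_setup does not
# overwrite existing files, so this is safe to re-run. Only mysqld (assumed to run as
# user 'mysql') needs server-key.pem; no key should be world-readable.
generate_certs() {
  mkdir -p "$SSL_DIR"
  "$MYSQL_BIN/mysql_ssl_rsa_setup" --datadir="$SSL_DIR"
  chown mysql:mysql "$SSL_DIR/server-key.pem"
  chmod 600 "$SSL_DIR"/*-key.pem
}

# Step 2: the lines to place under [mysqld]. Printed rather than written so they can be
# reviewed before editing my.cnf.
mysqld_ssl_fragment() {
  printf 'ssl-ca = %s/ca.pem\nssl-cert = %s/server-cert.pem\nssl-key = %s/server-key.pem\n' \
    "$1" "$1" "$1"
}

# Step 3: interpret the output of SHOW VARIABLES LIKE 'have_ssl' (tab-separated
# name<TAB>value lines, as mysql -B prints). Exit status 0: SSL is on. 2: the server has SSL
# support but could not load the files (have_ssl = DISABLED; wrong path or unreadable key,
# details in the error log). 1: no SSL support or the variable is missing.
have_ssl_state() {
  value=$(printf '%s\n' "$1" | awk -F'\t' '$1 == "have_ssl" { print $2 }')
  case "$value" in
    YES)      return 0 ;;
    DISABLED) return 2 ;;
    *)        return 1 ;;
  esac
}

# Step 5 check: the session is actually encrypted only if Ssl_cipher is non-empty.
# Takes the output of SHOW STATUS LIKE 'Ssl_cipher'; prints the cipher, fails if there is none.
session_cipher() {
  cipher=$(printf '%s\n' "$1" | awk -F'\t' '$1 == "Ssl_cipher" { print $2 }')
  [ -n "$cipher" ] || return 1
  printf '%s\n' "$cipher"
}

# Why hostname verification (--ssl-mode=VERIFY_IDENTITY, or PHP's verify-server-cert) fails
# with these files: the generated server certificate's CN is
# "MySQL_Server_<version>_Auto_Generated_Server_Certificate", not the host clients connect to.
# VERIFY_CA only checks the CA signature, so it works.
server_cert_subject() {
  openssl x509 -in "$SSL_DIR/server-cert.pem" -noout -subject
}

main() {
  generate_certs
  echo "Add these lines under [mysqld] (find the file with: mysql --help | grep my.cnf), then restart mysqld:"
  mysqld_ssl_fragment "$SSL_DIR"
  printf 'Press Enter once mysqld has been restarted: '
  read dummy
  # Step 3. A bare -p prompts for the password instead of exposing it in ps and shell history.
  vars=$("$MYSQL_BIN/mysql" -u root -p -B -e "SHOW VARIABLES LIKE 'have_ssl'")
  have_ssl_state "$vars" || {
    echo "SSL is not active (have_ssl = DISABLED or missing); check the mysqld error log" >&2
    exit 1
  }
  # Step 4. REQUIRE SSL forces encryption only; REQUIRE X509 would also demand a client certificate.
  "$MYSQL_BIN/mysql" -u root -p -e "ALTER USER '$APP_USER'@'$APP_HOST' REQUIRE SSL"
  # Step 5. VERIFY_CA authenticates the server against ca.pem; the connection is not just encrypted.
  status=$("$MYSQL_BIN/mysql" -u "$APP_USER" -p -B --ssl-mode=VERIFY_CA \
    --ssl-ca="$SSL_DIR/ca.pem" --ssl-cert="$SSL_DIR/client-cert.pem" --ssl-key="$SSL_DIR/client-key.pem" \
    -e "SHOW STATUS LIKE 'Ssl_cipher'")
  echo "Connected as $APP_USER with cipher: $(session_cipher "$status")"
  server_cert_subject
}

# Run the procedure only when invoked as: sh enable-mysql-ssl.sh run
case "${1:-}" in run) main ;; esac
```

Invoked with the run argument the script performs the whole procedure interactively (it prompts for the root password twice, once for the check and once for ALTER USER); without it only the functions are defined, so they can be sourced and pointed at output captured from another server. The two parsers are deliberately strict: a missing row or an empty cipher is treated as a failure rather than silently passing.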

Laravel configuration for connecting to MySQL over SSL:

        'mysql' => [
            'driver' => 'mysql',
            ...
            'options' => [
                PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false,
                PDO::MYSQL_ATTR_SSL_KEY => '/Users/cann/home/wwwroot/ai_loan_kbb_server/config/certs/mysql/client-key.pem',
                PDO::MYSQL_ATTR_SSL_CERT => '/Users/cann/home/wwwroot/ai_loan_kbb_server/config/certs/mysql/client-cert.pem',
                PDO::MYSQL_ATTR_SSL_CA => '/Users/cann/home/wwwroot/ai_loan_kbb_server/config/certs/mysql/ca.pem',
            ],
        ],

Note 1: PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => false switches off verification of the server's certificate, so the connection is encrypted but the server is not authenticated and anyone in the network path can present their own certificate. The CA to trust is already supplied through MYSQL_ATTR_SSL_CA; verification fails with the files from step 1 because the generated server certificate's CN does not match the hostname the application connects to. Issue a server certificate for that hostname (signed by the same CA) and keep verification enabled; fall back to false only when that is not possible.

Note 2: the certificate and key paths must be absolute paths (in Laravel, base_path() returns an absolute path under the project root). The client key is a credential: keep it outside the public web root and readable only by the user the PHP process runs as.