Client to ProxySQL SSL solutions?


aaron.i...@gmail.com

Nov 14, 2016, 12:40:34 PM
to proxysql
Hi,

I need to have SSL between our client servers and ProxySQL.  Our current setup uses MySQL SSL connections between our client servers and MySQL.  This fails, of course, with the introduction of ProxySQL, because it only handles SSL between it and MySQL.  I have that SSL configuration working fine, but I'm wondering what are the best options to fill my SSL gap.  I understand that we will need to stop using our current MySQL SSL connections for this to work, which is fine as long as we have an alternative.

The options I know of are things like stunnel and SSH tunneling.  HAProxy sounds like it's an option but haven't been able to understand how that works as of yet.  Another option I heard of, along the same lines, is NGinx acting as an SSL proxy, but I'm a bit clueless on that front.

Our client servers are a mixed OS environment: we have Windows, CentOS and some flavour of Debian.  stunnel seems like a good choice here because there are installable binaries readily available for Windows and Linux, but that introduces a bit of a configuration and monitoring headache.  SSH tunneling is a better-performing choice than stunnel, but has the same caveat.  Every example I've tried to get my head around for HAProxy SSL has seemed like black magic.  We have an NGinx SSL proxy in place for something else, so using that should save some effort, but it's not something I've used or looked at.

Any suggestions and or recommendations would be greatly appreciated.

Thanks,

Aaron

René Cannaò

Nov 14, 2016, 2:12:39 PM
to aaron.i...@gmail.com, proxysql
Aaron,

Unfortunately my feedback on this one will be very short, as I have no experience with HAProxy SSL or NGINX SSL.
SSH tunneling and stunnel sound like an easy approach.

What is your architecture? Running ProxySQL on the client will remove the need for SSL, as it can use a Unix domain socket, but it will still be problematic for Windows clients.

Unfortunately, although support for SSL on client connections is in the roadmap, there is no ETA for it.

Thanks,
René



--
You received this message because you are subscribed to the Google Groups "proxysql" group.
To unsubscribe from this group and stop receiving emails from it, send an email to proxysql+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

aaron.i...@gmail.com

Nov 14, 2016, 3:02:48 PM
to proxysql, aaron.i...@gmail.com
Hi René,

Thanks for the quick response.

Yeah, my problem with ProxySQL on the client is that some of our client servers are running Windows, or else I'd go that route.

Sadly my own experience with proxying anything is minimal.

I'm in the process of researching a solution for this and figured I'd post here in hopes of encountering either a simple solution or alternatives to what I have been looking at.

The NGinx SSL proxy solution seems simple and straightforward enough based on what I've seen so far.  A bit of testing will verify that.

I'll post back with a summary of whatever I end up going with in the hope it can help anyone else between now and when the proper client SSL implementation comes about in ProxySQL.

Thanks,

Aaron

aaron.i...@gmail.com

Nov 14, 2016, 5:05:14 PM
to proxysql, aaron.i...@gmail.com

This appears to be working, though the link I provided previously is for setting up an SSL proxy when SSL termination is what's needed.

In my scenario, we have nginx and ProxySQL running on the same server which is sitting between the client servers and the database.

Here's a better link for setting up SSL termination in nginx, which I use for the inbound SSL client connection before the local handoff to ProxySQL.

In my case I have nginx set up with

stream {

    upstream backend {
        # ProxySQL's MySQL-protocol listener on the same host
        server 127.0.0.1:3308;
    }

    server {
        # NOTE: without the "ssl" parameter nginx proxies this port as plain
        # TCP and the ssl_* directives below are never used; "listen 3306 ssl;"
        # is what makes nginx terminate TLS here.  Even then a stock MySQL
        # client cannot use it: it waits for the plaintext server greeting and
        # starts TLS inside the MySQL protocol, so a TLS-first listener only
        # works for clients that wrap the socket themselves (e.g. via stunnel).
        listen     3306;
        proxy_pass backend;

        ssl_certificate         /etc/ssl/certs/server-cert.pem;
        ssl_certificate_key     /etc/ssl/certs/server-key.pem;
        # SSLv3 dropped from the original list: it is obsolete (RFC 7568) and
        # must not be offered
        ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers             HIGH:!aNULL:!MD5;
    }
}

and ProxySQL listening for connections on 127.0.0.1:3308.

This was definitely the easiest setup for me to understand.

Cheers,

Aaron

René Cannaò

Nov 14, 2016, 5:09:20 PM
to aaron.i...@gmail.com, proxysql
Aaron,

Can you blog about it? :-)
Others may find it useful.

Thanks,
René


jpa...@resultsgeneration.com

Feb 14, 2017, 11:18:48 AM
to proxysql, aaron.i...@gmail.com
It would be nice to know if it really did work. What was posted for configs will not have Nginx using SSL; I tested it, and MySQL falls back to non-encrypted with those configs. When I add "ssl" after the port on the listen line, the MySQL client does not seem to understand the response and does not continue the SSL handshake. Not sure what to do to fix it, as I have tried everything I can think of and cannot seem to even find any logging related to this; the only way I was able to confirm what is happening is by running packet captures. I would really like a setup like this, not only for ProxySQL, but also just to have SSL offloaded from MySQL servers and to be able to update and change SSL configuration without having to take everything down and restart MySQL.

Aaron Morand

Feb 14, 2017, 3:47:00 PM
to jpa...@resultsgeneration.com, proxysql
Greetings,

When I tested this, I created a test user which could only connect via SSL to ensure it worked.
CREATE USER 'ssl_tester'@'%' REQUIRE SSL;
This way I knew it was enforcing SSL and that it will not work without it.

Perhaps you could share a bit more information to help me get a clearer picture of your setup and test case?

From what you're describing, it sounds like either your server isn't configured for SSL or perhaps there is something wrong with the certificate and/or key files there.

Cheers,

Aaron

Jeff Parker

Feb 14, 2017, 4:16:22 PM
to Aaron Morand, proxysql

Here is what I believe is going on with your setup.

  1. You have a user that requires SSL.
  2. ProxySQL connects to your MySQL server over SSL which satisfies this
  3. The connection from ProxySQL to Nginx is unencrypted and client to Nginx is unencrypted.

The reason I think this is the case is because REQUIRE SSL is handled by the MySQL server and requires the server to handle the SSL handshake. In your attempted setup Nginx is supposed to be handling it which would not be seen as encrypted by the MySQL server or ProxySQL. Also without the ssl keyword in the Nginx config the stream is not going to be performing the SSL handshake.

This can be tested by setting the client to require SSL (I am on MySQL 5.6, which is "--ssl-mode=REQUIRED" on the command line).
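The check Jeff describes doing with packet captures, and the nginx configuration Aaron posted, both turn on one protocol detail: MySQL negotiates TLS inside its own protocol, after a plaintext server greeting, so the only way to know what a client actually gets on port 3306 is to look at the first bytes the listener sends. The script below is an added example (not code from this thread, nor from the ProxySQL or nginx projects) that does exactly that: it parses the Handshake-v10 greeting for the CLIENT_SSL capability bit and, if no greeting arrives, tries a bare TLS handshake to detect a TLS-first listener such as nginx with "listen 3306 ssl;". It also covers the REQUIRE SSL point above: a server-side check only reports on the hop that server terminates, whereas this probe looks at the hop the client sees. The host name in the usage comment, the build_greeting helper and its sample packets are constructed for illustration.

```python
"""Probe what a MySQL-protocol listener actually offers a client.

Added example; not code from this thread, ProxySQL or nginx.

MySQL negotiates TLS inside its own protocol: the server first sends a
plaintext Handshake-v10 greeting whose capability flags advertise
CLIENT_SSL (0x0800), the client answers with an SSLRequest packet, and only
then does the TLS handshake start.  Two consequences for a proxy setup:

  * a greeting without CLIENT_SSL cannot be upgraded to TLS at all
    (a client run with --ssl-mode=REQUIRED will refuse to continue), and
  * a listener that speaks TLS first (nginx "listen 3306 ssl;") never
    sends a greeting, so a stock MySQL client hangs waiting for one; only a
    client that wraps the socket in TLS itself (e.g. via stunnel) can use it.
"""
import socket
import ssl
import struct
import sys

CLIENT_SSL = 0x0800  # capability bit: server accepts an SSLRequest packet


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a listener sent.

    Returns {'kind': 'mysql-greeting', 'tls_offered': bool, 'server_version': str}
    for a Handshake-v10 greeting, or {'kind': 'unknown', 'tls_offered': None}.
    """
    unknown = {"kind": "unknown", "tls_offered": None}
    if len(data) < 5:
        return unknown
    # MySQL packet header: 3-byte little-endian payload length, 1-byte sequence id
    length = data[0] | (data[1] << 8) | (data[2] << 16)
    payload = data[4:4 + length]
    if not payload or payload[0] != 0x0A:  # 0x0A = protocol version 10
        return unknown
    try:
        nul = payload.index(b"\x00", 1)  # server_version is NUL-terminated
        version = payload[1:nul].decode("ascii", "replace")
        pos = nul + 1 + 4 + 8 + 1  # skip connection id, auth-data part 1, filler
        (cap_lower,) = struct.unpack_from("<H", payload, pos)
    except (ValueError, struct.error):
        return unknown
    return {"kind": "mysql-greeting",
            "tls_offered": bool(cap_lower & CLIENT_SSL),
            "server_version": version}


def build_greeting(server_version: str, cap_lower: int) -> bytes:
    """Build a minimal Handshake-v10 packet (constructed sample input, not a capture)."""
    payload = (b"\x0a"
               + server_version.encode("ascii") + b"\x00"
               + struct.pack("<I", 42)          # connection id
               + b"A" * 8                        # auth-plugin-data-part-1
               + b"\x00"                         # filler
               + struct.pack("<H", cap_lower)    # capability flags, lower 16 bits
               + b"\x21"                         # character set
               + struct.pack("<H", 0x0002)       # status flags (autocommit)
               + struct.pack("<H", 0x0000)       # capability flags, upper 16 bits
               + b"\x15"                         # auth plugin data length
               + b"\x00" * 10                    # reserved
               + b"B" * 13                       # auth-plugin-data-part-2
               + b"mysql_native_password\x00")
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect, read what the listener sends first, and classify it.

    If nothing arrives, the listener may be waiting for a TLS ClientHello;
    reconnect and try a bare TLS handshake to detect that case.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            first = sock.recv(4096)
        except socket.timeout:
            first = b""
    if first:
        return classify_first_bytes(first)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only asking whether it speaks TLS, not verifying identity
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"kind": "tls-first", "tls_offered": None, "protocol": tls.version()}
    except (ssl.SSLError, OSError):
        return {"kind": "unknown", "tls_offered": None}


if __name__ == "__main__":
    # e.g. python probe_mysql_tls.py proxysql.internal 3306   (hypothetical host)
    host, port = sys.argv[1], int(sys.argv[2])
    result = probe(host, port)
    print(result)
    if result["kind"] == "mysql-greeting" and not result["tls_offered"]:
        print("client hop is plaintext: the greeting does not advertise CLIENT_SSL")
```

Run it against the port your applications connect to, not against the MySQL server behind the proxy. A greeting without CLIENT_SSL means REQUIRE SSL on the MySQL user is being satisfied by the proxy-to-MySQL hop alone; a "tls-first" result means the listener is terminating TLS in a way that only a client-side TLS wrapper can consume.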

Aaron Morand

Feb 14, 2017, 4:39:42 PM
to Jeff Parker, proxysql
Sorry, I haven't looked at this in some time and am not using this configuration.  You're right, using REQUIRE SSL on the user would only guarantee the connection between ProxySQL and the MySQL server would be under SSL.

The configuration I had was this :
MySQL Client ( Web Server ) connecting to a local instance of Nginx, insecure, but only locally.
I used SSL via Nginx to get SSL between the Client and ProxySQL.

Forcing your client connection to use SSL will fail as ProxySQL doesn't (or didn't when I was testing this) support SSL client side connections.

This was all a workaround to get full SSL coverage between the client and the server through ProxySQL.

Cheers,

Aaron

Ka'i Kau

Aug 6, 2018, 6:49:25 PM
to proxysql
Bump. 

As of now, is this the recommended method for client SSL, or is v2.0.0 without enough issues that it is worth using?

Thanks in advance

René Cannaò

Aug 6, 2018, 8:35:42 PM
to proxysql
ProxySQL 2.0.0 does support client-side SSL.

Thanks


Ka'i Kau

Aug 6, 2018, 9:05:13 PM
to proxysql