nginx ssl proxy for mysql
Posted by BMX
|
nginx ssl proxy for mysql January 28, 2024 07:14AM |
Registered: 2 years ago Posts: 6 |
I successfully configured nginx as proxy for raw TCP connection and MQTT broker which handles SSL/TLS connection. In other words, nginx makes the SSL handshake and decryption and TCP/MQTT server/broker works in non-ssl mode. Following is configuration in short:
stream {
# raw TCP stream
server {
listen 6000 ssl;
proxy_pass 127.0.0.1:6001;
}
# MQTT
server {
listen 8883 ssl;
proxy_pass 127.0.0.1:1883;
}
}
I want to make the same with MySQL server but for some reason it is not working. I know MySQL server has SSL support but I want to do it in nginx proxy and forward traffic unencrypted to port 3306.
stream {
# raw TCP stream
server {
listen 6000 ssl;
proxy_pass 127.0.0.1:6001;
}
# MQTT
server {
listen 8883 ssl;
proxy_pass 127.0.0.1:1883;
}
}
I want to make the same with MySQL server but for some reason it is not working. I know MySQL server has SSL support but I want to do it in nginx proxy and forward traffic unencrypted to port 3306.
|
Re: nginx ssl proxy for mysql February 08, 2024 07:24PM |
Registered: 2 months ago Posts: 5 |
To configure NGINX as an SSL proxy for a MySQL server, similar to how you've done for raw TCP and MQTT, you'll need to set up an SSL/TLS termination proxy within the NGINX stream context. This setup allows NGINX to handle the SSL handshake and decryption, then forward the unencrypted traffic to the MySQL server listening on a non-SSL port (default is 3306).
Your existing configuration for raw TCP and MQTT looks correct, and you can extend this approach for MySQL. However, there are a few nuances to consider when proxying database protocols like MySQL, as they can be more complex and sensitive to network behaviors than simpler TCP or MQTT protocols.
Here's a basic configuration to get you started with NGINX as an SSL proxy for MySQL:
nginx
Copy code
stream {
# Existing configurations for raw TCP and MQTT...
# MySQL SSL Proxy Configuration
server {
listen 6443 ssl; # Listening on port 6443 for SSL MySQL connections
proxy_pass 127.0.0.1:3306; # Forwarding to the local MySQL server on its default port
# SSL Configuration
ssl_certificate /path/to/ssl_certificate.pem; # Path to your SSL certificate
ssl_certificate_key /path/to/ssl_certificate_key.pem; # Path to your SSL certificate key
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
# Strong SSL Security Settings (adjust according to your security policy)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
}
Important Considerations:
Port Selection: The listen directive specifies the port NGINX will use to accept SSL connections for MySQL. Port 6443 is used here as an example, but you can choose any appropriate port that's not in use by another service.
SSL Certificates: You must specify your SSL certificate and key files using ssl_certificate and ssl_certificate_key directives. Ensure these are correctly set up and point to valid files.
SSL Parameters: Adjust the SSL settings (ssl_protocols, ssl_ciphers, etc.) according to your security requirements and compliance standards. The example above uses strong security settings, but these should be tailored to your specific needs.
MySQL Client Configuration: Ensure that MySQL clients are configured to connect using SSL and point to the NGINX proxy port (e.g., 6443 in this example) rather than directly to the MySQL server's port (3306).
Testing and Troubleshooting: After applying the configuration, restart NGINX and test the setup using a MySQL client that supports SSL connections. If you encounter issues, check NGINX's error logs (error.log) for clues and ensure that the MySQL server is configured to accept connections on 127.0.0.1:3306.
Security: By decrypting SSL at the proxy, traffic between NGINX and the MySQL server will be unencrypted. Ensure that this communication happens in a secure network environment to prevent unauthorized access.
This configuration should serve as a starting point. Depending on your environment and requirements, further tuning and adjustments might be necessary.
Your existing configuration for raw TCP and MQTT looks correct, and you can extend this approach for MySQL. However, there are a few nuances to consider when proxying database protocols like MySQL, as they can be more complex and sensitive to network behaviors than simpler TCP or MQTT protocols.
Here's a basic configuration to get you started with NGINX as an SSL proxy for MySQL:
nginx
Copy code
stream {
# Existing configurations for raw TCP and MQTT...
# MySQL SSL Proxy Configuration
server {
listen 6443 ssl; # Listening on port 6443 for SSL MySQL connections
proxy_pass 127.0.0.1:3306; # Forwarding to the local MySQL server on its default port
# SSL Configuration
ssl_certificate /path/to/ssl_certificate.pem; # Path to your SSL certificate
ssl_certificate_key /path/to/ssl_certificate_key.pem; # Path to your SSL certificate key
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
# Strong SSL Security Settings (adjust according to your security policy)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
}
Important Considerations:
Port Selection: The listen directive specifies the port NGINX will use to accept SSL connections for MySQL. Port 6443 is used here as an example, but you can choose any appropriate port that's not in use by another service.
SSL Certificates: You must specify your SSL certificate and key files using ssl_certificate and ssl_certificate_key directives. Ensure these are correctly set up and point to valid files.
SSL Parameters: Adjust the SSL settings (ssl_protocols, ssl_ciphers, etc.) according to your security requirements and compliance standards. The example above uses strong security settings, but these should be tailored to your specific needs.
MySQL Client Configuration: Ensure that MySQL clients are configured to connect using SSL and point to the NGINX proxy port (e.g., 6443 in this example) rather than directly to the MySQL server's port (3306).
Testing and Troubleshooting: After applying the configuration, restart NGINX and test the setup using a MySQL client that supports SSL connections. If you encounter issues, check NGINX's error logs (error.log) for clues and ensure that the MySQL server is configured to accept connections on 127.0.0.1:3306.
Security: By decrypting SSL at the proxy, traffic between NGINX and the MySQL server will be unencrypted. Ensure that this communication happens in a secure network environment to prevent unauthorized access.
This configuration should serve as a starting point. Depending on your environment and requirements, further tuning and adjustments might be necessary.
|
Re: nginx ssl proxy for mysql February 09, 2024 02:23AM |
Registered: 2 years ago Posts: 6 |
|
Re: nginx ssl proxy for mysql February 09, 2024 05:14AM |
Admin Registered: 11 years ago Posts: 1,297 |
BMX Wrote:
-------------------------------------------------------
> OK, but this does not work. It seems that start of MySQL SSL handshake
> is not standard and cannot be replaced by nginx SSL session.
From the client side you access 127.0.0.1:3306 which is captured by something like stunnel, stunnel connects to your SSL terminating nginx (port forwarding mysql traffic), nxing passes on to the backend to port 3306 where mysql is.
From mysql's point of view it won't see any ssl.
---
nginx for Windows http://nginx-win.ecsds.eu/
-------------------------------------------------------
> OK, but this does not work. It seems that start of MySQL SSL handshake
> is not standard and cannot be replaced by nginx SSL session.
From the client side you access 127.0.0.1:3306 which is captured by something like stunnel, stunnel connects to your SSL terminating nginx (port forwarding mysql traffic), nxing passes on to the backend to port 3306 where mysql is.
From mysql's point of view it won't see any ssl.
---
nginx for Windows http://nginx-win.ecsds.eu/
|
Re: nginx ssl proxy for mysql February 10, 2024 05:29AM |
Registered: 2 years ago Posts: 6 |
itpp2012 Wrote:
-------------------------------------------------------
> BMX Wrote:
> -------------------------------------------------------
> > OK, but this does not work. It seems that start of MySQL SSL
> handshake
> > is not standard and cannot be replaced by nginx SSL session.
>
> From the client side you access 127.0.0.1:3306 which is captured by
> something like stunnel, stunnel connects to your SSL terminating nginx
> (port forwarding mysql traffic), nxing passes on to the backend to
> port 3306 where mysql is.
>
> From mysql's point of view it won't see any ssl.
The initial idea was this: MySQL client initiates SSL connection. Instead of direct connection with MySQL server, it connects to Nginx stream proxy with SSL and then Nginx redirects plain MySQL protocol to MySQL server. This works for other services like MQTT, etc.
About stunnel idea - I know that it is possible, also SSH/autossh tunnel when MySQL client and server do not use SSL and encryption is made by tunnel. Unfortunately this may not work good in case of TCP packet loss.
PS: Not sure about stunnel you mention - why it goes over Nginx/SSL and not directly to remote side (mysql port)?
Edited 1 time(s). Last edit at 02/10/2024 05:34AM by BMX.
-------------------------------------------------------
> BMX Wrote:
> -------------------------------------------------------
> > OK, but this does not work. It seems that start of MySQL SSL
> handshake
> > is not standard and cannot be replaced by nginx SSL session.
>
> From the client side you access 127.0.0.1:3306 which is captured by
> something like stunnel, stunnel connects to your SSL terminating nginx
> (port forwarding mysql traffic), nxing passes on to the backend to
> port 3306 where mysql is.
>
> From mysql's point of view it won't see any ssl.
The initial idea was this: MySQL client initiates SSL connection. Instead of direct connection with MySQL server, it connects to Nginx stream proxy with SSL and then Nginx redirects plain MySQL protocol to MySQL server. This works for other services like MQTT, etc.
About stunnel idea - I know that it is possible, also SSH/autossh tunnel when MySQL client and server do not use SSL and encryption is made by tunnel. Unfortunately this may not work good in case of TCP packet loss.
PS: Not sure about stunnel you mention - why it goes over Nginx/SSL and not directly to remote side (mysql port)?
Edited 1 time(s). Last edit at 02/10/2024 05:34AM by BMX.
|
Re: nginx ssl proxy for mysql February 10, 2024 06:20AM |
Admin Registered: 11 years ago Posts: 1,297 |
BMX Wrote:
-------------------------------------------------------
> The initial idea was this: MySQL client initiates SSL connection.
> Instead of direct connection with MySQL server, it connects to Nginx
> stream proxy with SSL and then Nginx redirects plain MySQL protocol to
> MySQL server. This works for other services like MQTT, etc.
If SSL from MySQL client <> how nginx deals with SSL, (which is 50% of cases) your need some other way (client) to get to nginx as a stream over ssl.
How a close look at the ssl logs on both ends to compile a proper google search.
---
nginx for Windows http://nginx-win.ecsds.eu/
-------------------------------------------------------
> The initial idea was this: MySQL client initiates SSL connection.
> Instead of direct connection with MySQL server, it connects to Nginx
> stream proxy with SSL and then Nginx redirects plain MySQL protocol to
> MySQL server. This works for other services like MQTT, etc.
If SSL from MySQL client <> how nginx deals with SSL, (which is 50% of cases) your need some other way (client) to get to nginx as a stream over ssl.
How a close look at the ssl logs on both ends to compile a proper google search.
---
nginx for Windows http://nginx-win.ecsds.eu/
|
Re: nginx ssl proxy for mysql February 14, 2024 04:29PM |
Registered: 2 years ago Posts: 6 |
Sorry, only registered users may post in this forum.
Online Users
Guests:
277
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|