The instructions on the Percona website provide the details for installing Percona Server. Note: you can use either HAProxy Community or HAProxy Enterprise with these instructions.
Mysql create user network mask how to#
Now here’s the good part: how to install, configure and use the Proxy protocol with a MySQL database. Using the Proxy Protocol for a More Secure Database With the Proxy protocol, you can maintain better privilege segregation between databases even if an attacker manages to get the password for a MySQL user dedicated to another client.
The second security issue you may face from seeing the incorrect IP address is that MySQL grants can no longer allow just one client to use a given username if it is allowed to access MySQL through the HAProxy server via its firewall/ACL’s, as to MySQL all IP’s look the same. You could review the HAProxy logs for activity that occurred around the indicated time to identify the host, but this approach is usually impractical due to the delay between the timestamps of the HAProxy and MySQL logs. The above example shows that a host on or behind the HAProxy server at 192.168.122.64 has issued a query that is suspicious or has performance issues, but we can’t identify the host. Consider the following entry from a slow query log: # Time: T21:56:07.640875Z Source IPs with the proxy protocol The Database Security ProblemĪn HAProxy server running without the Proxy protocol can create a couple security problems when you grant users access to the MySQL servers behind it.įirst, Slow query logs and “show full processlist” commands on a MySQL server behind an HAProxy server that isn’t running the Proxy protocol won’t show the correct IP addresses of the clients, making it more difficult to identify hosts which are sending unoptimized, incorrect or queries injected via SQLi.
0 kommentar(er)
