Added port forwarding on the old server, so that connections to its public address on port 3306 are handed to the new server's MySQL at 172.16.1.21:
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth-ext -d 83.227.241.4 --dport 3306 -j DNAT --to 172.16.1.21:3306
/sbin/iptables -A FORWARD -p tcp -i eth-ext --dport 3306 -j ACCEPT
Two things to keep in mind with these rules: the FORWARD rule accepts forwarded port 3306 traffic to any internal host, not only 172.16.1.21, so add -d 172.16.1.21 to it if the internal network has other MySQL servers; and if the FORWARD chain's policy is DROP, the reply packets need a rule like -m state --state ESTABLISHED,RELATED -j ACCEPT as well. From this point on MySQL on the new server is reachable from the internet, which is why the rest of the setup is about SSL.
Now the new server's MySQL must listen on more than 127.0.0.1: comment out the bind-address line in /etc/mysql/my.cnf, which makes mysqld bind to all addresses. Binding it to 172.16.1.21 only would also work for the forwarded connections and keeps it off any other interface; either way, the firewall above and the REQUIRE SSL grants below are now all that stands between the internet and the server.
Followed the instructions here to create SSL certificates for MySQL:
http://dev.mysql.com/doc/refman/5.0/en/secure-create-certs.html
Copy the generated files to /etc/mysql under the names used by the ssl-ca, ssl-cert and ssl-key lines in /etc/mysql/my.cnf (the names in that file may differ from the ones in the manual, so check them). The server key should be readable by the mysql user only (chown mysql, chmod 600).
Uncomment the ssl lines in /etc/mysql/my.cnf.
Restart mysql, then confirm that SSL support is actually on with SHOW VARIABLES LIKE 'have_%ssl'; it should say YES, not DISABLED.
Then changed the grants so that external MySQL connections require SSL. My user exists as three accounts:
erl@%
erl@localhost
erl@172.16.%.%
Only the first one matters for the port forward: connections arriving through it come from the external client's address, which matches '%' only, while localhost connections never cross the network and 172.16.%.% is the internal network. In a mysql command-line session, run:
SHOW GRANTS FOR 'erl'@'%';
This will show something like:
+------------------------------------------------------------------------------------------+
| Grants for erl@%                                                                         |
+------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'erl'@'%' IDENTIFIED BY PASSWORD '*XXX' WITH GRANT OPTION |
+------------------------------------------------------------------------------------------+
Re-issue the statement with REQUIRE SSL added after the IDENTIFIED BY clause and before WITH GRANT OPTION:
GRANT ALL PRIVILEGES ON *.* TO 'erl'@'%' IDENTIFIED BY PASSWORD '*XXX' REQUIRE SSL WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
The MAX_* 0 clauses are the defaults (no limit) and can be left out. Run SHOW GRANTS again afterwards and check that REQUIRE SSL now appears in the output. Note also what this account is: ALL PRIVILEGES on every database, from every host, WITH GRANT OPTION. SSL protects the password and the data in transit, but it does not make that any less of a full-admin account sitting on a public port, so narrow it to the databases the remote client actually needs if you can.
The ca-cert.pem file (only that one, not the server key or certificate) must then be copied to the client, otherwise mysql will not establish the connection; it is the file the client uses to check the server's certificate. The mysql client program must be started like:
mysql --ssl --ssl-ca=ca-cert.pem -h www.lewin.nu -p
Once connected, SHOW STATUS LIKE 'Ssl_cipher'; should print a cipher name; an empty value means the session is not encrypted.
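The whole procedure above (port forward, SSL requirement on the account, and the checks on both ends) as one script. This is an added example, not the post's own commands. The interface, addresses, account names, client hostname and CA file name are the post's; it prints what it would do on each machine rather than running anything itself. It differs from the post in three places: the FORWARD rule is limited to the backend address and reply packets are allowed back explicitly, the SSL requirement is added with GRANT USAGE ... REQUIRE SSL (which grants nothing and only changes the REQUIRE clause) rather than by re-typing the whole GRANT ALL line, and the result is checked against mysql.user.ssl_type on the server and Ssl_cipher on the client.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the commands for forwarding
# public 3306 to the new server, requiring SSL on the externally reachable
# account, and checking both. Values below are the post's; override via env.

EXT_IF="${EXT_IF:-eth-ext}"
PUBLIC_IP="${PUBLIC_IP:-83.227.241.4}"
BACKEND_IP="${BACKEND_IP:-172.16.1.21}"
PORT="${PORT:-3306}"
CLIENT_HOST="${CLIENT_HOST:-www.lewin.nu}"   # hostname the client connects to
CA_FILE="${CA_FILE:-ca-cert.pem}"            # CA file copied to the client

# Firewall rules for the gateway (the old server). Compared with the post's
# two rules, the FORWARD accept is limited to the backend address, and reply
# packets are allowed back explicitly so a DROP policy on FORWARD still works.
forward_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $PUBLIC_IP --dport $PORT -j DNAT --to-destination $BACKEND_IP:$PORT
iptables -A FORWARD -i $EXT_IF -p tcp -d $BACKEND_IP --dport $PORT -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# SQL that adds REQUIRE SSL to existing accounts. GRANT USAGE grants no
# privileges, so only the REQUIRE clause changes and the account's existing
# grants are left alone. Arguments are user@host pairs, e.g. 'erl@%'.
require_ssl_sql() {
  for acct in "$@"; do
    user="${acct%@*}"
    host="${acct#*@}"
    printf "GRANT USAGE ON *.* TO '%s'@'%s' REQUIRE SSL;\n" "$user" "$host"
  done
}

# Server-side check: ssl_type is ANY for accounts that require SSL and empty
# for accounts that do not, so any '%' row with an empty ssl_type is exposed.
verify_sql() {
  printf "SELECT user, host, ssl_type FROM mysql.user WHERE user='%s';\n" "$1"
}

# Client-side check: connect with the CA file and read Ssl_cipher. A non-empty
# value proves the session is encrypted; an empty one means clear text.
client_check_cmd() {
  echo "mysql --ssl --ssl-ca=$CA_FILE -h $CLIENT_HOST -u $1 -p -e \"SHOW STATUS LIKE 'Ssl_cipher'\""
}

# Usage: $0 gateway | sh        (on the old server)
#        $0 server  | mysql -u root -p mysql   (on the new server)
#        $0 client                               (where the application runs)
case "${1:-all}" in
  gateway) forward_rules ;;
  server)  require_ssl_sql 'erl@%'; verify_sql erl ;;
  client)  client_check_cmd erl ;;
  all)     echo "# gateway:";    forward_rules
           echo "# new server:"; require_ssl_sql 'erl@%'; verify_sql erl
           echo "# client:";     client_check_cmd erl ;;
  *)       echo "usage: $0 gateway|server|client" >&2; exit 2 ;;
esac
```

With no argument it prints all three parts so they can be reviewed first. After the server part, ssl_type should read ANY for erl@% (and can stay empty for erl@localhost, which never crosses the network); after the client part, Ssl_cipher should show a cipher name.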
Next step is to set up replication, so that the main MySQL database on Mårten's server is a slave of Erland's.