SSL configuration for backends

ProxySQL supports SSL connections to the backends since version v1.2.0e . Attempts to configure an older version will fail.

IMPORTANT NOTES:

  • SSL is supported only for backends in v1.x. Clients cannot use SSL to connect to ProxySQL in versions prior to v2.x
  • As of v1.4.5, because ProxySQL uses mariadb-connector-c-2.3.1 only SSL/TLSv1.0 is supported: https://mariadb.com/kb/en/library/mariadb-connector-c-300-release-notes/.
  • In ProxySQL v2.x the mariadb-connector-3.0.2 supports SSL/TLSv1.0,TLSv1.1 and TLSv1.2. This applies to frontend and backend connections

To enable SSL connections you need to:

  • update mysql_servers.use_ssl for the server you want to use SSL;
  • update associated global variables (only required in ProxySQL v1.x releases, not required for ProxySQL v2.x)

If you want to connect to the same server with both SSL and non-SSL you need to configure the same server in two different hostgroups, and define access rules.
For example, to configure SSL on one server:

mysql> SELECT * FROM mysql_servers;
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| hostgroup_id | hostname  | port  | status | weight | compression | max_connections | max_replication_lag | use_ssl | max_latency_ms |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| 1            | 127.0.0.1 | 21891 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
| 2            | 127.0.0.1 | 21892 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
| 2            | 127.0.0.1 | 21893 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
3 rows in set (0.00 sec)

mysql> UPDATE mysql_servers SET use_ssl=1 WHERE port=21891;
Query OK, 1 row affected (0.00 sec)

mysql> SELECT * FROM mysql_servers;
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| hostgroup_id | hostname  | port  | status | weight | compression | max_connections | max_replication_lag | use_ssl | max_latency_ms |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| 1            | 127.0.0.1 | 21891 | ONLINE | 1      | 0           | 1000            | 0                   | 1       | 0              |
| 2            | 127.0.0.1 | 21892 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
| 2            | 127.0.0.1 | 21893 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
3 rows in set (0.00 sec)

mysql> LOAD MYSQL SERVERS TO RUNTIME;
Query OK, 0 rows affected (0.00 sec)

mysql> SELECT * FROM runtime_mysql_servers;
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| hostgroup_id | hostname  | port  | status | weight | compression | max_connections | max_replication_lag | use_ssl | max_latency_ms |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
| 1            | 127.0.0.1 | 21891 | ONLINE | 1      | 0           | 1000            | 0                   | 1       | 0              |
| 2            | 127.0.0.1 | 21892 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
| 2            | 127.0.0.1 | 21893 | ONLINE | 1      | 0           | 1000            | 0                   | 0       | 0              |
+--------------+-----------+-------+--------+--------+-------------+-----------------+---------------------+---------+----------------+
3 rows in set (0.00 sec)

At this stage, in ProxySQL v1.x, trying to connect to host 127.0.0.1 and port 21891 will not use SSL because no key and no certificate are configured. Instead, normal non-SSL connections will be established. In ProxySQL v2.x, if use_ssl=1 then all new connections will use SSL (by means of MySQL’s builtin key/certs).

The next step to use SSL connections in ProxySQL 1.x is to configure key and certificate (this can also be applied to ProxySQL v2.x in case you would like to use a specific key and certificate).

mysql> SELECT * FROM global_variables WHERE variable_name LIKE 'mysql%ssl%';
+--------------------+----------------+
| variable_name      | variable_value |
+--------------------+----------------+
| mysql-ssl_p2s_ca   | (null)         |
| mysql-ssl_p2s_cert | (null)         |
| mysql-ssl_p2s_key  | (null)         |
+--------------------+----------------+
3 rows in set (0.00 sec)

mysql> SET mysql-ssl_p2s_cert="/home/vagrant/newcerts/client-cert.pem";
Query OK, 1 row affected (0.00 sec)

mysql> SET mysql-ssl_p2s_key="/home/vagrant/newcerts/client-key.pem";
Query OK, 1 row affected (0.00 sec)

mysql> SELECT * FROM global_variables WHERE variable_name LIKE 'mysql%ssl%';
+--------------------+----------------------------------------+
| variable_name      | variable_value                         |
+--------------------+----------------------------------------+
| mysql-ssl_p2s_ca   | (null)                                 |
| mysql-ssl_p2s_cert | /home/vagrant/newcerts/client-cert.pem |
| mysql-ssl_p2s_key  | /home/vagrant/newcerts/client-key.pem  |
+--------------------+----------------------------------------+
3 rows in set (0.01 sec)

mysql> LOAD MYSQL VARIABLES TO RUNTIME;
Query OK, 0 rows affected (0.00 sec)

At this point, all new connections to host 127.0.0.1 and port 21891 will use SSL.

If you are happy with the new changes, you can make them persistent by saving the configuration on disk:

mysql> SAVE MYSQL SERVERS TO DISK;
Query OK, 0 rows affected (0.01 sec)

mysql> SAVE MYSQL VARIABLES TO DISK;
Query OK, 58 rows affected (0.00 sec)

To verify that SSL is working as expected between ProxySQL and MySQL, and to check the SSL CIPHER, connect to ProxySQL and run SHOW SESSION STATUS LIKE "Ssl_cipher", for example:

mysql -h127.0.0.1 -P6033 -uroot -psecret -e 'SHOW SESSION STATUS LIKE "Ssl_cipher"'
+---------------+----------------------+
| Variable_name | Value                |
+---------------+----------------------+
| Ssl_cipher    | ECDHE-RSA-AES256-SHA |
+---------------+----------------------+

Happy SSLing!

SSL configuration for frontends

Available since 2.0, although disabled by default.

To enable SSL for frontend connections, you need to enable mysql-have_ssl=true. Once this variable has been enabled ProxySQL will generate the following files automatically in the datadir (/var/lib/proxysql):

proxysql-ca.pem
proxysql-cert.pem
proxysql-key.pem

NOTE: These files can be replaced with your own if you would like to use a predefined configuration. Also be aware that only new connections will use SSL after the mysql-have_ssl=true variable is updated and LOAD MYSQL VARIABLES TO RUNTIME is executed.

To verify SSL is working and to check the SSL CIPHER between your MySQL client and ProxySQL connect to ProxySQL and run s, for example:

mysql -h127.0.0.1 -P6033 -uroot -psecret -e's' | grep -P 'SSL|Connection'
SSL: Cipher in use is DHE-RSA-AES256-SHA
Connection: 127.0.0.1 via TCP/IP

The supported protocols are:

TLSv1
TLSv1.1
TLSv1.2

SSLv2 and SSLv3 were removed in version 2.0.6 .

The supported ciphers are:

DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
CAMELLIA256-SHA
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-SEED-SHA
DHE-RSA-CAMELLIA128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
SEED-SHA
CAMELLIA128-SHA
DES-CBC3-SHA