SSL configuration for backends

ProxySQL supports SSL connections to the backends since version v1.2.0e. Attempts to configure an older version will fail.

IMPORTANT NOTES:

  • SSL is supported only for backends in v1.x. Clients cannot use SSL to connect to ProxySQL in versions prior to v2.x.
  • As of v1.4.5, because ProxySQL uses mariadb-connector-c-2.3.1, only SSL/TLSv1.0 is supported: https://mariadb.com/kb/en/library/mariadb-connector-c-300-release-notes/.
  • In ProxySQL v2.x, mariadb-connector-3.0.2 supports SSL/TLSv1.0, TLSv1.1 and TLSv1.2. This applies to both frontend and backend connections.

To enable SSL connections you need to:

  • update mysql_servers.use_ssl for the server you want to use SSL;
  • update associated global variables (only required in ProxySQL v1.x releases, not required for ProxySQL v2.x)

If you want to connect to the same server with both SSL and non-SSL you need to configure the same server in two different hostgroups, and define access rules.
For example, to configure SSL on one server:

At this stage, in ProxySQL v1.x, trying to connect to host 127.0.0.1 and port 21891 will not use SSL because no key and no certificate are configured. Instead, normal non-SSL connections will be established. In ProxySQL v2.x, if use_ssl=1 then all new connections will use SSL (by means of MySQL’s built-in key/certs).

The next step to use SSL connections in ProxySQL 1.x is to configure key and certificate (this can also be applied to ProxySQL v2.x in case you would like to use a specific key and certificate).

At this point, all new connections to host 127.0.0.1 and port 21891 will use SSL.

If you are happy with the new changes, you can make them persistent by saving the configuration on disk:

To verify that SSL is working as expected between ProxySQL and MySQL, and to check the SSL CIPHER, connect to ProxySQL and run SHOW SESSION STATUS LIKE "Ssl_cipher", for example:
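The backend steps described above, written out as one session. This is an added example, not part of the original page: it assumes the v1.x key and certificate are set through the mysql-ssl_p2s_cert and mysql-ssl_p2s_key global variables, and the file paths are placeholders.

```sql
-- Added example: run steps 1-3 on the ProxySQL admin interface.

-- 1. Flag the backend for SSL and push the change to runtime.
UPDATE mysql_servers SET use_ssl = 1
 WHERE hostname = '127.0.0.1' AND port = 21891;
LOAD MYSQL SERVERS TO RUNTIME;

-- Confirm what the runtime actually holds, not just the in-memory table.
SELECT hostgroup_id, hostname, port, use_ssl
  FROM runtime_mysql_servers
 WHERE port = 21891;

-- 2. Key and certificate used for proxy-to-server connections.
--    Required in v1.x, optional in v2.x.
--    Placeholder paths: point these at your own files.
SET mysql-ssl_p2s_cert = '/path/to/client-cert.pem';
SET mysql-ssl_p2s_key  = '/path/to/client-key.pem';
LOAD MYSQL VARIABLES TO RUNTIME;

-- Review every proxy-to-server SSL setting in one place.
SELECT variable_name, variable_value
  FROM global_variables
 WHERE variable_name LIKE 'mysql-ssl_p2s%';

-- 3. Persist both changes so they survive a restart.
SAVE MYSQL SERVERS TO DISK;
SAVE MYSQL VARIABLES TO DISK;

-- 4. Verification. Run this from a MySQL client connected through
--    ProxySQL's client-facing port, not on the admin interface.
--    An empty Value means the backend connection is not encrypted.
SHOW SESSION STATUS LIKE "Ssl_cipher";
```

Only connections opened after each LOAD ... TO RUNTIME pick up the new settings, so run the check in step 4 from a fresh client session.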

Happy SSLing!

SSL configuration for frontends

Available since 2.0, although disabled by default.

To enable SSL for frontend connections, you need to enable mysql-have_ssl=true. Once this variable has been enabled ProxySQL will generate the following files automatically in the datadir (/var/lib/proxysql):

NOTE: These files can be replaced with your own if you would like to use a predefined configuration. Also be aware that only new connections will use SSL after the mysql-have_ssl=true variable is updated and LOAD MYSQL VARIABLES TO RUNTIME is executed.

To verify SSL is working and to check the SSL CIPHER between your MySQL client and ProxySQL, connect to ProxySQL and run \s, for example:

The supported protocols are:

SSLv2 and SSLv3 were removed in version 2.0.6.

The supported ciphers are: