Firewall ports for MariaDB Galera


I am trying to secure my MariaDB Galera servers. They are set up and configured to use SSL.

wsrep_on                 = ON
wsrep_provider           = /usr/lib/galera/libgalera_smm.so
wsrep_cluster_name       = "db-cluster"
wsrep_cluster_address    = gcomm://192.168.0.11,192.168.0.12,192.168.0.13
binlog_format            = row
default_storage_engine   = InnoDB
innodb_autoinc_lock_mode = 2
innodb_doublewrite       = 1
wsrep_sst_method         = rsync
wsrep_replicate_myisam   = ON

wsrep_node_address     = "192.168.0.11"
wsrep_node_name        = "db1"
wsrep_provider_options = "socket.ssl_cert=/etc/mysql/ssl/db.crt;socket.ssl_key=/etc/mysql/ssl/db.key;socket.ssl_ca=/etc/mysql/ssl/ca.crt"

# Allow server to accept connections on all interfaces.
bind-address = 0.0.0.0

# Optional settings
#wsrep_slave_threads = 1
#innodb_flush_log_at_trx_commit = 0

[sst]
ssl-ca = /etc/mysql/ssl/ca.crt
ssl-cert = /etc/mysql/ssl/db.crt
ssl-key = /etc/mysql/ssl/db.key
encrypt=4

I have been testing some firewall rules - the current test is only on DB1 - DB2 and DB3 still accept all connections.

I configured the following iptables rules:

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [629:249784]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# MariaDB Galera Traffic db1 -> db2
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p tcp -m tcp --dport 4567:4568 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p udp -m udp --dport 4567 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.12 -p tcp -m tcp --dport 9999 -j ACCEPT

# MariaDB Galera Traffic db1 -> db3
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p tcp -m tcp --dport 4567:4568 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p udp -m udp --dport 4567 -j ACCEPT
-A INPUT -s 192.168.0.11 -d 192.168.0.13 -p tcp -m tcp --dport 9999 -j ACCEPT

# Load Balancer Traffic
-A INPUT -s 192.168.0.10 -d 192.168.0.11 -p tcp -m tcp --dport 3306 -j ACCEPT

#Accept Local Traffic
-A INPUT -d 192.168.0.11 -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -j ACCEPT
COMMIT

When I put these in place and try to start that node, it fails with the following:

[Note] WSREP: Prepared SST request: rsync|192.168.0.11:4444/rsync_sst
[Note] WSREP: IST receiver addr using ssl://192.168.0.11:4568
[Note] WSREP: IST receiver using ssl
[Note] WSREP: Prepared IST receiver for 70-71, listening at: ssl://192.168.0.11:4568
[Note] WSREP: Member 0.0 (mosaic-db1) requested state transfer from '*any*'. Selected 1.0 (mosaic-db3)(SYNCED) as donor.
[Note] WSREP: Shifting PRIMARY -> JOINER (TO: 71)
[Note] WSREP: Requesting state transfer: success, donor: 1
[Note] WSREP: (81d43164-853c, 'ssl://0.0.0.0:4567') turning message relay requesting off
[Warning] WSREP: 1.0 (db3): State transfer to 0.0 (db1) failed: -110 (Connection timed out)
[ERROR] WSREP: /home/buildbot/buildbot/build/gcs/src/gcs_group.cpp:gcs_group_handle_join_msg():1170: Will never receive state. Need to abort.
[Note] WSREP: gcomm: terminating thread
[Note] WSREP: gcomm: joining thread
[Note] WSREP: gcomm: closing backend

Any suggestions on what I am missing?
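The following is an added example, not code from the question or from any MariaDB/Galera documentation: a POSIX shell script that generates a complete iptables INPUT ruleset for one cluster node. It reuses the node, peer and load-balancer addresses given in the question and the Galera ports the question already lists (3306, 4444, 4567 TCP and UDP, 4568). Two design choices are assumptions of this example rather than anything stated in the question: the INPUT policy is DROP so that only listed traffic is admitted, and each peer rule is written with the peer as source and this node as destination, because that is how an inbound packet (an SST connection from the donor on 4444, an IST connection on 4568, group communication on 4567) appears to the INPUT chain of the receiving node. Port 9999 is left out because the question does not say which service uses it.

```shell
#!/bin/sh
# Added example (not from the original question): emit an iptables-restore
# ruleset for the INPUT chain of one MariaDB Galera node.
# Addresses are taken from the question; change them for your own hosts.

NODE_IP="192.168.0.11"            # this node (wsrep_node_address)
PEERS="192.168.0.12 192.168.0.13" # the other cluster members
LB_IP="192.168.0.10"              # load balancer that connects to MySQL on 3306

# One ACCEPT rule per Galera service for a single peer.
# Inbound packets carry the peer as source and this node as destination,
# so the peer goes in -s and NODE_IP in -d.
galera_rules_for_peer() {
    peer="$1"
    # MySQL client port; only needed if cluster members query each other.
    printf -- '-A INPUT -s %s -d %s -p tcp -m tcp --dport 3306 -j ACCEPT\n' "$peer" "$NODE_IP"
    # SST: the donor connects to the joiner's rsync listener on 4444.
    printf -- '-A INPUT -s %s -d %s -p tcp -m tcp --dport 4444 -j ACCEPT\n' "$peer" "$NODE_IP"
    # Group communication (gcomm), TCP and UDP.
    printf -- '-A INPUT -s %s -d %s -p tcp -m tcp --dport 4567 -j ACCEPT\n' "$peer" "$NODE_IP"
    printf -- '-A INPUT -s %s -d %s -p udp -m udp --dport 4567 -j ACCEPT\n' "$peer" "$NODE_IP"
    # IST: the donor connects to the joiner's IST receiver on 4568.
    printf -- '-A INPUT -s %s -d %s -p tcp -m tcp --dport 4568 -j ACCEPT\n' "$peer" "$NODE_IP"
}

# The full *filter table, in iptables-restore format.
galera_ruleset() {
    printf '%s\n' '*filter'
    # Default-deny on INPUT (an assumption of this example): traffic not
    # matched by a rule below is dropped.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback, replies to our own connections, ICMP and SSH.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
    # Galera traffic from every peer to this node.
    for peer in $PEERS; do
        printf '# MariaDB Galera traffic %s -> %s\n' "$peer" "$NODE_IP"
        galera_rules_for_peer "$peer"
    done
    # Application traffic arrives only through the load balancer.
    printf '%s\n' '# Load balancer -> MySQL'
    printf -- '-A INPUT -s %s -d %s -p tcp -m tcp --dport 3306 -j ACCEPT\n' "$LB_IP" "$NODE_IP"
    printf '%s\n' 'COMMIT'
}

# Print the ruleset; review it, then feed it to iptables-restore.
galera_ruleset
```

Run it with `sh galera-rules.sh > /etc/iptables/rules.v4` (path is an assumption) and load the result with `iptables-restore`. For the db2 and db3 nodes, set `NODE_IP` to that node's address and `PEERS` to the other two members; each node needs its own generated file because the destination address differs.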
