Configuring SSL encryption on Galera Cluster
To secure all communication in a Galera Cluster, both between the cluster nodes and between clients and the MySQL servers running inside the cluster, you need to enable three layers of security:
- Firewall
- SELinux
- Encryption
The configuration of Firewall and SELinux for access control on the TCP and UDP ports used for MySQL connections and for Galera Cluster replication is covered in the post Galera Cluster for MySQL, which has a paragraph with all the details.
Here we focus on the configuration needed to encrypt the communication between clients and the MySQL server, and between the nodes of the cluster itself.
SSL configuration
Both MySQL and Galera Cluster support SSL for communication encryption, and it must be configured on every node of the cluster. To activate SSL you first need to generate the certificates: see the Galera Cluster SSL Certificates page for the Galera Cluster scenario, or in general the documentation available around the web.
SSL encryption must be enabled at three levels: traffic between client and database server, replication traffic between nodes, and SST traffic (the full data copy to a new node).
MySQL database
In the file /etc/my.cnf you need to add these SSL parameters:
[mysqld]
ssl_ca=/path/to/ca-cert.pem
ssl_key=/path/to/server-key.pem
ssl_cert=/path/to/server-cert.pem
require_secure_transport=ON
- ssl_ca is the certificate authority file
- ssl_key is the private key
- ssl_cert is the certificate file
- require_secure_transport makes SSL mandatory for client connections
Once certificates and private keys are configured, unencrypted connections are still accepted: by default SSL is available but not required. To force SSL-only connections you need to add the require_secure_transport=ON option.
Galera Cluster replication
To enable SSL for the replication traffic between the nodes, add the socket SSL options to the wsrep_provider_options parameter:
wsrep_provider_options="socket.ssl_key=/path/to/server-key.pem; socket.ssl_cert=/path/to/server-cert.pem; socket.ssl_ca=/path/to/cacert.pem"
- socket.ssl_key is the private key
- socket.ssl_cert is the certificate file
- socket.ssl_ca is the certificate authority file
In addition you can set the socket.ssl_cipher option to change the default SSL cipher; any cipher available in the version of the SSL library installed on the server can be configured.
Galera Cluster SST - State Snapshot Transfers
SST, State Snapshot Transfer, refers to a full data copy from one cluster node to a new joining node. How this happens depends on the method configured for that operation. In my case I chose rsync, configured in the wsrep_sst_method parameter. Galera Cluster supports SSL for the rsync method starting from version 8.0.25.
...
wsrep_sst_method=rsync
...
In this case, if the SSL parameters (private key, certificate and CA) are already present in the [mysqld] section of /etc/my.cnf, they are automatically used to encrypt the SST, unless explicitly overridden with the same parameters in the [sst] section.
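As an added check (example code, not from the original post or from Galera itself), this Python script audits a my.cnf against the three layers described above: client SSL with require_secure_transport, the socket.ssl_* keys inside wsrep_provider_options, and rsync SST inheriting the [mysqld] certificates unless an [sst] section overrides them. The sample configurations embedded in it are constructed.

```python
# Added example (not from the original post): audit my.cnf for the three
# SSL layers the post configures (client, node replication, rsync SST).
# The sample configs below are constructed; option names are the post's.
import configparser

REQUIRED_MYSQLD = ("ssl_ca", "ssl_key", "ssl_cert")
REQUIRED_SOCKET = ("socket.ssl_key", "socket.ssl_cert", "socket.ssl_ca")


def parse_provider_options(value):
    """Split the 'k=v; k2=v2' string used by wsrep_provider_options into a dict."""
    opts = {}
    for item in value.strip().strip('"\'').split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            opts[key.strip()] = val.strip()
    return opts


def audit_my_cnf(text):
    """Return the list of findings; an empty list means all three layers are set."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   strict=False, delimiters=("=",))
    cp.optionxform = lambda name: name.strip().replace("-", "_").lower()  # ssl-ca == ssl_ca
    cp.read_string(text)
    mysqld = cp["mysqld"] if cp.has_section("mysqld") else {}
    sst = cp["sst"] if cp.has_section("sst") else {}
    findings = []
    # Layer 1: client <-> server. Certificates alone still allow plaintext clients.
    for key in REQUIRED_MYSQLD:
        if key not in mysqld:
            findings.append(f"[mysqld] missing {key}")
    if mysqld.get("require_secure_transport", "OFF").strip().upper() != "ON":
        findings.append("[mysqld] require_secure_transport is not ON; plaintext clients accepted")
    # Layer 2: node <-> node replication via socket.ssl_* in wsrep_provider_options.
    sock = parse_provider_options(mysqld.get("wsrep_provider_options", ""))
    for key in REQUIRED_SOCKET:
        if key not in sock:
            findings.append(f"wsrep_provider_options missing {key}; replication unencrypted")
    # Layer 3: rsync SST inherits [mysqld] ssl_* unless [sst] overrides them.
    if mysqld.get("wsrep_sst_method", "").strip() == "rsync":
        if not all(k in mysqld or k in sst for k in REQUIRED_MYSQLD):
            findings.append("[sst] rsync SST has no ssl_ca/ssl_key/ssl_cert")
    return findings


# Constructed samples: the post's full configuration, and one with two gaps.
GOOD_CNF = """[mysqld]
ssl_ca=/path/to/ca-cert.pem
ssl_key=/path/to/server-key.pem
ssl_cert=/path/to/server-cert.pem
require_secure_transport=ON
wsrep_provider_options="socket.ssl_key=/path/to/server-key.pem; socket.ssl_cert=/path/to/server-cert.pem; socket.ssl_ca=/path/to/cacert.pem"
wsrep_sst_method=rsync
"""
WEAK_CNF = GOOD_CNF.replace("require_secure_transport=ON\n", "").replace("; socket.ssl_ca=/path/to/cacert.pem", "")

if __name__ == "__main__":
    for name, cnf in (("good", GOOD_CNF), ("weak", WEAK_CNF)):
        print(name, audit_my_cnf(cnf) or "all three SSL layers configured")
```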