如何使用Play Framework通过SSL连接到远程MySQL数据库? [英] How to connect to a remote MySQL database via SSL using Play Framework?
问题描述
我在分布式环境中部署Play应用程序,由远程MySQL数据库支持。具体来说,应用程序托管在heroku上,数据库位于Amazon RDS上(尽管这实际上适用于任何远程数据库连接)。由于数据库不仅仅是在localhost上,我更喜欢远程MySQL连接是通过SSL进行安全的。
I deploy Play applications in distributed environments, backed by a remote MySQL database. Specifically, the applications are hosted on heroku, and the database is on Amazon RDS (though this really applies to any remote database connection). Since the database isn't just on localhost, I'd prefer that the remote MySQL connection is made through SSL for security.
鉴于要信任的CA证书,如果可以验证主机证书,我如何配置Play应用程序通过SSL连接到MySQL服务器?
Given a CA certificate to trust, how can I configure a Play application to connect to the MySQL server through SSL, only if the host certificate can be verified?
假设这是当前的数据库配置:
Assume this as the current database configuration:
db.default.driver=com.mysql.jdbc.Driver
db.default.url="jdbc:mysql://url.to.database/test_db"
db.default.user=root
db.default.password="...."
推荐答案
假设您已经拥有MySQL服务器的CA证书设置(使用Amazon RDS时就是这种情况),有几个步骤可以使其工作。
Assuming you already have the CA certificate setup for the MySQL server (which is the case when using Amazon RDS), there are a few steps to make this work.
首先,应使用将CA证书导入Java KeyStore文件JDK附带的keytool 。在这种情况下,KeyStore将包含我们想要信任的所有CA证书。对于Amazon RDS,可以在此处找到CA证书。在工作目录中使用 mysql -ssl-ca-cert.pem ,可以运行以下命令:
First, the CA certificate should be imported into a Java KeyStore file using keytool, which comes with the JDK. The KeyStore in this case will contain all of the CA certificates we want to trust. For Amazon RDS, the CA cert can be found here. With mysql-ssl-ca-cert.pem in your working directory, you can run the following command:
keytool -import -alias mysqlServerCACert -file mysql-ssl-ca-cert.pem -keystore truststore.jks
在提示您输入KeyStore密码并询问您是否要信任之后,将创建名为 truststore.jks 的新Java KeyStore文件证书(是的,你这样做)。如果您已有信任库文件,则可以运行相同的命令,将 truststore.jks 替换为现有KeyStore的路径(然后会提示您输入密码相反,现有的KeyStore)。我通常在 conf 目录中放置 truststore.jks 。
Which will create a new Java KeyStore file called truststore.jks after prompting you to enter a KeyStore password and asking if you want to trust the certificate (yes, you do). If you already have a truststore file, you can run the same command, replacing truststore.jks with the path to your existing KeyStore (you'll then be prompted for the password of the existing KeyStore, instead). I usually place truststore.jks in my conf directory.
其次,在 application.conf 中,您需要向数据库URL添加一些JDBC URL参数:
Second, in application.conf you need to add a few JDBC URL parameters to the database URL:
verifyServerCertificate = true - 如果无法验证主机证书,则拒绝连接。
verifyServerCertificate=true - Refuse to connect if the host certificate cannot be verified.
useSSL = true - 使用SSL连接。
useSSL=true - Connect using SSL.
requireSSL = true - 拒绝连接if MySQL服务器不支持SSL。
requireSSL=true - Refuse to connect if the MySQL server does not support SSL.
例如,如果您当前的数据库URL是:
For example, if your current database URL is:
db.default.url="jdbc:mysql://url.to.database/test_db"
那么它现在应该是:
db.default.url="jdbc:mysql://url.to.database/test_db?verifyServerCertificate=true&useSSL=true&requireSSL=true"
最后,启动Play服务器以配置信任时,需要传递一些命令行选项存储MySQL-Connector / J将使用。假设我的 truststore.jks 文件位于 conf 目录中,密码为密码,我会像这样启动我的服务器(在开发模式下):
Lastly, there are a few command-line options that need to be passed when starting the Play server to configure the truststore MySQL-Connector/J will use. Assuming my truststore.jks file is located in the conf directory, and the password is password, I would start my server (in dev mode) like this:
activator run -Djavax.net.ssl.trustStore="conf/truststore.jks" -Djavax.net.ssl.trustStorePassword="password"
除此之外,我还想确保在不使用SSL的情况下连接到数据库是不可能的,以防万一选项在应用程序中搞砸了水平。例如,如果 db.default.user = root ,那么当在MySQL服务器中以 root 身份登录时,运行以下查询:
In addition to this, I also like to make sure that it's impossible to connect to the database without using SSL, just in case the options somehow get messed up at the application level. For example if db.default.user=root, then when logged in as root in the MySQL server, run the following queries:
GRANT USAGE ON *.* TO 'root'@'%' REQUIRE SSL;
FLUSH PRIVILEGES;
这篇关于如何使用Play Framework通过SSL连接到远程MySQL数据库?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
