How to connect to a remote MySQL database via SSL using Play Framework?


Problem description

I deploy Play applications in distributed environments, backed by a remote MySQL database. Specifically, the applications are hosted on heroku, and the database is on Amazon RDS (though this really applies to any remote database connection). Since the database isn't just on localhost, I'd prefer that the remote MySQL connection is made through SSL for security.

Given a CA certificate to trust, how can I configure a Play application to connect to the MySQL server through SSL, only if the host certificate can be verified?

Assume this as the current database configuration:

db.default.driver=com.mysql.jdbc.Driver
db.default.url="jdbc:mysql://url.to.database/test_db"
db.default.user=root 
db.default.password="...."

Recommended answer

Assuming you already have the CA certificate setup for the MySQL server (which is the case when using Amazon RDS), there are a few steps to make this work.

First, the CA certificate should be imported into a Java KeyStore file using keytool, which comes with the JDK. The KeyStore in this case will contain all of the CA certificates we want to trust. For Amazon RDS, the CA cert can be found here. With mysql-ssl-ca-cert.pem in your working directory, you can run the following command:

keytool -import -alias mysqlServerCACert -file mysql-ssl-ca-cert.pem -keystore truststore.jks

This will create a new Java KeyStore file called truststore.jks after prompting you to enter a KeyStore password and asking if you want to trust the certificate (yes, you do). If you already have a truststore file, you can run the same command, replacing truststore.jks with the path to your existing KeyStore (you'll then be prompted for the password of the existing KeyStore instead). I usually place truststore.jks in my conf directory.

Second, in application.conf you need to add a few JDBC URL parameters to the database URL:

verifyServerCertificate=true - Refuse to connect if the host certificate cannot be verified.

useSSL=true - Connect using SSL.

requireSSL=true - Refuse to connect if the MySQL server does not support SSL.

For example, if your current database URL is:

db.default.url="jdbc:mysql://url.to.database/test_db"

then it should now be:

db.default.url="jdbc:mysql://url.to.database/test_db?verifyServerCertificate=true&useSSL=true&requireSSL=true"

Lastly, there are a few command-line options that need to be passed when starting the Play server to configure the truststore MySQL-Connector/J will use. Assuming my truststore.jks file is located in the conf directory, and the password is password, I would start my server (in dev mode) like this:

activator run -Djavax.net.ssl.trustStore="conf/truststore.jks" -Djavax.net.ssl.trustStorePassword="password"

In addition to this, I also like to make sure that it's impossible to connect to the database without using SSL, just in case the options somehow get messed up at the application level. For example if db.default.user=root, then when logged in as root in the MySQL server, run the following queries:

GRANT USAGE ON *.* TO 'root'@'%' REQUIRE SSL;
FLUSH PRIVILEGES;
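The answer's second step is the one most easily undone by a later config edit (a colleague adding `useSSL=false` to silence a warning, for instance). The following lint, written here as an added example and not part of the original answer, parses the `db.*.url` keys of an application.conf, reports which of the three parameters are missing or wrong, and produces the hardened URL; the sample config, the `db.reports` datasource and all function names are constructed for the example.

```python
from urllib.parse import parse_qsl, urlencode

# The three parameters the answer adds to the JDBC URL, with the value each needs.
REQUIRED_SSL_PARAMS = {"verifyServerCertificate": "true", "useSSL": "true", "requireSSL": "true"}

def parse_jdbc_url(url):
    """Split 'jdbc:mysql://host/db?k=v&...' into (base, ordered param dict)."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL: %r" % url)
    base, _, query = url.partition("?")
    return base, dict(parse_qsl(query, keep_blank_values=True))

def check_ssl_params(url):
    """Return findings for a JDBC URL; an empty list means verified SSL is enforced."""
    _, params = parse_jdbc_url(url)
    findings = []
    for name, wanted in REQUIRED_SSL_PARAMS.items():
        got = params.get(name)
        if got is None:
            findings.append(name + " missing")
        elif got.lower() != wanted:
            findings.append("%s=%s (expected %s)" % (name, got, wanted))
    return findings

def harden_url(url):
    """Return the URL with all three SSL parameters set, keeping any other parameters."""
    base, params = parse_jdbc_url(url)
    params.update(REQUIRED_SSL_PARAMS)  # also flips an explicit useSSL=false in place
    return base + "?" + urlencode(params)

def lint_conf(conf_text):
    """Map every db.<name>.url key in application.conf text to its findings."""
    report = {}
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().startswith("db.") and key.strip().endswith(".url"):
            report[key.strip()] = check_ssl_params(value.strip().strip('"'))
    return report

# Constructed sample: the question's URL, plus a second datasource that disables SSL.
SAMPLE_CONF = """
db.default.driver=com.mysql.jdbc.Driver
db.default.url="jdbc:mysql://url.to.database/test_db"
db.reports.url="jdbc:mysql://url.to.database/reports?useSSL=false&characterEncoding=utf8"
"""

if __name__ == "__main__":
    for key, findings in lint_conf(SAMPLE_CONF).items():
        print(key, "->", findings or "ok")
```

Running it on the question's own URL yields exactly the hardened URL the answer gives; the `GRANT ... REQUIRE SSL` step remains the server-side backstop for the case where this check is never run.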
