服務端
- 查看 openssl 的配置目錄(OPENSSLDIR): openssl version -d
- 生成私鑰和證書簽名請求(會輸出 server.req 和加密的 privkey.pem)
openssl req -new -text -out server.req -subj '/C=CN/ST=Zhejiang/L=Hangzhou/O=dbpaas/CN=dbpaas-ip-port' -passout pass:'xxx'
-passout 是給輸出的私鑰文件 privkey.pem 加密用的口令
- 去掉私鑰的 passphrase(否則數據庫啓動時需要手工輸入口令)
openssl rsa -in privkey.pem -out server.key -passin pass:'xxx'
-passin 是讀取輸入私鑰文件所需的口令,這一步輸出的 server.key 不再加密
rm -f privkey.pem
- turn the certificate into a self-signed certificate and to copy the key and certificate to where the server will look for them
openssl req -x509 -in server.req -text -key server.key -out server.crt
- 修改私鑰權限,只允許文件屬主讀寫
chmod 600 server.key
- 把證書和私鑰移動到數據目錄
mv -f server.crt server.key $PGDATA
- 修改 postgresql.conf 參數
ssl = on
ssl_cert_file = 'server.crt' # (change requires restart)
ssl_key_file = 'server.key'
下面的參數不用改,使用 pg 默認值即可
ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
# (change requires restart)
ssl_renegotiation_limit = 512MB # amount of data between renegotiations
- 重啓數據庫
pg_ctl restart -m fast
重啓後連接數據庫時會顯示 SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
- 用 sslinfo 擴展查看當前連接的 ssl 相關信息
create extension sslinfo;
CREATE EXTENSION
digoal=# select ssl_is_used();
ssl_is_used
-------------
t
(1 row)
digoal=# select ssl_cipher();
ssl_cipher
--------------------
DHE-RSA-AES256-SHA
(1 row)
digoal=# select ssl_version();
ssl_version
-------------
TLSv1
(1 row)
- 可以在 pg_hba.conf 中強制客戶端使用 ssl 連接數據庫
- 把原來的 host 改爲 hostssl,即強制該條規則匹配的客戶端必須使用 ssl 連接,例如: hostssl all all 0.0.0.0/0 md5
- 使用 host 的話 ssl 和非 ssl 連接都允許,客戶端默認會優先嘗試 ssl
- hostnossl 則只允許非 ssl 連接
客戶端
- 客戶端也要安裝 openssl 包,然後可以通過 sslmode 設置強制使用還是不使用 ssl。注意 sslmode=require 只保證連接加密,不校驗服務端證書;需要校驗服務端身份時應使用 verify-ca 或 verify-full 並配置 sslrootcert
psql "sslmode=require" -h 172.16.3.33 -p 1999 -U postgres -d pg
psql "sslmode=disable" -h 172.16.3.33 -p 1999 -U postgres -d pg
注意
- 只需在主庫上創建,通過 basebackup 搭建的備庫會隨數據目錄一起拷貝這兩個文件
參考: https://github.com/digoal/blog/blob/master/201305/20130522_01.md https://www.jianshu.com/p/15b1d935a44b