Proxysql: SSL/TLS From Client to ProxySQL

Created on 25 Jan 2017 · 16 Comments · Source: sysown/proxysql

I know ProxySQL supports SSL from it to the MySQL backends. I didn't find an issue officially requesting support of SSL from the clients to ProxySQL.

We have a requirement for encryption in transit, which requires SSL for MySQL connections from our app servers to MySQL.

Although we can deploy ProxySQL on the app servers to minimize this exposure, ideally I'd like to see ProxySQL as a separate layer, with HA eventually, so that we could get better benefit out of the ProxySQL Query Cache.

Full support for SSL over the full data path would ensure support for HIPAA/HITECH environments.

PROTOCOL enhancement

All 16 comments

I think this is the first issue explicitly requesting support of SSL from the clients to ProxySQL.
It is on the roadmap, but there is no precise milestone for it yet.
Thanks

I'd +1 this simply for the ability to offload ssl. mysql should lose a lot of connection performance with ssl enabled. Offloading ssl would be beneficial so it can be scaled separately.

There are multiple reasons I'd like to have this ability. In an architecture where clients don't speak ssl, but ssl is needed, I can't really think of a better means to get secure connectivity without some sort of tunneling. And you'd lose all the performance gains of connection reuse and query cache with tunneling, vs proxysql.

client(non-ssl)->proxysql->scary_network(ssl)->proxysql->mysql(non-ssl)

The above path would be great for updates that need to happen to a master. The master either isn't local, is HA, or needs to maintain what scale it can currently deliver, and should be protected from short-lived connections that don't get correctly reused. proxysql is run as a service on both ends. Scaling of ssl connections should be offloaded from mysql imo.

It also provides a single place to have to manage your inevitable vulnerabilities that ssl seems to have as of late ;) Rather than offloading responsibility to the clients and server, or having to deal with ssl updates and vulnerabilities there.

Granted, a proper API should really sit in front of your mysql service; however, even those APIs can have needs like this at scale. I'm thinking multi AZ and multi region services. It would be cool to have ssl clients enabled.

At the end of the day, clients can not be trusted to maintain good reuse practices on connections to mysql (just like they can't always be trusted to know when to connect to a slave mysql server, should you require that scale). Add some latency and ssl, and the problem gets way worse. A solution to reduce the odds of being impacted by that inevitable situation (especially with multi AZ and region cloud services), would be sweet. Soooo +1 barring anything more important :)

+1

Hi, is there any progress on adding secure client connections? Perhaps even a milestone?

We would love to be able to use ProxySQL as our main proxy, and SSL to the client would be one of our basic security requirements. How much effort would be required to add this, and is there any way it could be prioritized? This would be our main blocker to choosing ProxySQL over maxscale or scalearc.
Thanks for a great product BTW.

As an extension to this FR, please also make sure you add an option like require_secure_transport.

I'm hoping that you can use TLS in the kernel here. Looks like a great (but very recent) Linux feature.

+1

+1

Just checking if there are any plans to implement this anytime soon?

Yes. It is implemented in 2.0-lab.
Wait for an announcement soon.

We like ProxySQL, but lack of SSL support is a show stopper. Eagerly awaiting your announcement.

When will version 2.0 be released?
This is actually a cool feature to add, SSL/TLS from the client!!!!

Is there an approximate date when you plan to implement TLS/SSL from client to Proxysql?

I thought it was already implemented since it is explained in the wiki:
https://github.com/sysown/proxysql/wiki/SSL-Support#ssl-configuration-for-frontends
But my tests proved me wrong ):

I also haven't found a matching PR.

Many thanks and best regards

@Hermsi1337, sorry, the doc wasn't correct.
Updated:

Available since 2.0, although disabled by default.
To enable SSL for frontend connections, you need to enable `mysql-have_ssl=true`

It is disabled by default for performance reasons.
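One way to confirm from the network side whether a frontend actually offers TLS once `mysql-have_ssl` is set, as an added example that is not from this thread or the ProxySQL project: it parses the server's first MySQL handshake packet and reports whether the `CLIENT_SSL` capability bit is advertised. Assumptions: the frontend sends a standard HandshakeV10 greeting, 6033 is ProxySQL's default client port, the host name in the final comment is a placeholder, and the sample packet is constructed.

```python
import socket
import struct

CLIENT_SSL = 0x0800  # MySQL capability flag: server accepts a TLS upgrade

def parse_greeting(packet: bytes) -> dict:
    """Parse a MySQL HandshakeV10 packet (4-byte header + payload)."""
    length = int.from_bytes(packet[:3], "little")
    payload = packet[4:4 + length]
    if length == 0 or len(payload) != length:
        raise ValueError("truncated or empty packet")
    if payload[0] != 10:  # 0xFF here would be an ERR packet instead
        raise ValueError("not a HandshakeV10 packet")
    end = payload.index(b"\x00", 1)      # server version is NUL-terminated
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1 + 4 + 8 + 1            # skip connection id, salt part 1, filler
    if len(payload) < pos + 2:
        raise ValueError("handshake ends before capability flags")
    caps = struct.unpack_from("<H", payload, pos)[0]
    if len(payload) >= pos + 7:          # charset(1) + status(2) + upper caps(2)
        caps |= struct.unpack_from("<H", payload, pos + 5)[0] << 16
    return {"server_version": version, "capabilities": caps,
            "offers_tls": bool(caps & CLIENT_SSL)}

def fetch_greeting(host: str, port: int = 6033, timeout: float = 5.0) -> bytes:
    """Read the greeting a server sends on connect; no credentials are sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        header = f.read(4)
        return header + f.read(int.from_bytes(header[:3], "little"))

def build_greeting(version: bytes, caps: int) -> bytes:
    """Constructed sample greeting so the parser can be exercised offline."""
    payload = (b"\x0a" + version + b"\x00" + struct.pack("<I", 1)
               + b"A" * 8 + b"\x00" + struct.pack("<H", caps & 0xFFFF)
               + b"\x21" + struct.pack("<H", 2)
               + struct.pack("<H", caps >> 16) + b"\x15" + b"\x00" * 10
               + b"B" * 12 + b"\x00" + b"mysql_native_password\x00")
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

if __name__ == "__main__":
    sample = build_greeting(b"0.0.0-constructed", CLIENT_SSL | 0x0200)
    print(parse_greeting(sample))
    # Live check against your own proxy: parse_greeting(fetch_greeting("proxy.example.internal"))
```

The advertised bit only shows that TLS is offered; whether plaintext logins are still accepted has to be checked separately.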

Is there any way we can force this to only do SSL on the client to ProxySQL frontend?

Support added in ProxySQL 2.0
