Proxysql: User auth per source IP

Created on 28 Aug 2017 · 5 Comments · Source: sysown/proxysql

Today we have dedicated servers per app/artifact, and each artifact has access only to its own db cluster, limited by Amazon security group or MySQL user auth.

We began to use shared proxysql servers per dc.
How can I create authorization rules to allow access to specific clusters based on source IPs?

All 5 comments

In mysql_query_rules you can direct specific applications to mysql server host groups by client IP address (client_addr). See https://github.com/sysown/proxysql/wiki/MySQL-Query-Rules
This isn't authorization exactly, but rather just routing queries where you want them to go.

I already thought of this solution, but that means that each select/command will need to pass this evaluation. I was asking about some authorisation made during the authentication phase.
For now each user that has the username and password can connect to that specific host group.

I guess there is no better solution.

@renecannao any idea?

Currently the only possible option is what was suggested by @paulcaskey. This option is meant mostly for routing, but of course can also be used to allow or deny traffic.
Due to the fact that rules can be concatenated, this option doesn't create a lot of overhead.
The only drawback is that filtering happens while handling traffic, not during authentication.
Filtering during authentication is not yet available.
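
The approach described in the comments above, written out as an added example that is not part of the original thread or the project's own documentation: per-user allow rules keyed on `client_addr`, followed by a default-deny rule that uses `error_msg`. The user names, hostgroup ids, rule ids and addresses are constructed for illustration.

```sql
-- Run on the ProxySQL admin interface.
-- Constructed values: users app_a / app_b, hostgroups 10 / 20,
-- application servers 10.0.1.11, 10.0.1.12 and 10.0.2.21.

-- Allow: app_a from its own servers is routed to its cluster (hostgroup 10).
-- apply=1 stops rule evaluation at the first match.
INSERT INTO mysql_query_rules
  (rule_id, active, username, client_addr, destination_hostgroup, apply, comment)
VALUES (100, 1, 'app_a', '10.0.1.11', 10, 1, 'app_a allowed source');
INSERT INTO mysql_query_rules
  (rule_id, active, username, client_addr, destination_hostgroup, apply, comment)
VALUES (101, 1, 'app_a', '10.0.1.12', 10, 1, 'app_a allowed source');

-- Allow: app_b from its own server is routed to hostgroup 20.
INSERT INTO mysql_query_rules
  (rule_id, active, username, client_addr, destination_hostgroup, apply, comment)
VALUES (200, 1, 'app_b', '10.0.2.21', 20, 1, 'app_b allowed source');

-- Deny: any query from these users that matched no allow rule above
-- (that is, came from another address) is answered with an error
-- instead of being forwarded to a backend.
INSERT INTO mysql_query_rules
  (rule_id, active, username, error_msg, apply, comment)
VALUES (190, 1, 'app_a', 'source address not allowed for app_a', 1, 'app_a default deny');
INSERT INTO mysql_query_rules
  (rule_id, active, username, error_msg, apply, comment)
VALUES (290, 1, 'app_b', 'source address not allowed for app_b', 1, 'app_b default deny');

-- Rules are evaluated in rule_id order, so each deny rule must have a
-- higher rule_id than the allow rules for the same user.
LOAD MYSQL QUERY RULES TO RUNTIME;
SAVE MYSQL QUERY RULES TO DISK;

-- Check which rules are being hit; growth on 190 / 290 means queries
-- are arriving from addresses outside the allow list.
SELECT rule_id, hits FROM stats_mysql_query_rules ORDER BY rule_id;
```

As the thread notes, this filters while handling traffic: a client with valid credentials still authenticates from any address, and only its queries are rejected. A user with no deny rule falls through to the `default_hostgroup` set in `mysql_users`.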

+1 being able to restrict by hostpattern during authentication would be a nice addition to proxysql's "firewall" capabilities.
