Hello dear!
Now I have a concern. When I use proxysql to access mysql, no matter where I am, as long as I can access proxysql, I can log in to mysql via proxysql. I think this is risky.
How can I configure it to allow only one or some trusted IP addresses to access proxysql like mysql?
Why block IPs on the application side when you can do it via the firewall?
If you want to create a whitelist of IPs that can access a specific port, you can configure the firewall:
Let's say you create a firewalld service with the ProxySQL port and an "ipset" whitelist that includes all the IPs.
Example for the service:
[root@foo ~]# cat /etc/firewalld/services/proxysql.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>proxysql</short>
  <description>ProxySQL</description>
  <port protocol="tcp" port="6033"/>
</service>

[root@foo ~]# cat /etc/firewalld/zones/internal.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <interface name="bond0"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source ipset="proxysql_whitelist"/>
    <service name="proxysql"/>
    <accept/>
  </rule>
</zone>

[root@foo ~]# cat /etc/firewalld/ipsets/proxysql_whitelist.xml
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <entry>10.9.8.7</entry>
</ipset>
OK. Thanks for your answer.
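Added example, not part of the original thread or of ProxySQL/firewalld: a small Python audit of the zone and ipset files shown in the answer, flagging the mistakes that silently defeat the whitelist (the service also enabled zone-wide, an undefined ipset, a catch-all entry). The function names and the inline sample XML are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

def load_ipset(xml_text):
    """Return the <entry> values of a firewalld ipset file."""
    return [e.text.strip() for e in ET.fromstring(xml_text).findall("entry") if e.text]

def audit_zone(zone_xml, service, ipsets):
    """Return findings that would let non-whitelisted hosts reach `service`."""
    zone = ET.fromstring(zone_xml)
    findings = []
    if zone.get("target") == "ACCEPT":
        findings.append("zone target is ACCEPT: every port is open")
    # A <service> directly under <zone> is open to every source in the zone.
    if any(s.get("name") == service for s in zone.findall("service")):
        findings.append(f"{service} is enabled zone-wide, bypassing the whitelist rule")
    for rule in zone.findall("rule"):
        svc, src = rule.find("service"), rule.find("source")
        if svc is None or svc.get("name") != service or rule.find("accept") is None:
            continue
        if src is None:
            findings.append("accept rule has no source restriction")
            continue
        name = src.get("ipset")
        if name is None:
            continue  # address-based source; not checked here
        if name not in ipsets:
            findings.append(f"ipset {name} is not defined")
            continue
        for entry in ipsets[name]:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"ipset {name}: invalid entry {entry!r}")
                continue
            if net.prefixlen == 0:
                findings.append(f"ipset {name}: {entry} matches every address")
    return findings

# Constructed sample input modelled on the files in the answer.
IPSET = '<ipset type="hash:ip"><entry>10.9.8.7</entry></ipset>'
RULE = ('<rule family="ipv4"><source ipset="proxysql_whitelist"/>'
        '<service name="proxysql"/><accept/></rule>')
ZONE_GOOD = f'<zone><interface name="bond0"/><service name="ssh"/>{RULE}</zone>'
ZONE_BAD = f'<zone><service name="ssh"/><service name="proxysql"/>{RULE}</zone>'

if __name__ == "__main__":
    sets = {"proxysql_whitelist": load_ipset(IPSET)}
    for label, zone in (("good", ZONE_GOOD), ("bad", ZONE_BAD)):
        print(label, audit_zone(zone, "proxysql", sets) or "OK")
```

An empty result for a zone means none of these bypasses were found; it does not replace testing the port from a host outside the whitelist.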