Proxysql: How to set whitelist through proxysql?

Created on 12 Jun 2019  ·  2 Comments  ·  Source: sysown/proxysql

Hello dear!
Now I have a concern. When I use proxysql to access mysql, no matter where I am, as long as I can access proxysql, I can log in to mysql via proxysql. I think this is risky.
How can I configure it to allow only one or some trusted IP addresses to access proxysql like mysql?

All 2 comments

Why block IPs from the application side when you can do it via a firewall?
If you want to create a whitelist of IPs that can access a specific port, you can configure the firewall:
Let's say, create a firewalld service with the port of ProxySQL and an "ipset" whitelist that includes all the IPs.

Example for service:

[root@foo ~]# cat /etc/firewalld/services/proxysql.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>proxysql</short>
  <description>ProxySQL</description>
  <port protocol="tcp" port="6033"/>
</service>

[root@foo ~]# cat /etc/firewalld/zones/internal.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <interface name="bond0"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source ipset="proxysql_whitelist"/>
    <service name="proxysql"/>
    <accept/>
  </rule>
</zone>

[root@foo ~]# cat /etc/firewalld/ipsets/proxysql_whitelist.xml
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <entry>10.9.8.7</entry>
</ipset>
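
The rich rule above only restricts port 6033 as long as the proxysql service (or its port) is not also opened at zone level, where it would accept every source in the zone. The following check for that is an added example, not part of the original thread or of ProxySQL or firewalld: audit_zone and is_allowed are hypothetical helpers, the XML strings are constructed from the files quoted above, and ipset entries are assumed to be single addresses or CIDR blocks.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed inputs: the firewalld files quoted in the answer above.
SERVICE_XML = '<service><port protocol="tcp" port="6033"/></service>'
ZONE_XML = """<zone>
  <interface name="bond0"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source ipset="proxysql_whitelist"/>
    <service name="proxysql"/>
    <accept/>
  </rule>
</zone>"""
IPSETS = {"proxysql_whitelist":
          '<ipset type="hash:ip"><entry>10.9.8.7</entry></ipset>'}

def audit_zone(zone_xml, service_name, service_xml, ipsets):
    """Return (allowed_networks, findings) for one service in one zone."""
    zone = ET.fromstring(zone_xml)
    ports = {(p.get("port"), p.get("protocol"))
             for p in ET.fromstring(service_xml).findall("port")}
    allowed, findings = set(), []
    # A zone-level <service> or <port> accepts every source that reaches the
    # zone, so the ipset rule would no longer restrict anything.
    if any(s.get("name") == service_name for s in zone.findall("service")):
        findings.append(f"service {service_name} is open to the whole zone")
    for p in zone.findall("port"):
        if (p.get("port"), p.get("protocol")) in ports:
            findings.append(f"port {p.get('port')} is open to the whole zone")
    for rule in zone.findall("rule"):
        svc, src = rule.find("service"), rule.find("source")
        if (svc is None or svc.get("name") != service_name
                or rule.find("accept") is None):
            continue  # not an accept rule for this service
        if src is None:
            findings.append("accept rule has no source restriction")
        elif src.get("address"):
            allowed.add(ipaddress.ip_network(src.get("address"), strict=False))
        elif src.get("ipset") in ipsets:
            root = ET.fromstring(ipsets[src.get("ipset")])
            allowed.update(ipaddress.ip_network(e.text.strip(), strict=False)
                           for e in root.findall("entry"))
        else:
            findings.append("rule source is not an address or a known ipset")
    findings += [f"{n} matches every address" for n in allowed if n.prefixlen == 0]
    return allowed, findings

def is_allowed(client_ip, allowed):
    return any(ipaddress.ip_address(client_ip) in net for net in allowed)
```

An empty findings list for the files as posted means 6033 is reachable only from the whitelisted entry; the interface still has to be bound to that zone for the rule to apply.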

OK. Thanks for your answer.
