NGINX configuration with two backends (without load balancing) and NGINX - MYSQL TLS encryption


kev jr
Hi all,

Question 1
Is it possible to have NGINX reverse proxy to multiple MySQL servers listening on the same port using different names like you can with http? We don't want to perform any load balancing operation on them, we just want to be able to redirect to MySQL instances based on a logical name, same as on http.

Question 2
When I try to implement TLS encryption between NGINX and MYSQL Database server, I have the following error on my MySQL Client: ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error

I have the following configuration: Ubuntu server with the MySQL Client // NGINX (with the configuration below) // MYSQL Database (with SSL activated)
stream {
    upstream mysql1 {
        server 172.31.39.168:3306;
    }
    server {
        listen     3306;
        proxy_pass mysql1;
        proxy_ssl  on;
        proxy_ssl_certificate         /etc/ssl/client-cert.pem;
        proxy_ssl_certificate_key     /etc/ssl/client-key.pem;
        #proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        #proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
        proxy_ssl_trusted_certificate /etc/ssl/ca-cert.pem;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_session_reuse       on;
    }
}

If I comment proxy_ssl* parameters on NGINX, the connection works between "Ubuntu server (with the MySQL Client)" and "MYSQL Database (with SSL activated)" through "NGINX".

Thanks all



_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
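A diagnostic for question 2, added here as an example and not part of the original post or of NGINX: the MySQL protocol begins every connection with a cleartext server greeting and switches to TLS only after the client echoes the CLIENT_SSL capability flag, while proxy_ssl on opens with a TLS ClientHello and waits for a ServerHello, so the TLS handshake to the backend fails and NGINX drops the client, which is consistent with the 'reading initial communication packet' error. The script parses that greeting and reports whether the backend advertises TLS; SAMPLE_GREETING is a constructed packet, and fetch_greeting() assumes the backend is reachable over plain TCP from wherever it runs.

```python
import socket

# CLIENT_SSL capability bit (0x800): the server advertises it in its cleartext
# greeting, the client echoes it in an SSLRequest packet, and only then does TLS start.
CLIENT_SSL = 0x0800

# Constructed sample of a MySQL "Initial Handshake Packet" (protocol v10): the
# cleartext bytes a server sends as soon as the TCP connection opens. Illustrative values.
SAMPLE_GREETING = (
    b"\x4e\x00\x00\x00"             # payload length 78, sequence id 0
    + b"\x0a"                       # protocol version 10
    + b"5.7.28-log\x00"             # server version (illustrative), NUL terminated
    + b"\x2a\x00\x00\x00"           # connection id 42
    + b"abcdefgh\x00"               # auth-plugin-data-part-1 + filler
    + b"\xff\xff"                   # capability flags, lower 16 bits (CLIENT_SSL set)
    + b"\x21"                       # character set
    + b"\x02\x00"                   # status flags
    + b"\xff\x81"                   # capability flags, upper 16 bits
    + b"\x15"                       # length of auth-plugin-data
    + b"\x00" * 10                  # reserved
    + b"ijklmnopqrst\x00"           # auth-plugin-data-part-2
    + b"mysql_native_password\x00"  # auth plugin name
)

def is_tls_record(data: bytes) -> bool:
    """True for a TLS record, which is what proxy_ssl sends and expects to receive."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03

def parse_greeting(packet: bytes) -> dict:
    """Parse a cleartext v10 greeting; raise if the bytes are not one (e.g. a TLS record)."""
    length = int.from_bytes(packet[0:3], "little")
    body = packet[4:4 + length]
    if len(body) != length or body[0] != 10:
        raise ValueError("not a MySQL protocol v10 handshake packet")
    end = body.index(b"\x00", 1)                  # end of the version string
    pos = end + 1
    conn_id = int.from_bytes(body[pos:pos + 4], "little")
    pos += 4 + 8 + 1                              # skip auth-plugin-data-part-1 and filler
    cap_low = int.from_bytes(body[pos:pos + 2], "little")
    cap_high = int.from_bytes(body[pos + 5:pos + 7], "little")  # after charset and status
    capabilities = (cap_high << 16) | cap_low
    return {"version": body[1:end].decode(), "connection_id": conn_id,
            "capabilities": capabilities,
            "tls_advertised": bool(capabilities & CLIENT_SSL)}

def fetch_greeting(host: str, port: int = 3306, timeout: float = 3.0) -> bytes:
    """Read the backend's first packet over plain TCP without sending anything first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        header = f.read(4)
        return header + f.read(int.from_bytes(header[0:3], "little"))
```

If fetch_greeting() against the backend returns bytes that parse_greeting() accepts, the backend speaks cleartext MySQL first and a proxy that starts with TLS on the TCP connection cannot complete its handshake; TLS to such a backend has to be negotiated end to end by the MySQL client while NGINX forwards the raw TCP stream.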

Re: NGINX configuration with two backends (without load balancing) and NGINX - MYSQL TLS encryption

Roger Pack
Since mysql connections don't have HTTP headers to "lookup the correct
backend server group" based on, I doubt it can do #1 FWIW...I actually
know little about nginx though.
Maybe if you have it listen on various different ports (or different
IP addresses coming in?)

For #2 maybe need "listen..ssl"?
https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-tcp/
but I have no expertise, good luck!

On Wed, Nov 20, 2019 at 7:11 AM kev jr <[hidden email]> wrote:

>
> Hi all,
>
> Question 1
> Is it possible to have NGINX reverse proxy to multiple MySQL servers listening on the same port using different names like you can with http? We don't want to perform any load balancing operation on them, we just want to be able to redirect to MySQL instances based on a logical name, same as on http.
>
> Question 2
> When I try to implement TLS encryption between NGINX and MYSQL Database server, I have the following error on my MySQL Client : ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial communication packet', system error
>
> I have the following configuration : Ubuntu server with the MySQL Client // NGINX (with the configuration below) // MYSQL Database (with SSL activated)
> stream {
>     upstream mysql1 {
>         server 172.31.39.168:3306;
>   }
>     server {
>         listen     3306;
>         proxy_pass mysql1;
>         proxy_ssl  on;
>          proxy_ssl_certificate         /etc/ssl/client-cert.pem;
>          proxy_ssl_certificate_key     /etc/ssl/client-key.pem;
>          #proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
>          #proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
>         proxy_ssl_trusted_certificate /etc/ssl/ca-cert.pem;
>        proxy_ssl_verify        on;
>        proxy_ssl_verify_depth  2;
>        proxy_ssl_session_reuse on;
>     }
> }
>
> If I comment proxy_ssl* parameters on NGINX, the connection works between "Ubuntu server (with the MySQL Client)" and "MYSQL Database (with SSL activated)" through "NGINX".
>
> Thanks all
>
>