Hi,

On Wed, Nov 20, 2019 at 10:53:42AM +0000, kev jr wrote:
> Hi all,
> 
> Question 1
> Is it possible to have NGINX reverse proxy to multiple MySQL servers 
> listening on the same port using different names like you can with http? We 
> don't want to perform any load balancing operation on them, we just want to 
> be able to redirect to MySQL instances based on a logical name, same as on 
> http.

If by logical name you mean TLS SNI then it is possible.  You need to use the
ssl preread module:

http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html#ssl_preread

> Question 2
> When I try to implement TLS encryption between NGINX and MYSQL Database 
> server, I have the following error on my MySQL Client : ERROR 2013 (HY000): 
> Lost connection to MySQL server at 'reading initial communication packet', 
> system error
> 
> I have the following configuration : Ubuntu server with the MySQL Client // 
> NGINX (with the configuration below) // MYSQL Database (with SSL activated)
> stream {
> 
>     upstream mysql1 {
>         server 172.31.39.168:3306;
>     }
> 
>     server {
>         listen     3306;
>         proxy_pass mysql1;
>         proxy_ssl  on;
> 
>         proxy_ssl_certificate         /etc/ssl/client-cert.pem;
>         proxy_ssl_certificate_key     /etc/ssl/client-key.pem;
>         #proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
>         #proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
>         proxy_ssl_trusted_certificate /etc/ssl/ca-cert.pem;
> 
>         proxy_ssl_verify        on;
>         proxy_ssl_verify_depth  2;
>         proxy_ssl_session_reuse on;
>     }
> }
> 
> If I comment proxy_ssl* parameters on NGINX, the connection works between 
> "Ubuntu server (with the MySQL Client)" and "MYSQL Database (with SSL 
> activated)" through "NGINX".

I can only assume that the MySQL port you connect to does not expect TLS
connections.  You should probably connect to a different port when proxy_ssl
is enabled.

> 
> Thanks all
> 
> 
> 

> _______________________________________________
> nginx-devel mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx-devel


-- 
Roman Arutyunyan
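
An added example, not part of the original message: a stream configuration that routes by TLS SNI with ssl_preread, as suggested for Question 1. The hostnames, the second backend address and the "no_match" upstream are constructed for illustration. It assumes the client opens the connection with a TLS ClientHello carrying SNI, since that is the only place ssl_preread can read a name from.

```nginx
stream {

    # Map the SNI name read from the ClientHello to an upstream group.
    # Hostnames here are constructed examples.
    map $ssl_preread_server_name $mysql_backend {
        db1.example.com  mysql1;
        db2.example.com  mysql2;

        # Unknown names, and connections whose first bytes are not a
        # ClientHello (the variable is then empty), are not sent to a
        # real database.
        default          no_match;
    }

    upstream mysql1 {
        server 172.31.39.168:3306;   # backend from the original post
    }

    upstream mysql2 {
        server 192.0.2.20:3306;      # constructed address (documentation range)
    }

    upstream no_match {
        server 127.0.0.1:9;          # assumption: nothing listens here, so the connect fails
    }

    server {
        listen       3306;

        # Read the ClientHello without terminating TLS.
        ssl_preread  on;

        # No proxy_ssl here: the client's TLS stream is passed through
        # unchanged, so the selected backend must terminate TLS itself.
        proxy_pass   $mysql_backend;
    }
}
```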