服务端
ssl>openssl req -new -text -out server.req -subj '/C=CN/ST=Zhejiang/L=Hangzhou/O=dbpaas/CN=dbpaas-ip-port' -passout pass:'xxx'
-passout 指定对输出的私钥文件（privkey.pem）进行加密的口令
- 去掉私钥上的口令（passphrase），否则服务端启动时无法读取该私钥
ssl>openssl rsa -in privkey.pem -out server.key -passin pass:'xxx'
-passin 指定读取输入文件（带口令的私钥）所需的口令
rm -f privkey.pem
- turn the certificate into a self-signed certificate and to copy the key and certificate to where the server will look for them
ssl>openssl req -x509 -in server.req -text -key server.key -out server.crt
- 收紧私钥文件权限，仅允许属主读写
chmod 600 server.key
- 将证书和私钥移动到数据目录
mv -f server.crt server.key $PGDATA
- 修改数据库的 SSL 相关参数
ssl = on
ssl_cert_file = 'server.crt' # (change requires restart)
ssl_key_file = 'server.key'
下面两个参数保持 PG 默认值即可，无需修改
ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' # allowed SSL ciphers
# (change requires restart)
ssl_renegotiation_limit = 512MB # amount of data between renegotiations
- 重启数据库
pg_ctl restart -m fast
重启后用 psql 连接，会显示 SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
create extension sslinfo;
CREATE EXTENSION
digoal=# select ssl_is_used();
ssl_is_used
-------------
t
(1 row)
digoal=# select ssl_cipher();
ssl_cipher
--------------------
DHE-RSA-AES256-SHA
(1 row)
digoal=# select ssl_version();
ssl_version
-------------
TLSv1
(1 row)
客户端
强制使用 SSL 连接：
psql "sslmode=require" -h 172.16.3.33 -p 1999 -U postgres -d pg
不使用 SSL 连接：
psql "sslmode=disable" -h 172.16.3.33 -p 1999 -U postgres -d pg
注意
- 只需在主库上生成证书和私钥即可；凡是通过 basebackup 搭建的备库都会一并拷贝 $PGDATA 中的这两个文件
参考: https://github.com/digoal/blog/blob/master/201305/20130522_01.md https://www.jianshu.com/p/15b1d935a44b