To encrypt the connection between a MySQL client and a MySQL server, run two instances of stunnel: one on the client side and the other on the remote MySQL server side.
Here are the steps.
# wget http://www.stunnel.org/download/stunnel/src/stunnel-4.27.tar.gz
# rpmbuild -ta stunnel-4.27.tar.gz
# rpm -ivh /usr/src/redhat/RPMS/stunnel-4.27-1.i386.rpm
Create the stunnel.pem certificate on the server side
# openssl genrsa -out privkey.pem 2048
# openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
# cat privkey.pem cacert.pem >> /etc/stunnel/stunnel.pem
Set the proper permissions on the resulting private key:
# chmod 0400 /etc/stunnel/stunnel.pem
Set the proper ownership of the stunnel chroot directory
# chown nobody:nobody /var/run/stunnel
Edit the stunnel configuration.
/etc/stunnel/stunnel.conf:
cert = /etc/stunnel/stunnel.pem
chroot = /var/run/stunnel/
pid = /stunnel.pid
setuid = nobody
setgid = nobody
[mysql]
# Ensure the 'connect' line matches your MySQL port. Default is 3306
accept = 3307
connect = 127.0.0.1:3306
Start the stunnel server
# stunnel
Check that it is running properly
# ps axu | grep stunnel
nobody 7800 0.0 0.0 3800 972 ? Ss 11:52 0:00 stunnel
# netstat -pln | grep :3307
tcp 0 0 0.0.0.0:3307 0.0.0.0:* LISTEN 7800/stunnel
On the client side
Edit /etc/stunnel/stunnel.conf
client = yes
[mysql]
accept = 127.0.0.1:3306
# Replace SERVER with the address of the server set up previously
connect = SERVER:3307
Start the stunnel client
# stunnel
Now test the MySQL client connection
# mysql -h CLIENT -u YOURDBUSER -p
where CLIENT = 127.0.0.1, the local address on which the stunnel client accepts connections and forwards them over TLS to SERVER:3307
done 🙂
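As an added check that is not part of the original post: the client configuration above encrypts the hop to SERVER:3307 but carries no verify/CAfile option, so the stunnel client accepts any server certificate. The script below parses stunnel.conf and flags client-mode services in that state; the CAfile path in the hardened sample is an assumption (cacert.pem being the self-signed certificate created on the server and copied to the client).

```python
import re
# Constructed sample: the client-side stunnel.conf shown above. It encrypts the
# hop to SERVER:3307 but never checks whose certificate it is talking to.
CLIENT_CONF_UNVERIFIED = """\
client = yes
[mysql]
accept = 127.0.0.1:3306
connect = SERVER:3307
"""
# Same service with verification on (CAfile path assumed; cacert.pem is the
# self-signed certificate created on the server, copied to the client).
CLIENT_CONF_VERIFIED = """\
client = yes
verify = 2
CAfile = /etc/stunnel/cacert.pem
[mysql]
accept = 127.0.0.1:3306
connect = SERVER:3307
"""

def parse_stunnel_conf(text):
    """Return (global_options, {service: options}); option names lower-cased."""
    global_opts, services = {}, {}
    current = global_opts              # options before the first [section] are global
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":  # blank or comment line
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1).strip(), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return global_opts, services

def audit_client_services(text):
    """List client-mode services that would accept any server certificate."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}  # per-service options override global ones
        if eff.get("client", "no").lower() != "yes":
            continue
        level = int(eff.get("verify", "0"))
        if level < 2:
            findings.append(f"[{name}]: verify = {level}, server certificate is not checked")
        elif "cafile" not in eff and "capath" not in eff:
            findings.append(f"[{name}]: verify = {level} but no CAfile/CApath to check against")
    return findings
```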