
Starting with the release of proxysql-admin 2.0.15, the proxysql-admin 2.x series can encrypt the credentials needed to access ProxySQL and cluster nodes. This only applies to the proxysql-admin configuration; it does not change the ProxySQL config, so those credentials are still unencrypted.
The credentials file is the unencrypted file containing the usernames, passwords, hostnames, and ports needed to connect to ProxySQL and PXC (Percona XtraDB Cluster).
The proxysql-login-file tool is used to encrypt the credentials file. This encrypted file is known as a login-file. This login-file can then be used by the proxysql-admin and proxysql-status scripts.
Note: This feature requires OpenSSL v1.1.1 and above (with the exception of Ubuntu 16.04). Please see the supported platforms topic below.
Configuration Precedence
- command-line options
- the encrypted login-file options (if the login-file is used)
- the unencrypted proxysql-admin configuration file values
Example Usage
```bash
# create the credentials file
$ echo "monitor.user=monitor" > credentials.cnf
$ echo "monitor.password=password" >> credentials.cnf

# Choose a password
$ passwd="secret"

# Method (1) : Encrypt this data with --password
$ proxysql-login-file --in credentials.cnf --out login-file.cnf --password=${passwd}

# Method (2a) : Encrypt the data with --password-file
#               Sending the password via the command-line is insecure,
#               it's better to use --password-file so that the
#               password doesn't show up in the command-line
$ proxysql-login-file --in credentials.cnf --out login-file.cnf \
    --password-file=<(echo "${passwd}")

# Method (2b) : Running the command using sudo will not work with
#               bash's process substitution. In this case, sending the
#               password via stdin is another option.
$ echo "${passwd}" | sudo proxysql-login-file --in credentials.cnf --out login-file.cnf \
    --password-file=/dev/stdin

# Method (3) : The script will prompt for the password
#              if no password is provided via the command-line options.
$ proxysql-login-file --in credentials.cnf --out login-file.cnf
Enter the password:

# Remove the unencrypted credentials file
$ rm credentials.cnf

# Call the proxysql-admin script with the login-file
$ proxysql-admin --enable --login-file=login-file.cnf \
    --login-password-file=<(echo "${passwd}")

This script will assist with configuring ProxySQL for use with Percona XtraDB Cluster (currently only PXC in combination with ProxySQL is supported)
...

# Call proxysql-status with the login-file
$ proxysql-status --login-file=login-file.cnf \
    --login-password-file=<(echo "${passwd}")

............ DUMPING MAIN DATABASE ............
***** DUMPING global_variables *****
+--------------------------------------------------------------+-----------------------------+
| variable_name                                                | variable_value              |
+--------------------------------------------------------------+-----------------------------+
| mysql-default_charset                                        | utf8                        |
| ...
```
Credentials File Format
```
# --------------------------------
# This file is constructed as a set of "name=value" pairs.
# Notes:
# (1) Comment lines start with '#' and must be on separate lines
# (2) the name part
#     - The only acceptable names are shown below in this example.
#       Other values will be ignored.
# (3) The value part:
#     - This does NOT use quotes, so any quote character will be part of the value
#     - The entire line will be used (be careful with spaces)
#
# If a value is not specified here, then the default value from the
# configuration file will be used.
# --------------------------------

# --------------------------------
# proxysql admin interface credentials.
# --------------------------------
proxysql.user=admin
proxysql.password=admin
proxysql.host=localhost
proxysql.port=6032

# --------------------------------
# PXC admin credentials for connecting to a PXC node.
# --------------------------------
cluster.user=admin
cluster.password=admin
cluster.host=localhost
cluster.port=4110

# --------------------------------
# proxysql monitoring user. proxysql admin script will create
# this user in PXC to monitor a PXC node.
# --------------------------------
monitor.user=monitor
monitor.password=monitor

# --------------------------------
# Application user to connect to a PXC node through proxysql
# --------------------------------
cluster-app.user=cluster_one
cluster-app.password=passw0rd
```
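A pre-encryption check for the format rules above, as an added example (not part of proxysql-admin or the original page): it flags unknown names, quote characters, stray whitespace and inline `#` text that would silently end up inside an encrypted value. The function names, the sample input and the owner-only permission check are assumptions of this example; the accepted names are the ones in the sample file.

```sh
#!/bin/sh
# Added example (not part of proxysql-admin): lint a credentials file against
# the format rules in its header comments. Values are never printed.

lint_credentials() {
    file=$1; n=0; bad=0
    # Assumption: the plaintext file should be accessible by its owner only.
    mode=$(ls -ld -- "$file") || return 2
    case $mode in
        ????------*) ;;
        *) echo "file: accessible by group or other"; bad=1 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;                      # blank or comment line
            *=*) ;;
            *) echo "line $n: not a name=value pair"; bad=1; continue ;;
        esac
        name=${line%%=*}; value=${line#*=}
        case $name in
            proxysql.user|proxysql.password|proxysql.host|proxysql.port) ;;
            cluster.user|cluster.password|cluster.host|cluster.port) ;;
            monitor.user|monitor.password) ;;
            cluster-app.user|cluster-app.password) ;;
            *) echo "line $n: unknown name '$name' is ignored"; bad=1; continue ;;
        esac
        case $value in *\"*|*\'*)
            echo "line $n: $name: quote character becomes part of the value"; bad=1 ;;
        esac
        case $value in [[:space:]]*|*[[:space:]])
            echo "line $n: $name: leading or trailing whitespace is kept"; bad=1 ;;
        esac
        case $value in *[[:space:]]\#*)
            echo "line $n: $name: '#' after the value is not a comment"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Constructed sample input (not from a real deployment).
sample_credentials() {
    printf '%s\n' '# proxysql monitoring user' 'monitor.user=monitor' \
        'monitor.password="s3cret"' 'cluster.host=localhost ' \
        'proxysql.pass=admin' 'cluster.port=4110 # pxc node'
}

tmp=$(mktemp) && sample_credentials > "$tmp"
lint_credentials "$tmp"; echo "exit status: $?"; rm -f "$tmp"
```

A non-zero exit status means at least one finding, so the check can gate the proxysql-login-file step in a provisioning script.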
Requirements and Supported Platforms
OpenSSL 1.1.1 (and higher) is an installation requirement (with the exception of Ubuntu 16.04 (xenial), see the comment below).
- CentOS 7
The OpenSSL 1.1.1+ package must be installed. This can be installed with
yum install openssl11
This command will install OpenSSL 1.1 alongside the system installation, and the script will use the openssl11 binary.
- CentOS 8
The default version of OpenSSL is v1.1.1.
- Ubuntu 16.04 (xenial)
For Ubuntu xenial (16.04), installation of OpenSSL v1.1.1+ is not required; a purpose-built binary used for the encryption/decryption (proxysql-admin-openssl) will be installed alongside the proxysql-admin scripts.
- Ubuntu 18.04 (bionic)
The default version of OpenSSL is v1.1.1.