Gearman Experiment 
You can experiment with Gearman quickly right from the command line:
Launch the agent, the Gearman daemon:
$ sudo /usr/sbin/gearmand --daemon

Run a worker with the command-line utility gearman. The worker needs a name and can run any command-line utility. For example, you can create a worker to list the contents of a directory. The -f argument names the function the worker is providing:
$ gearman -w -f ls -- ls -lh

The last piece of the puzzle is a producer, or a job that generates lookup requests. You can generate a request with gearman, too. Again, use the -f option to spell out which service you want help from:
$ gearman -f ls < /dev/null
drwxr-xr-x@ 43 supergiantrobot staff 1.4K Nov 15 15:07 gearman-0.6.0
-rw-r--r--@ 1 supergiantrobot staff 29K Oct 1 04:44 gearman-0.6.0.tgz
-rw-r--r--@ 1 supergiantrobot staff 5.8K Nov 15 15:32 gearman.html
drwxr-xr-x@ 32 supergiantrobot staff 1.1K Nov 15 14:04 gearmand-0.10
-rw-r--r--@ 1 supergiantrobot staff 5.3K Jan 1 1970 package.xml
drwxr-xr-x 47 supergiantrobot staff 1.6K Nov 15 14:45 pecl-gearman


source (as of 25-10-2014)
http://www.ibm.com/developerworks/opens ... p-gearman/

Mimicking Ajax Call with PHP 
<?php
/*********************************************************
|
| Creates an Ajax-like request
|
*********************************************************/
function sendRequest($params, $url)
{
    $postdata = http_build_query($params);
    $opts = array('http' =>
        array(
            'method'  => 'POST',
            // Same headers a browser's XMLHttpRequest sends. A server may use
            // X-Requested-With as a hint, but any client can set it (as here),
            // so it is not an authentication or CSRF control.
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n" .
                         "X-Requested-With: XMLHttpRequest\r\n",
            'content' => $postdata
        )
    );
    $context = stream_context_create($opts);

    // Cache-busting timestamp, passed as a query parameter
    $body = file_get_contents($url . '?_=' . time(), false, $context);
    if ($body === false) {
        return null; // request failed
    }

    return json_decode($body);
}

$params = array(
    'email'      => 'me[at]example.com',
    'choCountry' => 'Mexico',
    'zip'        => '91744',
);
$url  = 'http://www.barney-example.com/subscribe';
$data = sendRequest($params, $url);



GNU Sed - Tasks 101 
// replacing commas for pipes in csv file
sed 's/,/|/g' original.csv > piped.txt

// alternate syntax to replace commas for pipes
cat original.csv | sed 's/,/|/g' > piped.txt

// printing lines that contain "Angel"
sed -n '/Angel/p' names.txt
grep "Angel" names.txt

// printing lines that contain "Angel" along with line number
cat -n names.txt | sed -n '/Angel/p'
grep -n "Angel" names.txt

// ...case-insensitive
cat -n names.txt | sed -n '/Angel/Ip'
grep -ni "Angel" names.txt




Find all files and replace single quotes with double quotes in place (note that sed's regex matching is always greedy):
find ./ -type f -exec sed -i -r "s/'playlist_us([\.a-zA-Z0-9]*)'/\"playlist_us\1\"/" {} \;


5/10/2018 - looks like the following is another way to accomplish the same crap
[acool@acool2 greenentre]$ find public/ -type f | xargs sed -i 's/\/6280\/Entre/\/6280\/greenEntre/g'

5/10/2018 - I also found the following interesting
grep -rl 'SearchString' ./ | xargs sed -i 's/REPLACESTRING/WITHTHIS/g'
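As an added example (not code from the original notes), the "grep -rl | xargs sed -i" recipe above as a function that handles file names containing spaces, skips binary files and treats SEARCH and REPLACEMENT as literal text; it assumes GNU grep, sed and xargs.

```shell
#!/bin/sh
# Added example (not from the original notes): recursive in-place replacement
# that only touches files actually containing SEARCH, passes the file list
# NUL-delimited (grep -Z / xargs -0) so odd file names are safe, and escapes
# both strings so they are taken literally by sed.
# Assumes GNU grep, sed and xargs (for -Z, -I, -i and -0/-r).

# Escape a literal string for use as a sed pattern with '|' as the delimiter.
sed_escape_pattern() {
    printf '%s' "$1" | sed 's/[][\.*^$|]/\\&/g'
}

# Escape a literal string for use as the sed replacement text.
sed_escape_replacement() {
    printf '%s' "$1" | sed 's/[\&|]/\\&/g'
}

# replace_in_tree DIR SEARCH REPLACEMENT
replace_in_tree() {
    dir=$1
    pat=$(sed_escape_pattern "$2")
    rep=$(sed_escape_replacement "$3")
    # -r recursive, -l list names, -I skip binaries, -Z NUL-terminate, -F literal
    grep -rlIZF -- "$2" "$dir" | xargs -0 -r sed -i "s|$pat|$rep|g"
}

# Count files under DIR that still contain SEARCH (0 after a successful run).
remaining_matches() {
    grep -rlIF -- "$2" "$1" | wc -l
}
```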


Load Balancing Riak with Keepalived (Draft) 
This is a working draft, like lots of things on this site. For dev purposes firewalld was turned off.

Cluster VIP:172.16.1.213

TODO: VRRP failover setup for load balancer (keepalived)
ALSO: It looks like I configured net.ipv4.ip_forward=1 in the load balancer but failed to document it; check this when doing a new load balancer.

#####################Edge01 Configuration (loadbalancer 1)#########################
//keepalived.conf
! Configuration File for keepalived

global_defs {
    # notification_email {
    #     me[at]example.net
    # }
    # notification_email_from not-replay[at]example.net
    # smtp_server 192.168.200.1
    # smtp_connect_timeout 30
    router_id LVS_DEVEL
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        # 172.16.1.213
        # 172.16.1.254
    }
}

virtual_server 172.16.1.213 8098 {
    delay_loop 6
    lb_algo wlc
    lb_kind DR
    nat_mask 255.255.255.0
    persistence_timeout 50
    protocol TCP

    real_server 172.16.1.113 8098 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 8098
        }
    }

    real_server 172.16.1.112 8098 {
        weight 100
        TCP_CHECK {
            connect_timeout 3
            connect_port 8098
        }
    }

    real_server 172.16.1.111 8098 {
        weight 100
        TCP_CHECK {
            connect_timeout 3
            connect_port 8098
        }
    }
}

//ifconfig (secondary address for VIP)
[acool@edge01 ~]$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:24:54:3A:66:4D
inet addr:172.16.1.200 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::224:54ff:fe3a:664d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:385 errors:0 dropped:0 overruns:0 frame:0
TX packets:243 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:37042 (36.1 KiB) TX bytes:35302 (34.4 KiB)

eth0:0 Link encap:Ethernet HWaddr 00:24:54:3A:66:4D
inet addr:172.16.1.213 Bcast:172.16.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:240 (240.0 b) TX bytes:240 (240.0 b)

[acool@edge01 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:24:54:3a:66:4d brd ff:ff:ff:ff:ff:ff
inet 172.16.1.200/24 brd 172.16.1.255 scope global eth0
inet 172.16.1.213/24 brd 172.16.1.255 scope global secondary eth0:0
inet6 fe80::224:54ff:fe3a:664d/64 scope link
valid_lft forever preferred_lft forever


#####################Real Server 2 ( 99% same output for other real servers) #########################
//DR-IPVS file
#!/bin/bash
# Real-server side of LVS direct routing (DR): the VIP is bound to the
# loopback so this host accepts packets addressed to it, while the ARP
# sysctls stop it from answering ARP for the VIP (only the director may).

VIP=172.16.1.213

/sbin/ifconfig lo down
/sbin/ifconfig lo up
# arp_ignore=1: only answer ARP requests for addresses configured on the
# interface the request arrived on, so the VIP on lo is never claimed via ens1.
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
# arp_announce=2: pick the best local address as ARP source, never the VIP.
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

# Bind the VIP as a /32 on a loopback alias and add the host route for it.
/sbin/ifconfig lo:1 $VIP netmask 255.255.255.255 up
/sbin/route add -host $VIP dev lo:1

exit 0

//ifconfig
[acool@app02 ~]$ ifconfig
ens1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.1.112 netmask 255.255.255.0 broadcast 172.16.1.255
inet6 fe80::216:d4ff:fe45:8ae1 prefixlen 64 scopeid 0x20<link>
ether 00:16:d4:45:8a:e1 txqueuelen 1000 (Ethernet)
RX packets 564 bytes 53931 (52.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 1
TX packets 428 bytes 57911 (56.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 13 bytes 1360 (1.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13 bytes 1360 (1.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo:1: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 172.16.1.213 netmask 255.255.255.255
loop txqueuelen 0 (Local Loopback)

[acool@app02 ~]$
[acool@app02 ~]$
[acool@app02 ~]$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 172.16.1.213/32 scope global lo:1
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:16:d4:45:8a:e1 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.112/24 brd 172.16.1.255 scope global ens1
valid_lft forever preferred_lft forever
inet6 fe80::216:d4ff:fe45:8ae1/64 scope link
valid_lft forever preferred_lft forever



edge01 verification (keepalived load balancer):
[acool@edge01 ~]$
[acool@edge01 ~]$
[acool@edge01 ~]$ sudo ipvsadm
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 172.16.1.213:8098 wlc persistent 50
-> 172.16.1.111:8098 Route 100 1 0
-> 172.16.1.112:8098 Route 100 0 0
-> 172.16.1.113:8098 Route 1 0 0
[acool@edge01 ~]$
[acool@edge01 ~]$
[acool@edge01 ~]$


Riak ring verification:
[acool@app02 ~]$
[acool@app02 ~]$
[acool@app02 ~]$ sudo riak-admin member_status
================================= Membership ==================================
Status Ring Pending Node
-------------------------------------------------------------------------------
valid 32.8% -- 'riak@172.16.1.111'
valid 32.8% -- 'riak@172.16.1.112'
valid 34.4% -- 'riak@172.16.1.113'
-------------------------------------------------------------------------------
Valid:3 / Leaving:0 / Exiting:0 / Joining:0 / Down:0
[acool@app02 ~]$
[acool@app02 ~]$
[acool@app02 ~]$
[acool@app02 ~]$ sudo riak-admin ring-status
================================== Claimant ===================================
Claimant: 'riak@172.16.1.113'
Status: up
Ring Ready: true

============================== Ownership Handoff ==============================
No pending changes.

============================== Unreachable Nodes ==============================
All nodes are up and reachable

[acool@app02 ~]$


Finally, storing data in Riak:
Angels-Mac-mini:~ webmaster$ curl -v -XPUT 172.16.1.213:8098/buckets/test-bucket/keys/friends?returnbody=true  -H "Content-Type: application/json" -d '{"Name":"Angel Cool"}'


Fetching data:
http://172.16.1.213:8098/buckets/test-bucket/keys/friends


Or using any of the real servers:
http://172.16.1.111:8098/buckets/test-bucket/keys/friends


Adding another node at a later time:
[webmaster@dev ~]$ sudo riak-admin cluster join riak@172.16.1.111
[webmaster@dev ~]$ sudo riak-admin cluster plan
[webmaster@dev ~]$ sudo riak-admin cluster commit


If plan does not look good:
[webmaster@dev ~]$ sudo riak-admin cluster clear



Riak must be bound to all interfaces: 0.0.0.0:8098

[aesteban@localhost ~]$ 
[aesteban@localhost ~]$ riak-admin status | grep riak_kv_version
riak_kv_version : <<"1.4.7-0-g5daeedd">>
[aesteban@localhost ~]$
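As an added example (not part of the original notes), a check that the IPVS real-server pool on edge01 and the Riak ring membership agree, so a node joined to the ring without a matching real_server entry in keepalived.conf (or the reverse) is caught. It parses the plain text of sudo ipvsadm and sudo riak-admin member_status; the embedded samples are constructed from the session above.

```shell
#!/bin/sh
# Added example, not part of the original notes: compare the IPVS real-server
# pool with the Riak ring so that pool/ring drift shows up. Inputs are the
# text output of 'sudo ipvsadm' and 'sudo riak-admin member_status'.
# The two samples below are constructed from the session above.

IPVSADM_SAMPLE='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  172.16.1.213:8098 wlc persistent 50
  -> 172.16.1.111:8098            Route   100    1          0
  -> 172.16.1.112:8098            Route   100    0          0
  -> 172.16.1.113:8098            Route   1      0          0'

MEMBER_STATUS_SAMPLE=$(cat <<'EOF'
================================= Membership ==================================
Status     Ring    Pending    Node
-------------------------------------------------------------------------------
valid      32.8%      --      'riak@172.16.1.111'
valid      32.8%      --      'riak@172.16.1.112'
valid      34.4%      --      'riak@172.16.1.113'
-------------------------------------------------------------------------------
Valid:3 / Leaving:0 / Exiting:0 / Joining:0 / Down:0
EOF
)

# Real-server IPs from ipvsadm output: lines like "-> 172.16.1.111:8098 Route 100 1 0".
ipvs_real_servers() {
    printf '%s\n' "$1" |
        awk '$1 == "->" && $2 ~ /^[0-9.]+:[0-9]+$/ { sub(/:.*/, "", $2); print $2 }' | sort
}

# Node IPs of valid members from member_status: "valid 32.8% -- 'riak@172.16.1.111'".
riak_ring_members() {
    printf '%s\n' "$1" |
        awk '$1 == "valid" && $4 ~ /riak@/ { gsub(/[^0-9.]/, "", $4); print $4 }' | sort
}

# Print "ipvs IP" for pool members missing from the ring and "ring IP" for
# ring members missing from the pool; no output means the two agree.
pool_ring_drift() {
    {
        ipvs_real_servers "$1" | sed 's/^/ipvs /'
        riak_ring_members "$2" | sed 's/^/ring /'
    } | awk 'NF == 2 { seen[$2]++; where[$2] = $1 }
             END { for (ip in seen) if (seen[ip] == 1) print where[ip], ip }' | sort
}

if [ -z "$(pool_ring_drift "$IPVSADM_SAMPLE" "$MEMBER_STATUS_SAMPLE")" ]; then
    echo "IPVS pool matches the Riak ring"
fi
```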



Restrict SFTP Users to Home Folder 
Here is a guide for setting up SFTP users whose access is restricted to their home directory.

Add the following to the end of the /etc/ssh/sshd_config file:
Subsystem sftp internal-sftp

# This section must be placed at the very end of sshd_config
Match Group sftponly
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

This means that all users in the ‘sftponly’ group will be chroot’d to their home directory, where the only thing they can run is the internal SFTP server.

Now you can create the group sftponly by running the following command:
$ groupadd sftponly

Set a user’s group:
$ usermod steve -g sftponly

To deny SSH shell access, run the following command:
$ usermod steve -s /bin/false

And set the user’s home directory:
$ usermod steve -d /folder

Finally, you probably need to restart SSH:
$ service ssh restart

The SSH part should now be in order, but you should make sure that file permissions also are correct. If the chroot environment is in a user’s home directory both /home and /home/username must be owned by root and should have permissions along the lines of 755 or 750.

In other words, every folder leading up to and including the home folder must be owned by root, otherwise you will get the following error after logging in:

Write failed: Broken pipe
Couldn't read packet: Connection reset by peer



--------------------------------------------------
Credit (link as of 8-22-2014):
https://bensmann.no/restrict-sftp-users-to-home-folder/
Thanks Mr. Bensmann

NOTE: It's on my bucket list to test this.

CentOS 7.- Using FirewallD instead of IPtables ..changes, changes and more changes. 

Presentation

Firewalld is the new userland firewall interface in RHEL 7. It replaces the iptables interface and talks to the netfilter kernel code. Its main improvement to rule management is that configuration changes can be applied without dropping current connections.

To know if Firewalld is running, type:

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago
   ...

or alternatively:

# firewall-cmd --state
running

Note: If Firewalld is not running, the command displays not running.

If you’ve got several network interfaces in IPv4, you will have to activate ip_forwarding.
To do that, paste the following line in the /etc/sysctl.conf file:

net.ipv4.ip_forward=1

Then, activate the configuration:

# sysctl -p

Although Firewalld is the RHEL 7 way to deal with firewalls and provides many improvements, iptables can still be used.

Zone management

Firewalld also introduces the concept of zones: all network interfaces can sit in the same default zone or be split across different zones according to the levels of trust you define.

To get the default zone, type:

# firewall-cmd --get-default-zone
public

To get the list of zones where you’ve got network interfaces assigned to, type:

# firewall-cmd --get-active-zones
public
interfaces: eth0

To get the list of all the available zones, type:

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

To get all the details about the public zone, type:

# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

To change the default zone to home permanently, type:

# firewall-cmd --set-default-zone=home
success

Network interfaces can be assigned to a zone in a temporary (until the next reboot or reload) or permanent way.

To assign the eth0 network interface temporarily to the internal zone, type:

# firewall-cmd --zone=internal --change-interface=eth0
success

To assign the eth0 network interface permanently to the internal zone (a file called internal.xml is created in the /etc/firewalld/zones directory), type:

# firewall-cmd --permanent --zone=internal --change-interface=eth0
success

To know which zone is associated with the eth0 interface, type:

# firewall-cmd --get-zone-of-interface=eth0
internal

Service management

After assigning each network interface to a zone, it is now possible to add services to each zone.
To allow the http service permanently in the internal zone, type:

# firewall-cmd --permanent --zone=internal --add-service=http
success
# firewall-cmd --reload

Note1: Type --remove-service=http to deny the http service.
Note2: The firewall-cmd --reload command is necessary to activate the change. Contrary to the --complete-reload option, current connections are not stopped.

To get the list of services in the default zone, type:

# firewall-cmd --list-services
dhcpv6-client ssh

Note: To get the list of the services in a particular zone, add the --zone= option.

Service firewall configuration

With the Firewalld package, the firewall configuration of the main services (ftp, httpd, etc) comes in the /usr/lib/firewalld/services directory. But it is still possible to add new ones in the /etc/firewalld/services directory. Also, if files exist at both locations for the same service, the file in the /etc/firewalld/services directory takes precedence.

This is the case for the HAProxy service, for example: no firewall service definition ships for it.
Create /etc/firewalld/services/haproxy.xml and paste the following lines:

<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>HAProxy</short>
 <description>HAProxy load-balancer</description>
 <port protocol="tcp" port="80"/>
</service>

Assign the correct SELinux context and file permissions to the haproxy.xml file:

# cd /etc/firewalld/services
# restorecon haproxy.xml
# chmod 640 haproxy.xml

Add the HAProxy service to the default zone permanently and reload the firewall configuration:

# firewall-cmd --permanent --add-service=haproxy
# firewall-cmd --reload

Port management

Port management follows the same model as service management.

To allow the 443/tcp port temporarily in the internal zone, type:

# firewall-cmd --zone=internal --add-port=443/tcp
success
# firewall-cmd --reload

Note: type --remove-port=443/tcp to deny the port.

To get the list of ports open in the internal zone, type:

# firewall-cmd --zone=internal --list-ports
443/tcp

Masquerading

If your firewall is your network gateway and you don’t want everybody to know your internal addresses, you can set up two zones, one called internal, the other external, and configure masquerading on the external zone. This way, all packets will get your firewall ip address as source address.

To set up masquerading on the external zone, type:

# firewall-cmd --zone=external --add-masquerade

Note1: To remove masquerading, use the --remove-masquerade option.
Note2: To know if masquerading is active in a zone, use the --query-masquerade option.

Port forwarding

In addition to masquerading, you may want to use port forwarding.
If you want all packets intended for port 22 to be forwarded to port 3753 instead, type:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753

Note1: To remove port forwarding, use the --remove-forward-port option.
Note2: To know if port forwarding is active in a zone, use the --query-forward-port option.
Also, if you want to define the destination ip address, type:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753:toaddr=10.0.0.1

Direct rules

It is still possible to set specific rules by using the direct mode (here to open the tcp port 9000), which bypasses the Firewalld interface:

# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
success
# firewall-cmd --reload

Note: This last example has been borrowed from Khosro Taraghi’s blog.

To display all the direct rules added, type:

# firewall-cmd --direct --get-all-rules

Sources: RHEL7 Security Guide, wiki Fedora project.



All credit to:
http://www.certdepot.net/rhel7-get-started-firewalld/

..thanks guys :)

JS cookies for everyone!! 
Javascript functions for cookies 2.0


var cookie = {
    // Store NAME=VALUE for the whole site (path=/); EXPIRE is a number of days.
    // Without EXPIRE the cookie is a session cookie (dropped when the browser closes).
    // No Secure or SameSite attribute is set here, and HttpOnly cannot be set from
    // script at all; add "; Secure; SameSite=Lax" for anything sensitive.
    put: function(name, value, expire) {
        var expires = "";

        if (expire) {
            var date = new Date();
            date.setTime(date.getTime() + (expire * 24 * 60 * 60 * 1000));
            expires = "; expires=" + date.toUTCString();
        }

        // Encode the value so ';', '=' and non-ASCII characters cannot break the cookie string.
        document.cookie = name + "=" + encodeURIComponent(value) + expires + "; path=/";
    },

    // Return the decoded value of NAME, or null when it is not set.
    get: function(name) {
        var nameEQ = name + "=";
        var ca = document.cookie.split(';');

        for (var j = 0; j < ca.length; j++) {
            var c = ca[j];

            // Strip the space that follows each ';' separator.
            while (c.charAt(0) == ' ')
                c = c.substring(1, c.length);

            if (c.indexOf(nameEQ) == 0)
                return decodeURIComponent(c.substring(nameEQ.length, c.length));
        }

        return null;
    },

    // Expire the cookie immediately by giving it a date in the past (-1 day).
    delete: function(name) {
        this.put(name, '', -1);
    }
};



MySQL – Generating Row Number for Each Row Using Variables in Query. (Ranking query results) 
Ranking field for result sets.

MySQL does not have any system function like SQL Server’s row_number () to generate the row number for each row. However, it can be generated using the variable in the SELECT statement.

The following table has five rows.

CREATE TABLE mysql_testing(db_names VARCHAR(100));
INSERT INTO mysql_testing
SELECT 'SQL Server' UNION ALL
SELECT 'MySQL' UNION ALL
SELECT 'Oracle' UNION ALL
SELECT 'MongoDB' UNION ALL
SELECT 'PostGreSQL';


Now you can generate the row number using a variable in two methods

Method 1 : Set a variable and use it in a SELECT statement
SET @row_number:=0;
SELECT @row_number:=@row_number+1 AS row_number,db_names FROM mysql_testing
ORDER BY db_names;


Method 2 : Use a variable as a table and cross join it with the source table

SELECT @row_number:=@row_number+1 AS rank,db_names FROM mysql_testing,
(SELECT @row_number:=0) AS t
ORDER BY db_names;


Both the above methods return the following result

row_number db_names
1 MongoDB
2 MySQL
3 Oracle
4 PostGreSQL
5 SQL Server

//source (as of 6-2-2014)
http://blog.sqlauthority.com/2014/03/08 ... -variable/

//my 2 cents -ac
select @rn := @rn+1 AS RANK, t1.* from (
    select * from Franchises limit 500
) t1, (SELECT @rn:=0) t2;




GPG Basic Tasks 
//encrypting a message
gpg -r "destination_email@example.net" --encrypt --armor
"message"
enter+ctrl+d

//decrypting a message
gpg --decrypt
"armored message"
ctrl+d

//importing public/private keys
gpg --import "key-name"

//listing keys
gpg -k
gpg -K

//create new key pair
gpg --gen-key


[acool@localhost ~]$ date
Fri Apr 12 12:44:41 PM PDT 2024
[acool@localhost ~]$
[acool@localhost ~]$ gpg --list-keys
...


MySQL SSL Setup 
//Server and client "Common Name" in the certificates must differ from the CA's:
http://stackoverflow.com/questions/2045 ... 4#23599624

1.- generate CA key and certificate (2 commands create 2 files)
openssl genrsa 2048 > ca.key                                        # creates ca.key
openssl req -new -x509 -nodes -days 3600 -key 'ca.key' > 'ca.crt'   # creates the CA certificate


2.- generate server key and signed certificate (2 commands create 3 files)
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout 'server.key' > 'server.csr'                        # creates key and csr
openssl x509 -req -in 'server.csr' -days 3600 -CA 'ca.crt' -CAkey 'ca.key' -set_serial 01 > 'server.crt'   # creates certificate


3.- generate client key and certificate (2 commands create 3 files)
openssl req -newkey rsa:2048 -days 3600 -nodes -keyout 'client.key' > 'client.csr'                        # creates key and csr
openssl x509 -req -in 'client.csr' -days 3600 -CA 'ca.crt' -CAkey 'ca.key' -set_serial 02 > 'client.crt'   # serial must differ from the server cert's


4.- create SSL user:
GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'secret-passwd' REQUIRE SSL;


5.- update my.cnf

[mysqld]
ssl-ca = "ca.crt"
ssl-cert = "server.crt"
ssl-key = "server.key"

[client]
ssl-ca=ca.crt
ssl-cert=client.crt
ssl-key=client.key



//MySQL workbench, use: ca.crt, client.crt and client.key without password:
openssl rsa -in client.key -out client-nopasswd.key
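As an added example (not part of the original notes), steps 1 to 3 above run non-interactively with -subj so the CA, server and client certificates get three different Common Names and the two leaf certificates different serials, followed by the verification the notes leave out. The CN values are made up.

```shell
#!/bin/sh
# Added example, not part of the original notes: generate the CA, server and
# client certificates used in my.cnf with distinct CNs and serials, then verify
# them the way a MySQL server or client would (chain to ca.crt, CN differs from
# the CA's). Usage: make_mysql_ssl_certs DIR && verify_mysql_ssl_certs DIR

# Subshell body so 'cd' and 'set -e' do not leak into the caller.
make_mysql_ssl_certs() (
    set -e
    mkdir -p "$1"
    cd "$1"
    # 1. CA key and self-signed CA certificate (made-up CN)
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 3600 -key ca.key -out ca.crt \
        -subj '/CN=example-mysql-ca' 2>/dev/null
    # 2. server key + CSR, signed by the CA with serial 01
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj '/CN=mysql-server.example' 2>/dev/null
    openssl x509 -req -in server.csr -days 3600 -CA ca.crt -CAkey ca.key \
        -set_serial 01 -out server.crt 2>/dev/null
    # 3. client key + CSR, signed with a different serial (02)
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj '/CN=mysql-client.example' 2>/dev/null
    openssl x509 -req -in client.csr -days 3600 -CA ca.crt -CAkey ca.key \
        -set_serial 02 -out client.crt 2>/dev/null
)

# Verify each leaf against the CA, check its subject differs from the CA's
# (the Stack Overflow rule quoted above) and check the two leaf serials differ.
verify_mysql_ssl_certs() {
    dir=$1
    ca_subject=$(openssl x509 -noout -subject -in "$dir/ca.crt") || return 1
    for leaf in server client; do
        openssl verify -CAfile "$dir/ca.crt" "$dir/$leaf.crt" >/dev/null 2>&1 || return 1
        [ "$(openssl x509 -noout -subject -in "$dir/$leaf.crt")" != "$ca_subject" ] || return 1
    done
    [ "$(openssl x509 -noout -serial -in "$dir/server.crt")" != \
      "$(openssl x509 -noout -serial -in "$dir/client.crt")" ]
}
```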





2024 By Angel Cool