The following steps use OpenSSL to secure database connections on Ubuntu, with MySQL and PostgreSQL as examples.

Install OpenSSL:

```shell
sudo apt update && sudo apt install openssl
```
Generate a private CA, then a server certificate and a client certificate signed by it. Each `openssl x509 -req` needs the CSR passed with `-in`, and the server and client certificates must carry different serial numbers under the same CA. When prompted for the subject, give the CA, the server and the client different Common Names: MySQL rejects a server certificate whose subject is identical to the CA's.

```shell
# CA key and self-signed CA certificate
openssl genrsa -out ca-key.pem 2048
openssl req -new -x509 -days 3650 -key ca-key.pem -out ca-cert.pem

# Server key, CSR, and certificate signed by the CA
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-req.pem
openssl x509 -req -days 3650 -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Client key, CSR, and certificate signed by the CA (distinct serial from the server)
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-req.pem
openssl x509 -req -days 3650 -in client-req.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
```
MySQL: move the CA certificate, server certificate and server key into a directory owned by the `mysql` user and readable only by it:

```shell
sudo mkdir -p /etc/mysql/ssl
sudo mv ca-cert.pem server-cert.pem server-key.pem /etc/mysql/ssl/
sudo chown -R mysql:mysql /etc/mysql/ssl
sudo chmod 600 /etc/mysql/ssl/*.pem
```
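The script below is an added example (not part of the original page) that performs the certificate generation above non-interactively and then verifies the result: both leaf certificates chain to the CA, the three subjects differ, the two serials differ, and every private key is mode 600. It uses `-CAcreateserial` instead of hand-picked `-set_serial` values so each issued certificate automatically gets a unique serial. The Common Names, the function names and the output directory argument are placeholders of my own choosing.

```shell
#!/bin/sh
# Added example: build a private CA plus server and client certificates for a
# database server, then check the properties MySQL and PostgreSQL depend on.
# Subject names, function names and paths are placeholders.
set -eu

# Generate CA, server and client key/certificate pairs into directory $1.
make_db_certs() {
    dir="$1"
    mkdir -p "$dir"
    # CA: self-signed. Its subject must differ from the server and client
    # subjects, otherwise MySQL refuses the certificate files at startup.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example DB CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null
    # Server: CSR, then sign with the CA. -CAcreateserial keeps a serial file
    # next to the CA certificate so every issued certificate gets a new serial.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=db-server.example.internal" \
        -keyout "$dir/server-key.pem" -out "$dir/server-req.pem" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/server-req.pem" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/server-cert.pem" 2>/dev/null
    # Client: same flow with its own subject; the serial file is incremented.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=db-client" \
        -keyout "$dir/client-key.pem" -out "$dir/client-req.pem" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/client-req.pem" \
        -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
        -out "$dir/client-cert.pem" 2>/dev/null
    # Private keys readable by their owner only; PostgreSQL refuses to start
    # with a group- or world-readable server key.
    chmod 600 "$dir"/*-key.pem
}

# Return 0 when the certificates in $1 are usable: both leaves chain to the CA,
# the subjects are pairwise distinct, the serials differ, keys are mode 600.
verify_db_certs() {
    dir="$1"
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/client-cert.pem" >/dev/null 2>&1 || return 1
    ca_subj=$(openssl x509 -noout -subject -in "$dir/ca-cert.pem")
    srv_subj=$(openssl x509 -noout -subject -in "$dir/server-cert.pem")
    cli_subj=$(openssl x509 -noout -subject -in "$dir/client-cert.pem")
    [ "$ca_subj" != "$srv_subj" ] && [ "$ca_subj" != "$cli_subj" ] \
        && [ "$srv_subj" != "$cli_subj" ] || return 1
    srv_serial=$(openssl x509 -noout -serial -in "$dir/server-cert.pem")
    cli_serial=$(openssl x509 -noout -serial -in "$dir/client-cert.pem")
    [ "$srv_serial" != "$cli_serial" ] || return 1
    for k in "$dir"/*-key.pem; do
        # POSIX find -perm with an octal mode matches the exact mode.
        [ -n "$(find "$k" -perm 600)" ] || return 1
    done
}

# Usage: sh make-db-certs.sh /etc/mysql/ssl   (as root for system paths)
if [ -n "${1:-}" ]; then
    make_db_certs "$1" && verify_db_certs "$1" && echo "certificates in $1 verified"
fi
```

After running it against the MySQL or PostgreSQL certificate directory, the `chown` step from the page still applies, since the script only sets the file modes.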
Edit `/etc/mysql/my.cnf` and add the following under the `[mysqld]` section:

```ini
[mysqld]
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
require_secure_transport=ON   # force SSL connections
```
Restart MySQL and verify that SSL is available (`have_ssl` should report `YES`; to confirm that a particular session is actually encrypted, check the `Ssl_cipher` status variable, which is empty for plaintext connections):

```shell
sudo systemctl restart mysql
mysql -u root -p --ssl-ca=/etc/mysql/ssl/ca-cert.pem -e "SHOW VARIABLES LIKE 'have_ssl';"
```
PostgreSQL: place the certificate files (`server.crt`, `server.key`, `ca.crt`) in `/var/lib/postgresql/data/` or a path of your choice. The key file must be owned by the `postgres` user with mode 0600 (or by root with mode 0640); PostgreSQL refuses to start otherwise. Then set in `postgresql.conf`:

```
ssl = on
ssl_cert_file = '/path/to/server.crt'
ssl_key_file = '/path/to/server.key'
ssl_ca_file = '/path/to/ca.crt'   # optional; required for mutual (client-certificate) authentication
```
Edit `pg_hba.conf` and add SSL connection rules. Newer PostgreSQL releases spell the client-certificate option `clientcert=verify-ca` (or `verify-full`, which additionally matches the certificate's Common Name against the database user); the `cert` method itself always requires a client certificate.

```
# allow SSL connections
hostssl all all 0.0.0.0/0 md5
# or mutual authentication (client must present a certificate)
# hostssl all all 0.0.0.0/0 cert clientcert=1
```
Restart PostgreSQL and test with the `psql` command-line tool; on success psql prints an `SSL connection` line with the negotiated protocol and cipher. Note that `sslmode=require` only encrypts the connection; to also verify the server certificate against `ca.crt`, use `sslmode=verify-ca` or `verify-full` together with `sslrootcert`.

```shell
sudo systemctl restart postgresql
psql "host=localhost port=5432 dbname=postgres user=postgres sslmode=require"
```
Edit `/etc/ssl/openssl.cnf` and set, in the `[system_default_sect]` section, a minimum protocol version and cipher policy for every program that uses the system OpenSSL (Ubuntu wires this section in by default; `CipherString` governs TLS 1.2 and older suites only, TLS 1.3 suites are selected by `Ciphersuites`):

```
MinProtocol = TLSv1.2
CipherString = HIGH:!aNULL:!MD5
```
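As an added check that is not part of the original page, the following script expands a `CipherString` exactly the way the local OpenSSL library will, and fails if any anonymous (unauthenticated) or MD5-based cipher survives the policy. It is a way to catch a typo such as a missing `!` before the value reaches a database server's TLS configuration. The function names are mine; the only tool assumed is the `openssl` binary installed above.

```shell
#!/bin/sh
# Added example: audit a CipherString via the library's own cipher expansion.
# Function names are placeholders; only the openssl CLI is assumed.
set -eu

# Read `openssl ciphers -v` output on stdin and print the name of every entry
# that uses anonymous key exchange (Au=None) or an MD5 MAC. Prints nothing
# when the list is clean.
weak_cipher_entries() {
    awk '/Au=None/ || /Mac=MD5/ { print $1 }'
}

# Expand the cipher string $1 with the local OpenSSL; return 0 when the
# resulting list is non-empty and contains no weak entries, 1 otherwise.
cipher_policy_ok() {
    list=$(openssl ciphers -v "$1") || return 1
    [ -n "$list" ] || return 1
    weak=$(printf '%s\n' "$list" | weak_cipher_entries)
    [ -z "$weak" ]
}

# Number of cipher suites the policy $1 leaves enabled; useful to notice a
# policy so strict that nothing remains for TLS 1.2 clients.
cipher_policy_count() {
    openssl ciphers "$1" | tr ':' '\n' | grep -c .
}

# Usage: sh cipher-audit.sh 'HIGH:!aNULL:!MD5'
if [ -n "${1:-}" ]; then
    if cipher_policy_ok "$1"; then
        echo "policy OK: $(cipher_policy_count "$1") suites enabled"
    else
        echo "policy rejected: weak or empty cipher list" >&2
        exit 1
    fi
fi
```

The check deliberately inspects the `Au=` and `Mac=` columns rather than the protocol column: a suite labelled `SSLv3` there (such as `AES256-SHA`) is still negotiable under TLS 1.2, so protocol floors belong in `MinProtocol`, not in the cipher list.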
Use a firewall (such as `ufw`) to restrict which hosts can reach the database ports (MySQL: 3306, PostgreSQL: 5432). On a remote server, make sure an SSH rule is in place before running `ufw enable`:

```shell
sudo ufw allow from <trusted_ip> to any port 3306
sudo ufw enable
```