joby/webserver-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

updated mysql config

Browse source
This commit is contained in:
Joby 2024-10-24 19:50:41 -06:00
parent ab66c89825
commit 91ce748da2
1 changed files with 31 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
install/mysql.sh
View file

@ -18,6 +18,18 @@ service nginx restart
# Generate SSL certificate # Generate SSL certificate
certbot certonly --webroot -w /var/www/default -d $HOSTNAME --agree-tos --register-unsafely-without-email --non-interactive certbot certonly --webroot -w /var/www/default -d $HOSTNAME --agree-tos --register-unsafely-without-email --non-interactive
# Create MySQL SSL directory
mkdir -p /etc/mysql/ssl
chmod 750 /etc/mysql/ssl
# Copy SSL certificates to MySQL directory
cp /etc/letsencrypt/live/$HOSTNAME/fullchain.pem /etc/mysql/ssl/
cp /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/mysql/ssl/
# Set proper ownership and permissions
chown -R mysql:mysql /etc/mysql/ssl
chmod 600 /etc/mysql/ssl/*
# Configure MySQL for Unix socket authentication # Configure MySQL for Unix socket authentication
mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH auth_socket;" mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH auth_socket;"
mysql -e "DELETE FROM mysql.user WHERE User='';" mysql -e "DELETE FROM mysql.user WHERE User='';"
@ -36,12 +48,25 @@ sed -i '/^\[mysqld\]/a log_error = /var/log/mysql/error.log' /etc/mysql/mysql.co
cat > /etc/mysql/mysql.conf.d/ssl.cnf << EOL cat > /etc/mysql/mysql.conf.d/ssl.cnf << EOL
[mysqld] [mysqld]
# SSL Configuration # SSL Configuration
ssl-ca=/etc/letsencrypt/live/$HOSTNAME/chain.pem ssl=ON
ssl-cert=/etc/letsencrypt/live/$HOSTNAME/cert.pem ssl_cert=/etc/mysql/ssl/fullchain.pem
ssl-key=/etc/letsencrypt/live/$HOSTNAME/privkey.pem ssl_key=/etc/mysql/ssl/privkey.pem
require_secure_transport=ON require_secure_transport=ON
EOL EOL
# Create certbot renewal hook
mkdir -p /etc/letsencrypt/renewal-hooks/post
cat > /etc/letsencrypt/renewal-hooks/post/mysql-ssl-cert-copy.sh << EOL
#!/bin/bash
cp /etc/letsencrypt/live/$HOSTNAME/fullchain.pem /etc/mysql/ssl/
cp /etc/letsencrypt/live/$HOSTNAME/privkey.pem /etc/mysql/ssl/
chown mysql:mysql /etc/mysql/ssl/*
chmod 600 /etc/mysql/ssl/*
systemctl restart mysql
EOL
chmod +x /etc/letsencrypt/renewal-hooks/post/mysql-ssl-cert-copy.sh
# Restart MySQL to apply changes # Restart MySQL to apply changes
systemctl restart mysql systemctl restart mysql
@ -59,10 +84,6 @@ action = iptables-multiport[name=mysql]
nginx-banned-ips nginx-banned-ips
EOL EOL
# Ensure fail2ban can read the MySQL log
# Note: maybe not necessary on Ubuntu, as fail2ban runs as root
# usermod -a -G adm fail2ban
# Create MySQL auth filter for fail2ban # Create MySQL auth filter for fail2ban
tee /etc/fail2ban/filter.d/mysql.conf << 'EOL' tee /etc/fail2ban/filter.d/mysql.conf << 'EOL'
[Definition] [Definition]
@ -73,4 +94,7 @@ EOL
# UFW setup # UFW setup
ufw allow 3306/tcp ufw allow 3306/tcp
# Verify SSL is enabled
mysql -e "SHOW VARIABLES LIKE '%ssl%';"
echo "MySQL installation, SSL configuration, and fail2ban setup completed." echo "MySQL installation, SSL configuration, and fail2ban setup completed."