From f1181f1121b89d32dc1ee65d6d1cebf1123981c4 Mon Sep 17 00:00:00 2001
From: bwlfhu
Date: Fri, 23 May 2025 12:55:21 +0800
Subject: [PATCH] Fix mysql tls enable (#6807)

---
 weed/command/scaffold/filer.toml | 4 +++
 weed/filer/mysql/mysql_store.go | 44 +++++++++++++++++++++++++++++---
 2 files changed, 45 insertions(+), 3 deletions(-)

diff --git a/weed/command/scaffold/filer.toml b/weed/command/scaffold/filer.toml
index c834c9689..e9f140576 100644
--- a/weed/command/scaffold/filer.toml
+++ b/weed/command/scaffold/filer.toml
@@ -54,6 +54,10 @@ enabled = false
 # dsn will take priority over "hostname, port, username, password, database".
 # [username[:password]@][protocol[(address)]]/dbname[?param1=value1&...¶mN=valueN]
 dsn = "root@tcp(localhost:3306)/seaweedfs?collation=utf8mb4_bin"
+enable_tls = false
+ca_crt = "" # ca.crt dir when enable_tls set true
+client_crt = "" # mysql client.crt dir when enable_tls set true
+client_key = "" # mysql client.key dir when enable_tls set true
 hostname = "localhost"
 port = 3306
 username = "root"
diff --git a/weed/filer/mysql/mysql_store.go b/weed/filer/mysql/mysql_store.go
index f1a246575..314bb8b2f 100644
--- a/weed/filer/mysql/mysql_store.go
+++ b/weed/filer/mysql/mysql_store.go
@@ -1,9 +1,12 @@
 package mysql
 
 import (
+ "crypto/tls"
+ "crypto/x509"
  "database/sql"
  "fmt"
  "github.com/go-sql-driver/mysql"
+ "os"
  "strings"
  "time"
 
@@ -15,7 +18,8 @@ import (
 )
 
 const (
- CONNECTION_URL_PATTERN = "%s:%s@tcp(%s:%d)/%s?collation=utf8mb4_bin"
+ CONNECTION_URL_PATTERN = "%s:%s@tcp(%s:%d)/%s?collation=utf8mb4_bin"
+ CONNECTION_TLS_URL_PATTERN = "%s:%s@tcp(%s:%d)/%s?collation=utf8mb4_bin&tls=mysql-tls"
 )
 
 func init() {
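Review bot: The comments on the new `ca_crt`, `client_crt` and `client_key` keys call each value a "dir", but mysql_store.go hands them to `os.ReadFile` and `tls.LoadX509KeyPair`, so each must be the path of the PEM file itself, and a reader following the scaffold literally will point them at a directory and get an unhelpful read error at startup. The scaffold also does not say that `enable_tls` only changes the DSN that is generated when `dsn` is empty; a user-supplied `dsn` still needs `&tls=mysql-tls` appended to it to use the registered CA and client certificate, otherwise the connection stays in plaintext even though the certificates were loaded. Suggested wording: `ca_crt = ""     # path to the CA certificate file (PEM); required when enable_tls = true`, with matching wording for `client_crt`/`client_key` ("optional; both or neither"), plus a line above `dsn`: `# when dsn is set explicitly and enable_tls = true, append "&tls=mysql-tls" to it`.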
@@ -44,11 +48,15 @@ func (store *MysqlStore) Initialize(configuration util.Configuration, prefix str
  configuration.GetInt(prefix+"connection_max_open"),
  configuration.GetInt(prefix+"connection_max_lifetime_seconds"),
  configuration.GetBool(prefix+"interpolateParams"),
+ configuration.GetBool(prefix+"enable_tls"),
+ configuration.GetString(prefix+"ca_crt"),
+ configuration.GetString(prefix+"client_crt"),
+ configuration.GetString(prefix+"client_key"),
  )
 }
 
 func (store *MysqlStore) initialize(dsn string, upsertQuery string, enableUpsert bool, user, password, hostname string, port int, database string, maxIdle, maxOpen,
- maxLifetimeSeconds int, interpolateParams bool) (err error) {
+ maxLifetimeSeconds int, interpolateParams bool, enableTls bool, caCrtDir string, clientCrtDir string, clientKeyDir string) (err error) {
 
  store.SupportBucketTable = false
  if !enableUpsert {
@@ -60,8 +68,38 @@ func (store *MysqlStore) initialize(dsn string, upsertQuery string, enableUpsert
  UpsertQueryTemplate: upsertQuery,
  }
 
+ if enableTls {
+ rootCertPool := x509.NewCertPool()
+ pem, err := os.ReadFile(caCrtDir)
+ if err != nil {
+ return err
+ }
+ if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+ return fmt.Errorf("failed to append root certificate")
+ }
+
+ clientCert := make([]tls.Certificate, 0)
+ if cert, err := tls.LoadX509KeyPair(clientCrtDir, clientKeyDir); err == nil {
+ clientCert = append(clientCert, cert)
+ }
+
+ tlsConfig := &tls.Config{
+ RootCAs: rootCertPool,
+ Certificates: clientCert,
+ MinVersion: tls.VersionTLS12,
+ }
+ err = mysql.RegisterTLSConfig("mysql-tls", tlsConfig)
+ if err != nil {
+ return err
+ }
+ }
+
  if dsn == "" {
- dsn = fmt.Sprintf(CONNECTION_URL_PATTERN, user, password, hostname, port, database)
+ pattern := CONNECTION_URL_PATTERN
+ if enableTls {
+ pattern = CONNECTION_TLS_URL_PATTERN
+ }
+ dsn = fmt.Sprintf(pattern, user, password, hostname, port, database)
  if interpolateParams {
  dsn += "&interpolateParams=true"
  }
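Review bot: The new parameters on `initialize` are named `enableTls`, `caCrtDir`, `clientCrtDir` and `clientKeyDir`; Go's initialism convention is `enableTLS`, and the three strings are file paths passed to `os.ReadFile`/`tls.LoadX509KeyPair` rather than directories, so `caCertPath`, `clientCertPath` and `clientKeyPath` would describe them accurately. The signature now carries sixteen positional parameters, several of them adjacent strings that are easy to transpose at the call site in `Initialize` without a compile error; a small struct for the TLS settings would make that call self-describing, though that is beyond this change. `initialize`'s body continues past the end of this hunk.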
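Review bot: A failure in `tls.LoadX509KeyPair(clientCrtDir, clientKeyDir)` is swallowed — the `err == nil` guard means a wrong path, unreadable file or mismatched key pair silently produces a TLS config with no client certificate, and the operator only learns of it later as a handshake or authentication error from the server, or not at all if the server does not require client certificates. Since `ca_crt` is already treated as mandatory once `enable_tls` is set (its `os.ReadFile` error is returned), the client pair should be treated the same way: optional only when both paths are empty, and a hard error otherwise. Two smaller points in the same hunk: `fmt.Errorf("failed to append root certificate")` would be more useful as `fmt.Errorf("no PEM certificates found in %q", caCrtDir)`, and `pem, err := os.ReadFile(...)` shadows the named result `err` (harmless here because every exit is an explicit `return err`, but `go vet -vettool` shadow checks will flag it). `mysql.RegisterTLSConfig` is also a process-wide registry keyed by the fixed name `"mysql-tls"` that the new DSN pattern bakes in, so if more than one MySQL store were initialised with different certificates in the same process the later registration would replace the earlier one; I have not checked whether that configuration is reachable here. The enclosing `initialize` starts before this hunk and continues after it.
```go
	clientCert := make([]tls.Certificate, 0)
	if clientCrtDir != "" || clientKeyDir != "" {
		cert, loadErr := tls.LoadX509KeyPair(clientCrtDir, clientKeyDir)
		if loadErr != nil {
			return fmt.Errorf("loading mysql client certificate %q with key %q: %w", clientCrtDir, clientKeyDir, loadErr)
		}
		clientCert = append(clientCert, cert)
	}
	// … unchanged: tls.Config construction and mysql.RegisterTLSConfig …
```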