Preventing vulnerability-scan findings: protecting TiDB port 10080
- 2024-12-13 Beijing
Word count: 11,300 characters
Reading time: about 37 minutes
Author: pepezzzz   Original source: https://tidb.net/blog/c1c55601
Background: why the management ports need caller authentication
TLS status of the cluster
After scaling the deployed TiDB cluster down to a single PD node, TLS can be enabled for the whole cluster with the tiup cluster tls clustername enable command.
[tidb@vm10-2-103-12 ~]$ tiup cluster display tidb-test1
Cluster type:       tidb
Cluster name:       tidb-test1
Cluster version:    v6.5.6
Deploy user:        tidb
SSH type:           builtin
TLS encryption:     enabled
CA certificate:     /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/ca.crt
Client private key: /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.pem
Client certificate: /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt
Dashboard URL:      https://10.2.103.12:2479/dashboard
Grafana URL:        http://10.2.103.64:3100
ID                  Role          Host          Ports        OS/Arch       Status   Data Dir                            Deploy Dir
--                  ----          ----          -----        -------       ------   --------                            ----------
10.2.103.64:9193    alertmanager  10.2.103.64   9193/9194    linux/x86_64  Up       /tidb-data-test1/alertmanager-9193  /tidb-deploy-test1/alertmanager-9193
10.2.103.64:3100    grafana       10.2.103.64   3100         linux/x86_64  Up       -                                   /tidb-deploy-test1/grafana-3100
10.2.103.12:2479    pd            10.2.103.12   2479/2480    linux/x86_64  Up|L|UI  /tidb-data-test1/pd-2479            /tidb-deploy-test1/pd-2479
10.2.103.64:9290    prometheus    10.2.103.64   9290/12220   linux/x86_64  Up       /tidb-data-test1/prometheus-9290    /tidb-deploy-test1/prometheus-9290
10.2.103.12:4100    tidb          10.2.103.12   4100/11080   linux/x86_64  Up       -                                   /tidb-deploy-test1/tidb-4100
10.2.103.28:4100    tidb          10.2.103.28   4100/11080   linux/x86_64  Up       -                                   /tidb-deploy-test1/tidb-4100
10.2.103.147:21160  tikv          10.2.103.147  21160/21180  linux/x86_64  Up       /tidb-data-test1/tikv-21160         /tidb-deploy-test1/tikv-21160
10.2.103.202:21160  tikv          10.2.103.202  21160/21180  linux/x86_64  Up       /tidb-data-test1/tikv-21160         /tidb-deploy-test1/tikv-21160
10.2.103.92:21160   tikv          10.2.103.92   21160/21180  linux/x86_64  Up       /tidb-data-test1/tikv-21160         /tidb-deploy-test1/tikv-21160
The management ports have no access control
Once TLS is enabled, ports such as PD's 2379 do verify certificates, but a scanner can still enumerate the debug/pprof endpoints of the Go components and the HTTP API endpoints of tidb-server and cdc-server, and a browser can still open them. If a security filing has to be submitted for the cluster, the security department may reject it on these findings.
Cluster certificates after enabling TLS
All nodes and components share the same CA certificate
[tidb@vm10-2-103-12 ~]$ md5sum /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/ca.crt
97eb790c1e0299fb1ffb7346f71e9fde  /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/ca.crt
[tidb@vm10-2-103-12 ~]$ md5sum /tidb-deploy-test1/pd-2479/tls/ca.crt
97eb790c1e0299fb1ffb7346f71e9fde  /tidb-deploy-test1/pd-2479/tls/ca.crt
[tidb@vm10-2-103-12 ~]$ md5sum /tidb-deploy-test1/tidb-4100/tls/ca.crt
97eb790c1e0299fb1ffb7346f71e9fde  /tidb-deploy-test1/tidb-4100/tls/ca.crt
[tidb@vm10-2-103-12 ~]$ openssl x509 -noout -subject -in /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt
subject= /O=PingCAP/OU=TiUP/OU=tiup-cluster-client/CN=tidb-test1-client
[tidb@vm10-2-103-12 ~]$ openssl x509 -text -in /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/ca.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7b:22:10:dc:75:17:cb:29:ff:bc:b0:28:60:a0:9d:16
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=PingCAP, OU=TiUP
        Validity
            Not Before: May  5 06:46:18 2024 GMT
            Not After : Apr 23 06:46:18 2074 GMT
        Subject: O=PingCAP, OU=TiUP
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e8:c7:f2:bf:7c:8d:81:76:cd:07:05:b0:00:19:...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                65:AA:D3:27:5D:EC:F3:53:C4:AE:46:8A:F1:E4:22:D1:A9:E8:DF:ED
    Signature Algorithm: sha256WithRSAEncryption
         53:58:49:d7:7c:67:ec:30:d5:59:5b:58:76:19:3c:90:58:ba:...
Each component's certificate carries its own CN (common name; look at the CN value in each certificate below) and the IP address of the node it was issued for. Because PD's cert-allowed-cn option accepts only a single value in this release, the per-component CN values that the current TiUP version issues cannot be used for a common-name check.
[tidb@vm10-2-103-12 ~]$ md5sum /tidb-deploy-test1/pd-2479/tls/pd.crt
470ab67dc5b9d1f3d4f530a2467f02d3  /tidb-deploy-test1/pd-2479/tls/pd.crt
[tidb@vm10-2-103-12 ~]$ md5sum /tidb-deploy-test1/tidb-4100/tls/tidb.crt
5c6ef0c2bf996231cccb22e6c3505b8f  /tidb-deploy-test1/tidb-4100/tls/tidb.crt
[tidb@vm10-2-103-12 ~]$ md5sum /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt
07caa98266a24ba42828f0f01217b659  /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt

[tidb@vm10-2-103-12 ~]$ openssl x509 -noout -subject -in /tidb-deploy-test1/pd-2479/tls/pd.crt
subject= /O=PingCAP/OU=pd/OU=TiUP/CN=pd
[tidb@vm10-2-103-12 ~]$ openssl x509 -noout -subject -in /tidb-deploy-test1/tidb-4100/tls/tidb.crt
subject= /O=PingCAP/OU=TiUP/OU=tidb/CN=tidb
[tidb@vm10-2-103-12 ~]$ openssl x509 -noout -subject -in /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt
subject= /O=PingCAP/OU=TiUP/OU=tiup-cluster-client/CN=tidb-test1-client

[tidb@vm10-2-103-12 tlsold]$ openssl x509 -text -in tidb.crt -noout |grep -A 1 Alternative
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, IP Address:10.2.103.12
[tidb@vm10-2-103-12 tlsold]$ openssl x509 -text -in pd.crt -noout |grep -A 1 Alternative
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, IP Address:10.2.103.12
Rebuilding the component certificates by hand
Starting from v8.4.0, PD's cert-allowed-cn configuration item accepts multiple values. You can set several Common Names in TiDB's cluster-verify-cn item and in the cert-allowed-cn items of the other components as needed. Note that TiUP uses its own identity when it queries component status: if the cluster is named test, it presents test-client as the Common Name.
For v8.3.0 and earlier, PD's cert-allowed-cn accepts only one value, so the Common Name of every party that is authenticated must be set to the same value.
Verifying the caller's identity (the Common Name in its client certificate) stops unauthorized users from reaching the management ports. On versions before v8.4.0, before the check is switched on, the component certificates must be reissued from the original CA so that every certificate carries the same commonName (TiDB in this article).
Copy the CA certificate and key on the TiUP host.
[tidb@vm10-2-103-12 ~]$ cd /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/
[tidb@vm10-2-103-12 tls]$ ls
ca.crt  ca.pem  client.crt  client.pem  client.pfx
[tidb@vm10-2-103-12 tls]$ mkdir ~/tidbcrt
[tidb@vm10-2-103-12 tls]$ cp ca.crt ~/tidbcrt/
[tidb@vm10-2-103-12 tls]$ cp ca.pem ~/tidbcrt/
[tidb@vm10-2-103-12 tls]$ cd ~/tidbcrt/
[tidb@vm10-2-103-12 tidbcrt]$ ls
ca.crt  ca.pem
[tidb@vm10-2-103-12 crt]$ cp /etc/pki/tls/openssl.cnf openssl_tidb.cnf
[tidb@vm10-2-103-12 crt]$ vi openssl_tidb.cnf
Edit the req_distinguished_name, req_extensions and subjectAltName sections of the copied openssl.cnf by hand.
Because issuing one certificate per component by hand is tedious, this example puts the IP addresses of every cluster node into subjectAltName and uses one common name, so that all components share a single certificate. If the cluster was deployed with hostnames, add every hostname as a DNS entry as well. commonName_default is set to TiDB. Sharing one key pair across all components is a trade-off: it keeps the procedure short, but a key copied off any single node lets an attacker impersonate every component and the TiUP client; issuing one certificate per component with the same CN avoids that at the cost of one issuance per node.
[tidb@vm10-2-103-12 tidbcrt]$ cat openssl_tidb.cnf |grep -v ^$|grep -v ^#
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
oid_section             = new_oids
[ new_oids ]
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
[ ca ]
default_ca      = CA_default            # The default ca section
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extentions to add to the cert
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # use SHA-256 by default
preserve        = no                    # keep passed DN ordering
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
default_bits            = 2048
default_md              = sha256
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = PingCAP
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = TiUP
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_default              = TiDB
commonName_max                  = 64
[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.0.1
IP.2 = 10.2.103.64
IP.3 = 10.2.103.12
IP.4 = 10.2.103.28
IP.5 = 10.2.103.147
IP.6 = 10.2.103.202
IP.7 = 10.2.103.92
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier = keyid:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
[ tsa ]
default_tsa = tsa_config1       # the default TSA section
[ tsa_config1 ]
dir             = ./demoCA              # TSA root directory
serial          = $dir/tsaserial        # The current serial number (mandatory)
crypto_device   = builtin               # OpenSSL engine to use for signing
signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
                                        # (optional)
certs           = $dir/cacert.pem       # Certificate chain to include in reply
                                        # (optional)
signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy  = tsa_policy1           # Policy if request did not specify it
                                        # (optional)
other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
digests         = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0     # number of digits after dot. (optional)
ordering                = yes   # Is ordering defined for timestamps?
                                # (optional, default: no)
tsa_name                = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
Generate the component certificate
[tidb@vm10-2-103-12 tidbcrt]$ openssl genrsa -out tidb.key 2048
[tidb@vm10-2-103-12 tidbcrt]$ openssl req -new -key tidb.key -out tidb.csr -config openssl_tidb.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (eg, company) [PingCAP]:
Organizational Unit Name (eg, section) [TiUP]:
Common Name (eg, your name or your server's hostname) [TiDB]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[tidb@vm10-2-103-12 tidbcrt]$ ls
ca.crt  ca.pem  openssl.cnf  openssl_tidb.cnf  tidb.csr  tidb.key
[tidb@vm10-2-103-12 tidbcrt]$ openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.pem -CAcreateserial -in tidb.csr -out tidb.crt -extensions v3_req -extfile openssl_tidb.cnf
Signature ok
subject=/O=PingCAP/OU=TiUP/CN=TiDB
Getting CA Private Key
The new certificate lists the IP addresses of every component node, and its CN is TiDB, the single value that every component will be configured to accept.
[tidb@vm10-2-103-12 tidbcrt]$ openssl x509 -text -in /home/tidb/tidbcrt/tidb.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f8:01:3b:c4:c4:d8:7a:30
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=PingCAP, OU=TiUP
        Validity
            Not Before: May  5 08:50:09 2024 GMT
            Not After : May  3 08:50:09 2034 GMT
        Subject: O=PingCAP, OU=TiUP, CN=TiDB
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cf:e5:80:03:4c:6e:e8:1f:e6:67:46:ab:88:de:...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, IP Address:10.2.103.64, IP Address:10.2.103.12, IP Address:10.2.103.28, IP Address:10.2.103.147, IP Address:10.2.103.202, IP Address:10.2.103.92
    Signature Algorithm: sha256WithRSAEncryption
         26:d1:f7:37:76:fc:c0:f1:e9:89:a3:c6:a9:b3:de:85:e8:19:...
Compared with the original component certificate, the Key Usage, Extended Key Usage and Subject Alternative Name extensions are configured the same way. The one difference is that the new certificate carries no Authority Key Identifier, which does not matter here because the components validate against the pinned ca.crt directly.
[tidb@vm10-2-103-12 crt]$ openssl x509 -text -in /tidb-deploy-test1/tidb-4100/tls/tidb.crt -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d7:b3:af:df:e3:b1:8e:2e:3f:b2:f7:de:14:ba:c1:1e
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=PingCAP, OU=TiUP
        Validity
            Not Before: May  5 06:46:19 2024 GMT
            Not After : May  3 06:46:19 2034 GMT
        Subject: O=PingCAP, OU=TiUP, OU=tidb, CN=tidb
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:fe:3a:b6:c1:b2:bd:e9:05:05:5c:55:b0:0e:...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Authority Key Identifier:
                keyid:65:AA:D3:27:5D:EC:F3:53:C4:AE:46:8A:F1:E4:22:D1:A9:E8:DF:ED
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, IP Address:10.2.103.12
    Signature Algorithm: sha256WithRSAEncryption
         1d:7f:30:96:dd:07:05:4a:0c:c4:53:5a:42:95:cf:f3:52:d8:...
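The certificate build and the comparison above, gathered into one script as an added example (not code from the original post, from TiUP or from TiDB). It writes a minimal openssl config instead of editing the system openssl.cnf, issues the shared certificate for any list of node IPs, and then checks chain, key match, CN, EKU and SAN before anything is pushed, so that a wrong CN or a forgotten node IP is caught on the TiUP host rather than by a failing component. The function names, the file names and make_lab_ca (a throwaway CA so the script runs stand-alone) are assumptions made for the example; on a real cluster the CA is the ca.crt/ca.pem that TiUP generated, exactly as in the post. An openssl CLI of 1.1.1 or newer is assumed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from TiUP/TiDB.
# Issues the single shared component certificate described above from a CA and
# checks it before it is pushed. Assumes an openssl CLI (1.1.1 or newer).
# make_lab_ca exists only so the example runs stand-alone; on a real cluster use
# the ca.crt/ca.pem that TiUP generated, as the post does.
set -eu

# Minimal openssl config: the empty DN section lets `req -subj` work without
# the system openssl.cnf; v3_ca/v3_req carry the extensions we need.
# $1 = output file, remaining args = node IPs for the SAN list.
write_openssl_cfg() {
    local cfg=$1
    shift
    {
        echo "[ req ]"
        echo "distinguished_name = req_dn"
        echo "[ req_dn ]"
        echo "[ v3_ca ]"
        echo "basicConstraints = critical, CA:TRUE"
        echo "keyUsage = critical, digitalSignature, keyCertSign"
        echo "subjectKeyIdentifier = hash"
        echo "[ v3_req ]"
        echo "keyUsage = critical, digitalSignature, keyEncipherment"
        echo "extendedKeyUsage = clientAuth, serverAuth"
        echo "subjectAltName = @alt_names"
        echo "[ alt_names ]"
        echo "DNS.1 = localhost"
        echo "IP.1 = 127.0.0.1"
        local i=2 ip
        for ip in "$@"; do
            echo "IP.$i = $ip"
            i=$((i + 1))
        done
    } > "$cfg"
}

# make_lab_ca <ca.crt> <ca.key>: throwaway self-signed CA for a lab only.
make_lab_ca() {
    local cfg
    cfg=$(mktemp)
    write_openssl_cfg "$cfg"
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=PingCAP/OU=TiUP" -config "$cfg" -extensions v3_ca \
        -keyout "$2" -out "$1" 2>/dev/null)
    rm -f "$cfg"
}

# make_shared_cert <ca.crt> <ca.key> <out-prefix> <CN> <ip>...
# Writes <out-prefix>.key (mode 0600) and <out-prefix>.crt signed by the CA,
# with the one CN every component will accept and a SAN covering every node IP.
make_shared_cert() {
    local ca_crt=$1 ca_key=$2 out=$3 cn=$4
    shift 4
    local cfg
    cfg=$(mktemp)
    write_openssl_cfg "$cfg" "$@"
    (umask 077; openssl genrsa -out "$out.key" 2048 2>/dev/null)
    openssl req -new -key "$out.key" -out "$out.csr" \
        -subj "/O=PingCAP/OU=TiUP/CN=$cn" -config "$cfg" 2>/dev/null
    openssl x509 -req -days 3650 -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
        -in "$out.csr" -out "$out.crt" -extfile "$cfg" -extensions v3_req 2>/dev/null
    rm -f "$out.csr" "$cfg"
}

# check_shared_cert <ca.crt> <cert> <key> <CN> <ip>...
# Succeeds only if the certificate chains to the CA, matches the private key,
# has exactly the expected CN, may act as both TLS client and server, and lists
# every given IP in its SAN. Run it before `tiup cluster push`.
check_shared_cert() {
    local ca_crt=$1 crt=$2 key=$3 cn=$4
    shift 4
    openssl verify -CAfile "$ca_crt" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not chain to $ca_crt"; return 1; }
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "FAIL: $key does not match $crt"; return 1; }
    local got_cn text san ip
    got_cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *\(.*,\)\{0,1\}CN=\([^,]*\).*/\2/p')
    [ "$got_cn" = "$cn" ] || { echo "FAIL: CN is '$got_cn', expected '$cn'"; return 1; }
    text=$(openssl x509 -in "$crt" -noout -text)
    echo "$text" | grep -q 'TLS Web Client Authentication' \
        && echo "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: need both clientAuth and serverAuth EKU"; return 1; }
    # The SAN list follows its header line; strip spaces and match whole entries
    # so 10.2.103.1 does not pass on a list that only contains 10.2.103.12.
    san=",$(echo "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '),"
    for ip in "$@"; do
        case "$san" in
            *",IPAddress:$ip,"*) ;;
            *) echo "FAIL: SAN lacks $ip"; return 1 ;;
        esac
    done
    echo "OK: $crt"
}
```

On the TiUP host the real run is `make_shared_cert ca.crt ca.pem tidb TiDB 10.2.103.64 10.2.103.12 ...` followed by `check_shared_cert ca.crt tidb.crt tidb.key TiDB <same IPs>`; the check is also the right thing to rerun after scaling out, since a node missing from the SAN list fails it.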
Push the new certificate
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/tidb-4100/tls" -R tidb
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/tidb-4100/tls /tidb-deploy-test1/tidb-4100/tlsold" -R tidb
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/tidb-4100/tlsold" -R tidb
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/tidb-4100/tls/tidb.pem -R tidb
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/tidb-4100/tls/tidb.crt -R tidb

tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/tikv-21160/tls" -R tikv
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/tikv-21160/tls /tidb-deploy-test1/tikv-21160/tlsold" -R tikv
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/tikv-21160/tlsold" -R tikv
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/tikv-21160/tls/tikv.pem -R tikv
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/tikv-21160/tls/tikv.crt -R tikv

tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/pd-2479/tls" -R pd
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/pd-2479/tls /tidb-deploy-test1/pd-2479/tlsold" -R pd
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/pd-2479/tlsold" -R pd
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/pd-2479/tls/pd.pem -R pd
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/pd-2479/tls/pd.crt -R pd

tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/prometheus-9290/tls" -R prometheus
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/prometheus-9290/tls /tidb-deploy-test1/prometheus-9290/tlsold" -R prometheus
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/prometheus-9290/tlsold" -R prometheus
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/prometheus-9290/tls/prometheus.pem -R prometheus
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/prometheus-9290/tls/prometheus.crt -R prometheus

tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/grafana-3100/tls" -R grafana
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/grafana-3100/tls /tidb-deploy-test1/grafana-3100/tlsold" -R grafana
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/grafana-3100/tlsold" -R grafana
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/grafana-3100/tls/grafana.pem -R grafana
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/grafana-3100/tls/grafana.crt -R grafana

tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/alertmanager-9193/tls" -R alertmanager
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/alertmanager-9193/tls /tidb-deploy-test1/alertmanager-9193/tlsold" -R alertmanager
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/alertmanager-9193/tlsold" -R alertmanager
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/alertmanager-9193/tls/alertmanager.pem -R alertmanager
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/alertmanager-9193/tls/alertmanager.crt -R alertmanager

tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/cdc-8400/tls" -R cdc
tiup cluster exec tidb-test1 --command "cp -rp /tidb-deploy-test1/cdc-8400/tls /tidb-deploy-test1/cdc-8400/tlsold" -R cdc
tiup cluster exec tidb-test1 --command "ls /tidb-deploy-test1/cdc-8400/tlsold" -R cdc
tiup cluster push tidb-test1 tidb.key /tidb-deploy-test1/cdc-8400/tls/cdc.pem -R cdc
tiup cluster push tidb-test1 tidb.crt /tidb-deploy-test1/cdc-8400/tls/cdc.crt -R cdc

cp tidb.key /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.pem
cp tidb.crt /home/tidb/.tiup/storage/cluster/clusters/tidb-test1/tls/client.crt
Note: if nodes are scaled out later, add their IP addresses to the list, then generate and push the certificate again.
Note: if tiup cluster display shows the tidb-server status as abnormal, the last two steps (replacing the TiUP client certificate on the TiUP host) have probably not been run.
Enable common-name verification on the cluster
Once common-name verification is enabled, every component checks that the common name in the client certificate matches the configured value. The certificate generation step above already set the common name of the shared certificate to TiDB, so the verification value in the configuration is TiDB as well.
[tidb@vm10-2-103-12 tidbcrt]$ tiup cluster edit-config tidb-test1
global:
  user: tidb
  ssh_port: 22
  ssh_type: builtin
  enable_tls: true
  deploy_dir: /tidb-deploy-test1
  data_dir: /tidb-data-test1
  os: linux
  systemd_mode: system
monitored:
  node_exporter_port: 9200
  blackbox_exporter_port: 9215
  deploy_dir: /tidb-deploy-test1/monitor-9200
  data_dir: /tidb-data-test1/monitor-9200
  log_dir: /tidb-deploy-test1/monitor-9200/log
server_configs:
  tidb:
    security.cluster-verify-cn:
    - TiDB
  tikv:
    security.cert-allowed-cn:
    - TiDB
  pd:
    security.cert-allowed-cn:
    - TiDB
    replication.location-labels:
    - zone
    - host
  tidb_dashboard: {}
  tiflash: {}
  tiproxy: {}
  tiflash-learner: {}
  pump: {}
  drainer: {}
  cdc:
    security.cert-allowed-cn:
    - TiDB
  kvcdc: {}
  grafana: {}
tidb_servers:
[tidb@vm10-2-103-12 tidbcrt]$ tiup cluster reload tidb-test1
Protection after enabling common-name verification
Management ports such as 10080 (tidb-server status port) and 8300 (cdc-server) no longer answer clients that do not present a certificate with the allowed common name, so the scanning host can no longer reach them either.
Follow-up work after enabling common-name verification
Scale PD back out to three nodes.
node_exporter (default port 9100) and blackbox_exporter (default port 9115) are third-party components. The Prometheus community does not regard the debug/pprof endpoint as a security problem and offers no switch to disable it, so the only workable fix today is to comment out the debug module in the source, rebuild, and replace the binary; otherwise document the finding in the security filing. Recent releases of both exporters do support the exporter-toolkit --web.config.file flag, which can require TLS and a client certificate on the exporter's listener; whether the TiUP-deployed exporters can be started with it is outside the scope of this article.
Summary
A common-name check on the TLS certificates is enough to protect the management ports. TiUP plans to support a unified certificate common name in a future release, at which point the manual reissue will no longer be needed after upgrading.
Copyright notice: this article is an original work by InfoQ author TiDB 社区干货传送门.
Original link: http://xie.infoq.cn/article/d80c61ff05fa75e38fd2a9bda. Contact the author before reprinting.