I am trying to let an external client reach my database server through a very strict college firewall, i.e. only ports 80 and 443 are open. To allow the client to talk to the server, I planned to change the port the server listens on from (MySQL's default) port 3306 to port 80. After changing the settings in /var/mysql/my.cnf to reflect the change I want, the MySQL server refuses to start.

Server: Debian 8.0 x64
MySQL Server: 5.5.57-0+deb8u1

MySQL configuration (/etc/mysql/my.cnf):
[client]
port     = 80
socket   = /var/run/mysqld/mysqld.sock

[mysqld_safe]
socket   = /var/run/mysqld/mysqld.sock
nice     = 0

[mysqld]
user     = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket   = /var/run/mysqld/mysqld.sock
port     = 80
basedir  = /usr
datadir  = /var/lib/mysql
tmpdir   = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
#bind-address = 127.0.0.1
key_buffer = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
myisam-recover = BACKUP
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
query_cache_limit = 1M
query_cache_size = 16M
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
log_error = /var/log/mysql/error.log
expire_logs_days = 10
max_binlog_size = 100M

[mysqldump]
quick
quote-names
max_allowed_packet = 16M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completition

[isamchk]
key_buffer = 16M

!includedir /etc/mysql/conf.d/
Note: the only changes are the [client] port, the [mysqld] port, and commenting out 'bind-address'.

When trying to start the server, the log (/var/log/mysql/error.log) states:
171013  1:25:50 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead.
171013  1:25:50 [Note] Plugin 'FEDERATED' is disabled.
171013  1:25:50 InnoDB: The InnoDB memory heap is disabled
171013  1:25:50 InnoDB: Mutexes and rw_locks use GCC atomic builtins
171013  1:25:50 InnoDB: Compressed tables use zlib 1.2.8
171013  1:25:50 InnoDB: Using Linux native AIO
171013  1:25:50 InnoDB: Initializing buffer pool, size = 128.0M
171013  1:25:50 InnoDB: Completed initialization of buffer pool
171013  1:25:50 InnoDB: highest supported file format is Barracuda.
171013  1:25:51 InnoDB: Waiting for the background threads to start
171013  1:25:52 InnoDB: 5.5.57 started; log sequence number 1595685
171013  1:25:52 [Note] Server hostname (bind-address): '0.0.0.0'; port: 80
171013  1:25:52 [Note]   - '0.0.0.0' resolves to '0.0.0.0';
171013  1:25:52 [Note] Server socket created on IP: '0.0.0.0'.
171013  1:25:52 [ERROR] Can't start server: Bind on TCP/IP port: Permission denied
171013  1:25:52 [ERROR] Do you already have another mysqld server running on port: 80 ?
171013  1:25:52 [ERROR] Aborting

171013  1:25:52  InnoDB: Starting shutdown...
171013  1:25:52  InnoDB: Shutdown completed; log sequence number 1595685
171013  1:25:52 [Note] /usr/sbin/mysqld: Shutdown complete
This suggests that port 80 is being used by another process, but that cannot be right for a freshly installed server. Only the MySQL server and Fail2Ban were installed additionally; no other process can be using it.

'netstat -pln' confirms this:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3070/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      3070/sshd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node    PID/Program name    Path
unix  2      [ ACC ]     SEQPACKET  LISTENING     969834547 1/systemd           /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     969834550 1/systemd           /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     970364573 1/systemd           /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     972931518 5692/python         /var/run/fail2ban/fail2ban.sock
Can anyone suggest a solution to this and/or explain why the server will not start on port 80?
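The error log above is worth reading more carefully than its last line suggests: mysqld prints the "Do you already have another mysqld server running on port" hint after any failed bind(), so the line before it (the strerror text, here "Permission denied", i.e. EACCES) is the only part that says what actually went wrong. The script below is an added example, not part of the original question; it classifies a bind failure from the log text and states the next check for each case. The posted log lines are copied from the question, the "Address already in use" log is a constructed contrast case, and the 1024 privileged-port threshold is the classic Linux default assumed here.

```shell
#!/bin/sh
# Added example (not from the original question): classify a mysqld bind
# failure from the error-log text instead of trusting the generic
# "Do you already have another mysqld server running" hint, which mysqld
# prints after any bind() failure regardless of the errno.

# Print the errno name behind a failed "Bind on TCP/IP port" line read on
# stdin; print OK when the log contains no such failure.
classify_bind_error() {
    log=$(cat)
    case "$log" in
        *"Bind on TCP/IP port: Permission denied"*)               echo EACCES ;;
        *"Bind on TCP/IP port: Address already in use"*)          echo EADDRINUSE ;;
        *"Bind on TCP/IP port: Cannot assign requested address"*) echo EADDRNOTAVAIL ;;
        *)                                                        echo OK ;;
    esac
}

# Ports below 1024 are privileged on Linux: bind() needs root or
# CAP_NET_BIND_SERVICE. Newer kernels can lower the threshold via
# net.ipv4.ip_unprivileged_port_start; the classic 1024 is assumed here.
port_needs_privilege() {
    [ "$1" -lt 1024 ]
}

# Map the errno to the check a practitioner should run next.
explain_bind_error() {
    case "$1" in
        EACCES)        echo "privileged port: mysqld binds as 'user = mysql', which needs root or CAP_NET_BIND_SERVICE" ;;
        EADDRINUSE)    echo "port taken: run 'ss -ltnp' or 'netstat -pln' to find the listener" ;;
        EADDRNOTAVAIL) echo "bind-address is not an address of this host" ;;
        OK)            echo "no bind failure in log" ;;
        *)             echo "unknown errno $1" ;;
    esac
}

# Lines copied from the posted error log (used here as a constructed sample).
posted_log() {
    cat <<'EOF'
171013  1:25:52 [Note] Server hostname (bind-address): '0.0.0.0'; port: 80
171013  1:25:52 [Note] Server socket created on IP: '0.0.0.0'.
171013  1:25:52 [ERROR] Can't start server: Bind on TCP/IP port: Permission denied
171013  1:25:52 [ERROR] Do you already have another mysqld server running on port: 80 ?
171013  1:25:52 [ERROR] Aborting
EOF
}

# Constructed contrast case: the same hint line, but the real cause is a
# port collision on 3306.
busy_port_log() {
    cat <<'EOF'
171013  1:30:00 [ERROR] Can't start server: Bind on TCP/IP port: Address already in use
171013  1:30:00 [ERROR] Do you already have another mysqld server running on port: 3306 ?
EOF
}

err=$(posted_log | classify_bind_error)
echo "posted log:    $err -> $(explain_bind_error "$err")"
err=$(busy_port_log | classify_bind_error)
echo "busy-port log: $err -> $(explain_bind_error "$err")"
if port_needs_privilege 80; then echo "port 80 needs privilege"; fi
```

On a real host run `classify_bind_error < /var/log/mysql/error.log`. An EACCES result means the netstat check in the question was never going to show anything: nothing is listening on 80, the unprivileged `mysql` user simply may not bind there, which is exactly why the answer keeps MySQL on 3306 and puts SSH on 443 instead.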
Given these restrictions:

- only 80 and 443 are available
- and keeping security in mind (ports < 1024 require root privileges)

I'd suggest letting SSH or OpenVPN listen on port 443. That way you can keep MySQL on the default port 3306 and allow access only from localhost (in the case of an SSH tunnel) or from the internal IP pool used by OpenVPN. Other reasons that make this approach better include:

- There is content filtering on 80. A transparent proxy would drop MySQL traffic because it simply assumes HTTP traffic. On 443, trying to detect encrypted non-HTTPS traffic is hard and not common. Hence both SSH and OpenVPN work from most remote locations.
- Only 80 or 443. This means that if the number of services grows in the future, you can allow at most 2 different protocols, whereas with an SSH tunnel or a VPN there is no such limit.

As Esa Jokinen suggested, I freed up the server's HTTPS port and dedicated it to SSH. I could then tunnel through the university firewall, since the content is not filtered. Using PuTTY I was able to create this tunnel and assign it a port to let MySQL traffic through, and it works a treat!
For those wishing to do the same on Windows, I followed this guide:
https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/
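The setup the answers above converge on (sshd on 443, MySQL left on 3306 and bound to loopback, clients tunnelling a local port to 127.0.0.1:3306) is shown below as an added example; it is not code from the original question or answers. It reads a my.cnf, reports which address and port mysqld will actually listen on (only the [mysqld] section matters; the [client] port is just the client default, and a commented-out bind-address means all interfaces), compares the question's settings with the hardened variant, and prints the client-side ssh command. The config fragments are trimmed copies of the question's file plus a constructed hardened version, and the user@host `alice@db.example.edu` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answers): check what a my.cnf really
# exposes, then build the client-side SSH tunnel that replaces "MySQL on 80".

# Print "<bind-address> <port>" that mysqld will use, from a my.cnf on stdin.
# Only the [mysqld] section counts; a missing or commented-out bind-address
# means 0.0.0.0 (all interfaces) and a missing port means 3306.
mysqld_listener() {
    awk '
        { gsub(/=/, " ") }                                      # "port=80" -> "port 80"
        /^\[/ { section = substr($0, 2, index($0, "]") - 2); next }
        /^#/  { next }                                          # commented-out lines do nothing
        section == "mysqld" && $1 == "bind-address" { addr = $2 }
        section == "mysqld" && $1 == "port"         { port = $2 }
        END { print (addr == "" ? "0.0.0.0" : addr), (port == "" ? 3306 : port) }
    '
}

# "exposed" when mysqld listens on a non-loopback address (the question's
# config), "local-only" when it is pinned to 127.0.0.1 as the answer advises.
mysqld_exposure() {
    set -- $(mysqld_listener)
    case "$1" in
        127.*|::1|localhost) echo "local-only $1:$2" ;;
        *)                   echo "exposed $1:$2" ;;
    esac
}

# Client side: sshd on the server listens on 443 (Port 443 in sshd_config);
# forward a local port to MySQL's loopback 3306. $1 is user@host, $2 the
# local port the MySQL client will connect to (default 3306).
tunnel_command() {
    echo "ssh -N -p 443 -L ${2:-3306}:127.0.0.1:3306 $1"
}

# The question's settings, trimmed to the relevant lines.
posted_cnf() {
    cat <<'EOF'
[client]
port = 80
[mysqld]
user = mysql
port = 80
#bind-address = 127.0.0.1
EOF
}

# Constructed hardened variant: default port, loopback only.
hardened_cnf() {
    cat <<'EOF'
[client]
port = 3306
[mysqld]
user = mysql
port = 3306
bind-address = 127.0.0.1
EOF
}

echo "posted:   $(posted_cnf | mysqld_exposure)"
echo "hardened: $(hardened_cnf | mysqld_exposure)"
echo "client:   $(tunnel_command alice@db.example.edu)"
echo "then:     mysql -h 127.0.0.1 -P 3306 -u dbuser -p"
```

With the tunnel up, the MySQL client on the laptop connects to 127.0.0.1:3306 and the traffic crosses the campus firewall as SSH on 443; the server's own 3306 is never reachable from outside, so the firewall restriction and the privileged-port problem both disappear. PuTTY's "Tunnels" page does the same thing as the `-L` option.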